"Eric W. Bradway" wrote:
private-key be stored on a smart-card. However you do it, your
guarantee of client id is only as secure as that private key.
So, how do the browsers manage the private-key? Is it only
the OS that prevents unauthorized access to it?
whole system. How
Michael Sierchio wrote:
I am now faced with the need to generate and validate certs
based on PKCS#3 DH Parameters: prime, base, and privateValueLength.
These don't seem to be supported directly in the command line tool,
though I may be mistaken. Is anyone using OpenSSL to generate
and
Reiner Buehl wrote:
There is a (not recommended) possibility for this: If all of your hosts
belong to the same domain you could generate a so called "wildcard
certificate".
This is a certificate with a hostname like '*.mydomain.org'
AFAIK this does not work with M$ IE.
Ciao, Michael.
I want to figure out in how many days a cert will expire. I want to do this
so I can flag the user that their cert is about to expire (n a week, say).
What API should I use for this?
thanks,
Michael.
Correction, it does work with IE, we have a wildcard certificate that works
with IE 5.01. It works with IE 4 fine. As for IE 3.02 and before, well, they
have problems with their root certs anyway.
-
Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey
Internet Systems
Hello,
I'm not sure these messages are getting through to the list
-- can someone please answer me? I've posted already, but it didn't
reflect my message. Can anyone acknowledge this message please?
Thanks!
--
I've been having some trouble with EVP_Verify, perhaps someone could
It appears that you are not using one IP address for each virtual host. Once
you've configured those correctly the error should go away.
-
Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Hi !!
I've installed a Netscape Certificate Server 4.2sp1 on a linux mandrake 7.2 (kernel 2.2.17-21)...
I've also installed an Apache 1.3.14 server with mod_perl 1.24_01, mod_ssl 2.2.7, php 4.0.3pl1 and openssl 0.9.6...
I've signed Apache certificate with the Certificate server.
I
I hope you are kidding about using mod_ssl 2.2.7. The latest version is
2.7.1, which is what you should be running.
-
Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road,
Dr S N Henson wrote:
The main problem is how you'd certify a DH key when it can't be used to
sign a certificate request.
I do not understand your comments. There are excellent POP algorithms
available for the certificate request phase (see Diffie-Hellman
Proof-of-Possession Algorithms, RFC
Reiner Buehl wrote:
Hi,
a) Can I make my own certificate valid for many host names ?
There is a (not recommended) possibility for this: If all of your hosts
belong to the same domain you could generate a so called "wildcard certificate".
This is a certificate with a hostname like
Hi,
When I encrypt a large chunk of data (in my case 12220 bytes) the first 8
bytes of that data cannot be encrypted and decrypted again properly.
They are garbage.
The routines I use are the following :
// read a file in an unsigned char * cbc_data
// Length = number of bytes read
//
You have both Thawte Verisign
www.thawte.com
www.verisign.com
With respect to how Thawte handles the enrollments, any request for a 'wild
card' certificate through Verisign will need to be submitted via email to
'[EMAIL PROTECTED]'.
All requests are handled on a 'case by case' basis.
Hi,
I am reading the SSL_read() in the ssl_lib.c file under the ssl directory and it
calls the ssl_read(SSL *, void *, int) function. I searched the ssl
directory and found there is a ssl_read(BIO *, char *, int) defined in
bio_ssl.c. Looks like it is casting the SSL structure to the BIO structure.
But
On Thu, Jan 25, 2001 at 09:19:48AM -0800, Patrick Li wrote:
Hi,
I am reading the SSL_read() in the ssl_lib.c file under the ssl directory and it
calls the ssl_read(SSL *, void *, int) function. I searched the ssl
directory and found there is a ssl_read(BIO *, char *, int) defined in
bio_ssl.c.
Michael Sierchio wrote:
Dr S N Henson wrote:
The main problem is how you'd certify a DH key when it can't be used to
sign a certificate request.
I do not understand your comments. There are excellent POP algorithms
available for the certificate request phase (see Diffie-Hellman
Hi,
I'm sure this has been asked before, but
is it possible to have a JSSE Java client connect to an OpenSSL-coded
server. I'm sure there are issues with how OpenSSL and Java store their
respective certificates at the very least.
Does anyone have any example code?
Thanks
From the Thawte support web server
(http://www.thawte.com/support/server/wildcards.html#wildsupport)
Do wildcard certificates work with all servers and browsers?
Wildcard certs work with (almost) all servers. We don't think WebSTAR/SSL
supports wildcards. We know for a fact that MS IIS does
Dr S N Henson wrote:
Or to summarise, yes it is possible to add support in OpenSSL, no it
isn't very easy and I'm not sure how useful it would be if support was
added.
I suggest a division of labor -- leave the demonstration of usefulness to me,
and you take the hard part... ;-) Our
[Sorry for the long gap before replying]
As far as I can tell, the following might work:
- get a certificate with an arbitrary domain name (say foo.bar.com)
- configure DNS to return 127.0.0.1 when clients want to convert
foo.bar.com to an address
- supply the foo.bar.com certificate to the
Michael Sierchio wrote:
Dr S N Henson wrote:
Or to summarise, yes it is possible to add support in OpenSSL, no it
isn't very easy and I'm not sure how useful it would be if support was
added.
I suggest a division of labor -- leave the demonstration of usefulness to me,
and you take
I'm getting the following messages in my ssl_engine_log
[25/Jan/2001 16:31:56 18090] [error] OpenSSL: error:1408F071:SSL
routines:SSL3_GET_RECORD:bad mac decode [Hint: Browser still remembered
details of a re-created server certificate?]
I am unsure as to how to remedy this...
Anyone else
Dr S N Henson wrote:
Seriously though, is there some specific reason why you need to use DH
rather than RSA or DSA (if it's authentication only)?
Actually... yes. ;-)
Several proposed algorithms for authentication and replay prevention
exist which use the long-term DH secret (or some product
I don't know if M$ broke anything in IIS 5.0, but I recently signed my
own certificate for an IIS 4.0 server, and it worked fine (once I
figured out that I had to manually strip everything before the "BEGIN
CERTIFICATE" stuff in the signed cert). I just used the sign.sh script
from the mod_ssl
Cory,
Section 7.2.1 of the TLS spec (rfc2246) goes into detail about this, and
Eric Rescorla's book has a complete discussion of what the issues are here.
I believe you get the error from OpenSSL if you receive a TCP FIN *before*
you receive a close_notify alert. The problem is probably in the
I know with WinNT4 with IIS 4 and the certificate managing software
(KeyManager?) tended to break things. I couldn't even install a test cert
from Thawte or VeriSign.
I installed openssl (9.x) on my Slackware Linux box and generated a
certificate for IIS 5.0 (win2k) with no problem. Just
Sharon,
1) You are correct, this is not done anywhere in the OpenSSL code. You
have to make that check outside of OpenSSL, probably just after the
handshake has completed. The precise check you mention is not really
mandated by SSL. If you want to authenticate the peer you do need to make
I agree with all your points, but I thought I would add one more.
If the man-in-the-stack were named mack, and you were named jack,
then you would be vulnerable to a mack-in-the-stack attack jack,
which should be in the FAQ.
It's late. My apologies to the terminally serious.
Hi,
Inside the BIO structure (struct bio_st), there is a field called num with
integer type. It is used to store the file descriptor of the associated
socket. Please correct me if I am wrong.
I am still investigating what needs to be changed if I plug in my own TCP
routines which is
Hi,
I'm new to SSL and I'm having trouble with RC4-128 encrypted sites. I'm hoping
that it's just a problem with my certificates. If I force it to bypass
this code it's okay:
i = ssl_verify_cert_chain(s, sk);   /* verify the peer's certificate chain */
if ((s->verify_mode != SSL_VERIFY_NONE) && (!i))
{
Hi Everyone,
I am a final year university student creating an e-commerce
application. Because I do most of my work at home I am
using the Windows version of Apache. Is it possible to
use the standard OpenSSL package in combination with
Windows Apache or do I have to do it some other way?
one
I'm working on an update to a mail application that was using RSA Bsafe
Crypto-C, but is now being moved to SSL and Sendmail 8.11 which will allow
for a higher level of security. Right now we have a base class of all of
the algorithm and key objects in RSA. This creates a wrapper for the
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]