Spurious X509_V_ERR_INVALID_CA errors from 0.9.5a?

2001-03-23 Thread Michael Playle
Hi SSL gurus, I'm running into a problem with the OpenSSL 0.9.5a library which we're using in one of our products. When it tries to verify a particular chain of certificates, it seems to return the X509_V_ERR_INVALID_CA error for what appears to me to be no good reason at all... The chain

Microsoft Certs Security alert

2001-03-23 Thread Tat Sing Kong
Verisign have issued Microsoft certs by accident. This could pose a serious security breach. http://www.microsoft.com/technet/security/bulletin/MS01-017.asp Tat.

Re: Spurious X509_V_ERR_INVALID_CA errors from 0.9.5a?

2001-03-23 Thread Otmi Dror
Ignore this error in your verification callback function the same way the function 'cb' of apps/verify.c does. Dror Hi SSL gurus, I'm running into a problem with the OpenSSL 0.9.5a library which we're using in one of our products. When it tries to verify a particular chain of

Re: Spurious X509_V_ERR_INVALID_CA errors from 0.9.5a?

2001-03-23 Thread Michael Playle
Otmi Dror wrote: Ignore this error in your verification callback function the same way the function 'cb' of apps/verify.c does. Dror Won't this approach cause our application to accept certificates that should be rejected? For example, certificates used for signing other certificates, but

Re: Spurious X509_V_ERR_INVALID_CA errors from 0.9.5a?

2001-03-23 Thread Dr S N Henson
Michael Playle wrote: Hi SSL gurus, - As a temporary measure, can we extract the new check_purpose_* stuff from 0.9.6 and put it into our existing version? I tried this fix and it solved the problem, but I'd rather not put it into production code without some sort of

setting handshake type

2001-03-23 Thread George Lind
How do you set the handshake type? How do you specify whether you are a client, a server, or a server that requires client authentication? Thanks, George

Re: Spurious X509_V_ERR_INVALID_CA errors from 0.9.5a?

2001-03-23 Thread Dror
Won't this approach cause our application to accept certificates that should be rejected? It would if you just ignore it. But you could do some extra checks in your verification callback when it is invoked with X509_V_ERR_INVALID_CA and then decide whether to accept the certificate or not.

Key size for server

2001-03-23 Thread Pradeep kamath
Hello all, I am using the "openssl req" command to generate a private key and certificate request for an Apache mod_ssl server. Here I have to specify the key size in bits... For all sizes greater than 384 I generate a key and request successfully. I am also able to get a certificate and install it.

RE: how to generate a client certificate for IIS4.0

2001-03-23 Thread Nyers, Gabor
Nacho, These extensions do work with IIS (the certificate is generated using openssl 0.9.6). X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: Telfort SITB authentication Netscape Cert Type:

SmartCard Public Key

2001-03-23 Thread Kenneth R. Robinette
I am trying to import the public RSA key (modulus) created on a Smart Card into an OpenSSL/OpenSSH key structure. The size of the Smart Card public/private key pair is 1024 bits, and the key pair was generated onboard the Smart Card. I use the following code: Key *k; k = key_new(KEY_RSA);

RNG seeding with DSA keys

2001-03-23 Thread Patrice Renaudineau
Hello all, I am an OpenSSL newbie (I compiled 0.9.6 only last Monday) and first want to congratulate the development team :) It all worked well under NT with VC5 with a static build - no dll. After having searched hard in the documentation, I am beginning to use the correct PEM_ macros and

RE: how to generate a client certificate for IIS4.0

2001-03-23 Thread jnogueira
Could you please send me the openssl.cnf (or the relevant part of it) you used to sign the certificate. The sign script I use creates one .cnf on the fly, so check it out. The process I follow is this: I generate the key: openssl genrsa -des3 -out clienteNets-dsa.key 1024 Then I generate the

Undefined symbol Help!!!

2001-03-23 Thread William Bolivar
Hi all. I have a problem compiling the latest openssl version. cc -o openssl -DMONOLITH -I../include -O -lsocket openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o x509.o genrsa.o

Undefined symbol Help!!!

2001-03-23 Thread william bolivar
cc -o openssl -DMONOLITH -I../include -O -lsocket openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o

Re: Strange behaviour with SSL_CTX_set_verify

2001-03-23 Thread Filipe Contente
Hi!!! I have the same problem.. but I can't get the peer certificate in any situation, it is always NULL! I'm using the SSL_CTX_set_verify() method after the call to SSL_CTX_new(), is it in the wrong place?? Should I use SSL_set_verify()? I'm doing this in C++ also, and I'm

Re: SmartCard Public Key

2001-03-23 Thread Erwann ABALEA
On Fri, 23 Mar 2001, Kenneth R. Robinette wrote: I am trying to import the public RSA key (modulus) created on a Smart Card into an OpenSSL/OpenSSH key structure. The size of the Smart Card public/private key pair is 1024 bits, and the key pair was generated onboard the Smart Card. If I

Re: ssl on smartcard ?

2001-03-23 Thread Adam Hernik
Michael Wohlwend wrote: Hi there, I'm new to openssl and want to implement a client/server SSL connection. The difficulty is that the private key is on a smartcard ( it never leaves the card) so SSL should delegate all signing to the card. Is this possible at the moment ? It's easy if

RE: how to generate a client certificate for IIS4.0

2001-03-23 Thread Nyers, Gabor
Nancho, For every certificate I generate from script a custom .cnf file. The relevant parts of the configuration file are: [ req ] prompt = no distinguished_name = req_distinguished_name output_password = YOUR PASSWORD [

Re: Key size for server

2001-03-23 Thread Greg Stark
Pradeep, You are a troublemaker ;) Microsoft's CryptoAPI CSP architecture requires RSA primes to be a multiple of 8 bits in length, which in turn forces moduli to be a multiple of 16 bits in length. Since IE uses one of the MS CSPs, I would assume only moduli which are a multiple of 16

Urgent !!! Undefined symbol Help!!!

2001-03-23 Thread william bolivar
Hi all. I have a problem compiling the latest openssl version. cc -o openssl -DMONOLITH -I../include -O -lsocket openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o x509.o genrsa.o

1024 bit RSA key for server

2001-03-23 Thread Pradeep kamath
Hello all, I have had problems with browsers trying to access an Apache mod_ssl server with a private key size other than 1024. For sizes of 600 bits and 1025 bits for the private key, IE is unable to connect to the secure server, while Netscape connects successfully. For key sizes of 384 and 400, both Netscape