On Thu, Feb 11, 2010 at 1:31 PM, skillz...@gmail.com wrote:
I have a DER-encoded PKCS#7 file that I'd like to extract the
certificate from, verify that certificate against a specific sub-CA
certificate, then use the certificate's public key to verify a
signature.
I looked at the code for
That was it. One @ 13k works and one @18k doesn't. Thanks Victor.
Ron
Victor Duchovni wrote:
On Wed, Feb 10, 2010 at 03:23:03PM -0800, rono16 wrote:
I am using OpenSSL to create a self sign certificate and have a need to
add
approximately 4000, yes 4000, DNS entries (don't ask why)
* Victor Duchovni wrote:
The SSL/TLS record layer has a maximum record size, a
certificate probably needs to fit into one record, so if your
500+ domains generate a certificate that is larger than ~16K
bytes, you may be out of luck.
(I just ask for curiosity, not because I have any problem
On 12/02/10 8:51 AM, skillz...@gmail.com wrote:
Is there a way (via the API rather than the tool) to tell OpenSSL that
the sub-CA certificate is trusted and it doesn't need to walk further
up the chain? For my case, I embed the sub-CA certificate in my code
and I'm space constrained so I'd
I believe it's an x.509v3 limitation and not specific to openssl.
After getting Viktor's hint I did a little research and found that the
limitation is set at 2^14.
Ron
Steffen DETTMER wrote:
* Victor Duchovni wrote:
The SSL/TLS record layer has a maximum record size, a
certificate
I posted the following message in the stunnel group. I'm following that
posting here because I believe this may be an issue with the underlying
library which is OpenSSL. Is there a known issue with certificates for
version 0.9.8b that are aware of? What version of OpenSSL contains the
fix if
On Fri, Feb 12, 2010 at 12:41:16PM +0100, Steffen DETTMER wrote:
* Victor Duchovni wrote:
The SSL/TLS record layer has a maximum record size, a
certificate probably needs to fit into one record, so if your
500+ domains generate a certificate that is larger than ~16K
bytes, you may be out
* Victor Duchovni wrote on Fri, Feb 12, 2010 at 14:20 -0500:
The limit is not (only?) an X.509 limit, rather the SSL/TLS
record layer cannot carry messages larger than 2^14 bytes (plus
some overhead for compression algorithms which provably need to
be able to make some records larger in order
On Fri, Feb 12, 2010 at 08:35:09PM +0100, Steffen DETTMER wrote:
(So DER encoding is used, and it is allowing 128 byte long
length fields allowing 2^1024 [a number taking four and a half
line in xterm because 309 decimal digits long] bytes long value
fields sufficient to enumerate
Roger Cruz wrote:
I posted the following message in the stunnel group. I'm following that
posting here because I believe this may be an issue with the underlying
library which is OpenSSL. Is there a known issue with certificates for
version 0.9.8b that are aware of? What version of OpenSSL
On Fri, Feb 12, 2010 at 01:04:01PM -0700, Thomas J. Hruska wrote:
Roger Cruz wrote:
I posted the following message in the stunnel group. I'm following that
posting here because I believe this may be an issue with the underlying
library which is OpenSSL. Is there a known issue with
As an OpenSSL newbie, I'm trouble that the man pages for SSL_write()
and SSL_read() don't stress that you should clear the error stack upon
a failed call. They suggest you check SSL_get_error(), but they make
no mention of clearing the error stack afterward, and I hear that
clearing the error
Patrick,
I believe the sane state implied here is that if you call
SSL_get_error() some of the time and not all of the time, you may be
getting information about errors that happened any time in the past
for that SSL*. It won't necessarily prevent OpenSSL from working
correctly, just your
I should have mentioned ERR_get_error() in my question, that's what's
most heavily on my mind. The question is if you have to call clear the
error stack with ERR_get_error() after every failed SSL call, even
failures that are often not really failures. For example, my code
considered SSL_read()
When dealing with the high level SSL_* functions, stick with
SSL_get_error() as per s_client.c and s_server.c.
If you are doing things on a lower level, you may need to deal with
the error stack yourself; but for people new to OpenSSL, just stick
with functions starting with SSL_* or BIO_*
On
From the SSL_get_error() man page:
The current thread's error queue must be empty before the TLS/SSL I/O
operation is attempted, or SSL_get_error() will not work reliably.
And don't
16 matches
Mail list logo