Openssl not properly validating certificates?

2012-12-05 Thread Will Nordmeyer
Hi, I've done some googling and failed to come up with an answer... I have openssl 1.0.0-25 (also seeing it as 1.0.0-fips) installed on a test server running CentOS 6.3 (2.6.32-279.14.1.el6.x86_64). It is the latest one available from the CentOS repositories. I've downloaded and set up

Re: [openssl-users] Openssl not properly validating certificates?

2012-12-05 Thread Erwann Abalea
OpenSSL 1.0.1 works fine here, both with expired and revoked certificates (i.e. correctly reports the status). Could you share your elements (certs, CRLs)? -- Erwann ABALEA - chlorophytophonie: music for green plants On 05/12/2012 15:11, Will Nordmeyer wrote: Hi, I've done
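As an added example (not from the thread and not OpenSSL project code), the script below reproduces what Erwann's reply describes as working: it builds a throwaway CA with the openssl CLI, issues a good, a revoked and an expired leaf, publishes a CRL, and runs `openssl verify -crl_check` against each. It assumes an `openssl` binary on PATH (written for the 1.1.1/3.x command set); the CA config, its section names, the file names and the passphrase-less keys are all constructed for this demo.

```shell
#!/bin/sh
# Added example, not from the thread: throwaway CA + CRL, then check what
# `openssl verify -crl_check` reports for a good, a revoked and an expired leaf.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Hypothetical minimal CA configuration; section names are ours.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = ./ca.crt
private_key      = ./ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
unique_subject   = no
policy           = any_policy
x509_extensions  = leaf_ext
[ any_policy ]
commonName       = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
[ req ]
distinguished_name = dn
prompt           = no
x509_extensions  = ca_ext
[ dn ]
CN = demo-ca
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF

# Root CA: empty index/serial/crlnumber files plus a self-signed cert that
# carries basicConstraints CA:TRUE, which `openssl verify` requires of a v3 root.
make_ca() {
    mkdir -p ca/newcerts
    : > ca/index.txt
    echo 1000 > ca/serial
    echo 1000 > ca/crlnumber
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=demo-ca" -keyout ca.key -out ca.crt 2>/dev/null
}

# issue_cert NAME [extra `openssl ca` options]: key + CSR + CA-signed cert.
issue_cert() {
    name=$1; shift
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
        -subj "/CN=$name" -keyout "$name.key" -out "$name.csr" 2>/dev/null
    openssl ca -config ca.cnf -batch -notext \
        -in "$name.csr" -out "$name.crt" "$@" 2>/dev/null
}

# (Re)publish the CRL from the CA database.
gen_crl() { openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null; }

# check_cert FILE: prints the verify result and returns openssl's exit status.
# Note the CRL is only consulted because -crl_check is given.
check_cert() {
    openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl "$1" 2>&1
}

make_ca
issue_cert good-leaf
issue_cert revoked-leaf
# Validity window entirely in 2012: `openssl ca` signs it without complaint.
issue_cert expired-leaf -startdate 120101000000Z -enddate 120201000000Z

gen_crl                                                  # empty CRL
openssl ca -config ca.cnf -revoke revoked-leaf.crt 2>/dev/null
gen_crl                                                  # CRL now lists revoked-leaf

for c in good-leaf revoked-leaf expired-leaf; do
    if check_cert "$c.crt"; then echo "$c: accepted"; else echo "$c: rejected"; fi
done
```

Without `-crl_check` the CRL is never consulted and the revoked leaf is reported OK; `-crl_check_all` extends the lookup to every CA in the chain, which then needs a CRL for each issuer. If a build lacks `-CRLfile`, the CRL PEM block can be appended to the `-CAfile` bundle, since that loader accepts certificates and CRLs from the same file.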

Re: [openssl-users] Openssl not properly validating certificates?

2012-12-05 Thread Will Nordmeyer
They are U.S. gov't certificates CRLs, so providing them is a little complicated. Before I had the proper root intermediate CAs loaded and hashed, I would get errors about missing certs in the chain. Similarly, before I loaded the CRL, it would have issues. The CERTs are in PEM formats, as well

Re: [openssl-users] Openssl not properly validating certificates?

2012-12-05 Thread Dr. Stephen Henson
On Wed, Dec 05, 2012, Will Nordmeyer wrote: They are US. gov't certificates CRLs, so providing them is a little complicated. Before I had the proper root intermediate CAs loaded and hashed, I would get errors about missing certs in the chain. Similarly, before I loaded the CRL, it would

Re: [openssl-users] Openssl not properly validating certificates?

2012-12-05 Thread Will Nordmeyer
On Wed, Dec 5, 2012 at 10:47 AM, Dr. Stephen Henson st...@openssl.org wrote: On Wed, Dec 05, 2012, Will Nordmeyer wrote: They are US. gov't certificates CRLs, so providing them is a little complicated. Before I had the proper root intermediate CAs loaded and hashed, I would get errors

Re: [openssl-users] Openssl not properly validating certificates?

2012-12-05 Thread Dr. Stephen Henson
On Wed, Dec 05, 2012, Will Nordmeyer wrote: On Wed, Dec 5, 2012 at 10:47 AM, Dr. Stephen Henson st...@openssl.org wrote: On Wed, Dec 05, 2012, Will Nordmeyer wrote: They are US. gov't certificates CRLs, so providing them is a little complicated. Before I had the proper root

Re: [openssl-users] Openssl not properly validating certificates?

2012-12-05 Thread Will Nordmeyer
On Wed, Dec 5, 2012 at 11:22 AM, Dr. Stephen Henson st...@openssl.org wrote: On Wed, Dec 05, 2012, Will Nordmeyer wrote: On Wed, Dec 5, 2012 at 10:47 AM, Dr. Stephen Henson st...@openssl.org wrote: On Wed, Dec 05, 2012, Will Nordmeyer wrote: They are US. gov't certificates CRLs, so

Re: [openssl-users] Openssl not properly validating certificates?

2012-12-05 Thread Jakob Bohm
On 12/5/2012 5:30 PM, Will Nordmeyer wrote: On Wed, Dec 5, 2012 at 11:22 AM, Dr. Stephen Henson st...@openssl.org wrote: On Wed, Dec 05, 2012, Will Nordmeyer wrote: On Wed, Dec 5, 2012 at 10:47 AM, Dr. Stephen Henson st...@openssl.org wrote: On Wed, Dec 05, 2012, Will Nordmeyer wrote: They

Re: [openssl-users] Openssl not properly validating certificates?

2012-12-05 Thread Will Nordmeyer
On Wed, Dec 5, 2012 at 12:18 PM, Jakob Bohm jb-open...@wisemo.com wrote: On 12/5/2012 5:30 PM, Will Nordmeyer wrote: On Wed, Dec 5, 2012 at 11:22 AM, Dr. Stephen Henson st...@openssl.org wrote: On Wed, Dec 05, 2012, Will Nordmeyer wrote: On Wed, Dec 5, 2012 at 10:47 AM, Dr. Stephen Henson

openssl rsa command

2012-12-05 Thread Alex Chen
I am trying to change the password of a private key with 'openssl rsa' command. The original key file, server.key.enc has the following format: -----BEGIN ENCRYPTED PRIVATE KEY----- -----END ENCRYPTED PRIVATE KEY----- When I used the command openssl rsa -in server.key.enc -passin

Re: How to over-ride SSL_CTX_use_PrivateKey_file() behavior with custom engine

2012-12-05 Thread Kent Yoder
Hi Ashok, On Wed, Dec 5, 2012 at 12:29 AM, Ashok C ash@gmail.com wrote: Hi, Our current SSL server loads plain-text private keys using the SSL_CTX_use_PrivateKey_file() method. We are moving from this strategy to use custom encrypted private keys using the TPM concept. For this, we have

Head check on SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option

2012-12-05 Thread no_spam_98
The SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option only affects how the OUTBOUND (i.e. SSL_write) records are split (or not), correct?  It doesn't define any behavior for how the INBOUND records (i.e. SSL_read) should be split (or not), correct? So, it's possible that different sides of an SSL

Re: How to over-ride SSL_CTX_use_PrivateKey_file() behavior with custom engine

2012-12-05 Thread Dr. Stephen Henson
On Wed, Dec 05, 2012, Ashok C wrote: Hi, Our current SSL server loads plain-text private keys using the SSL_CTX_use_PrivateKey_file() method. We are moving from this strategy to use custom encrypted private keys using the TPM concept. For this, we have an engine implemented. Now the

Re: How to over-ride SSL_CTX_use_PrivateKey_file() behavior with custom engine

2012-12-05 Thread Ashok C
Thanks Steve and Kent for the pointers. Makes things clear for now. On Thu, Dec 6, 2012 at 4:22 AM, Dr. Stephen Henson st...@openssl.org wrote: On Wed, Dec 05, 2012, Ashok C wrote: Hi, Our current SSL server loads plain-text private keys using the SSL_CTX_use_PrivateKey_file() method.

Re: openssl rsa command

2012-12-05 Thread Christian Hohnstaedt
On Wed, Dec 05, 2012 at 10:38:59AM -0800, Alex Chen wrote: I am trying to change the password of a private key with 'openssl rsa' command. The original key file, server.key.enc has the following format: -----BEGIN ENCRYPTED PRIVATE KEY----- -----END ENCRYPTED PRIVATE KEY----- This is
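Changing the passphrase on a PKCS#8 "ENCRYPTED PRIVATE KEY" file, as an added example that is not part of the thread or of OpenSSL itself: `openssl pkcs8 -topk8` re-wraps the key under a new passphrase and keeps the PKCS#8 envelope, whereas `openssl rsa` on 1.x releases writes the legacy "RSA PRIVATE KEY" form. It assumes `openssl` on PATH; the key file names and the passphrases `old-pass`/`new-pass` are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: re-encrypt a PKCS#8 private key under a
# new passphrase, keep it PKCS#8, and prove the old passphrase no longer opens it.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed input: a fresh RSA key stored as PKCS#8, encrypted with "old-pass".
make_encrypted_key() {
    openssl genrsa -out plain.key 2048 2>/dev/null
    openssl pkcs8 -topk8 -in plain.key -out server.key.enc -passout pass:old-pass
}

# rekey OLD NEW: decrypt server.key.enc with OLD, write server.key.new under NEW.
# -topk8 keeps the "ENCRYPTED PRIVATE KEY" (PKCS#8) envelope.
rekey() {
    openssl pkcs8 -topk8 -in server.key.enc -passin "pass:$1" \
        -out server.key.new -passout "pass:$2"
}

# opens FILE PASS: returns 0 if PASS decrypts FILE, non-zero otherwise.
opens() { openssl pkey -in "$1" -passin "pass:$2" -noout 2>/dev/null; }

# pem_label FILE: the label of the first PEM block, e.g. "ENCRYPTED PRIVATE KEY".
pem_label() { head -n 1 "$1" | sed 's/^-----BEGIN \(.*\)-----$/\1/'; }

make_encrypted_key
rekey old-pass new-pass
pem_label server.key.new
if opens server.key.new new-pass; then echo "new passphrase: OK"; fi
if opens server.key.new old-pass; then
    echo "old passphrase still works?!"
else
    echo "old passphrase: rejected"
fi
```

The same `-passin`/`-passout` pair works with `openssl rsa`, but on 1.0.x/1.1.x that command converts the output to the traditional PEM form with a `Proc-Type`/`DEK-Info` header, which is the format difference to look for when the re-encrypted file no longer looks like the original.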