id-pda-dateOfBirth in Subject?

Hello, can someone please tell me the correct syntax and/or give me an example of using NID id-pda-dateOfBirth when requesting a certificate by calling openssl req -config openssl.cnf -new -key cert.key -subj /.../id-pda-dateOfBirth=? -out cert.csr must there be something special in the

AES GCM + padding

Hi, I'm playing around with EVP_aes_128_gcm. This works, but it seems that EVP_* does not include padding. Is this expected/needed or did I miss a step? Thanks Dirk __ OpenSSL Project

Re: Obtaining a TLS session key

On Fri, Feb 8, 2013 at 12:11 AM, T J jordan.tre...@gmail.com wrote: TLS keying material exporter, i.e., SSL_export_keying_material(), will make your life much easier if you are just looking for a mechanism to derive suitable keys for other uses assuming you are using recent enough OpenSSL.

build CSR with x500UniqueIdentifier

I need to build an CSR with x500UniqueIdentifier as subject like this | openssl req -noout -text -in csr.pem| |Certificate Request: Data: Version: 0 (0x0) Subject: x500UniqueIdentifier=karsten.reimers Subject Public Key Info: Public Key Algorithm:

Re: AES GCM + padding

It is a feature of GCM that the ciphertext (excluding the authentication tag) is identical length to the plaintext. Therefore no padding is required. Matt On 8 February 2013 14:27, Dirk Menstermann noadsple...@web.de wrote: Hi, I'm playing around with EVP_aes_128_gcm. This works, but it

Is ordering of distinguished names for subject and issuer in OpenSSl 0.9.8 certificates important?

Dear All, I am working on an embedded product which has the OpenSSL 0.9.8w library and acts as a client. It is communicating with another product which has the OpenSSL 0.9.8e library and acts as a server. A customer has supplied the client certificate for the server and the associated root CA

Re: AES GCM + padding

Thank you Matt! On 08.02.2013 16:33, Matt Caswell wrote: It is a feature of GCM that the ciphertext (excluding the authentication tag) is identical length to the plaintext. Therefore no padding is required. Matt On 8 February 2013 14:27, Dirk Menstermann noadsple...@web.de

RE: Is ordering of distinguished names for subject and issuer in OpenSSl 0.9.8 certificates important?

I think either you mis-read the web page, or the author is confused. Looking at RFC 2253, it quotes X.501 which says: DistinguishedName ::= RDNSequence RDNSequence ::= SEQUENCE OF RelativeDistinguishedName RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndValue

Re: [openssl-users] Is ordering of distinguished names for subject and issuer in OpenSSl 0.9.8 certificates important?

Since you need authoritative elements, start by downloading and reading authoritative documents (all are freely available from ITU-T website). X.509, section 7: - [...] The issuer and subject fields of each certificate are used, in part, to identify a valid path. For each pair of adjacent

Re: [openssl-users] Is ordering of distinguished names for subject and issuer in OpenSSl 0.9.8 certificates important?

Ording is important. unfortunately the default order shown in the textual form is not the same as for ldap tools. using openssl asn1parse shows the encoding, country code should come first. __ OpenSSL Project

Only in FIPS mode: Crash in X509_sign() with memory corruption

I'm hoping someone has some insight into what I'm doing wrong or if I've just bumped up against a bug. I'm using Visual Studio 2008 on Windows 8 and am in the process of running existing code with FIPS enabled. As expected a few things don't work, but in this case, I'm a bit stumped. I've