Fun Fact: (For me) Gmail often marks completely legit emails from
mailing lists as spam and you manually have to mark them as "no spam".
The fun comes in when you notice that actual spam is not marked as
such at all.
Looks like strong encryption is much easier to develop than a decent
spam
I see. Thank you very much Jakob and Jeffrey!
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
2016-03-31 18:09 GMT+02:00 Jakob Bohm :
> On 31/03/2016 17:16, warron.french wrote:
> 3. Then create new server certificates for the 2 servers again.
>
> Yep, and give the new ones a slightly different "full"
> distinguished name (important for CRL and "ca" database).
> My
2015-12-13 22:57 GMT+01:00 Salz, Rich :
>
>> And we don't know on which client OP will have to use that pem file, thus
>> give advice that works on all clients, not just OpenSSL or GnuTLS or
>> whatever.
>
> It is quite reasonable to give openssl-specific answers on the
2015-12-13 3:53 GMT+01:00 Viktor Dukhovni :
>
> In other words, you can concatenate all the trusted root CA
> certs into the "cert.pem" file in that directory, but this
> has a performance cost, as all the certificates are loaded
> into memory and parsed even though most
2015-12-13 20:27 GMT+01:00 Viktor Dukhovni :
>
> This is both wrong and irrelevant. The OP should proceed as instructed.
> OpenSSL's CAfile feature reads multiple certificates from a single file.
Exactly that is the point. Only "linux based" tools will be able to
read
Hi,
so if I understand you correctly you want to create one file that
contains more than one CA certificate and can be installed onto
Windows, Mac, etc.? You can only do that if you create a p12 file and
that must contain a leaf certificate and its private key.
openssl pkcs12 -export -in
Tell the person who created the CSR that the value of the
stateOrProvinceName field has to be HK. If that is not possible
because the subCA is in a different country you can change your
openssl.cnf to allow different values in that field so instead of
stateOrProvinceName = match you have to use at
That guide is a little bit old and not very accurate. I set up my PKI
using the OpenSSL Cookbook recommended to me by Rich Salz. This free
guide / documentation is here:
https://www.feistyduck.com/books/openssl-cookbook/ (Click "Free: Read
Now" below the cover image). I also used various other
://drive.google.com/file/d/0B8gf20AKtya0Y2tLOU1FaGFnUE0/view?usp=sharing
2015-11-04 16:06 GMT+01:00 Ben Humpert <b...@an3k.de>:
> That guide is a little bit old and not very accurate. I set up my PKI
> using the OpenSSL Cookbook recommended to me by Rich Salz. This free
> guide / docume
Take a look in your openssl.cnf and you should see the option serial
with a path / file specified. The serial number is taken from that
file. If the file doesn't exist or is empty when the very first
certificate is created then 01 is used as a serial for it.
Rich Salz recommended me this SSL
2015-06-24 1:35 GMT+02:00 Jakob Bohm jb-open...@wisemo.com:
On 19/06/2015 16:24, Ben Humpert wrote:
When the CSR contains an email address and the email_in_dn setting in
the config file is set to no the email address is actually present
in the issuer DN but not in the subject DN. This causes
Do you use nameConstraints or have specified IP in subjectAltName?
Because OpenSSL can't handle that correctly.
2015-06-29 22:51 GMT+02:00 David Li dlipub...@gmail.com:
Hi,
As a test, I have created a rootCA, a subCA (signed by the rootCA) and
a client cert (signed by the subCA). Now I want
;DNS.0 = example.com
client configuration file has subjectAltName:
subjectAltName = DNS: www.cs.com
So is this a mismatch? How come s_client/s_server test was okay?
On Mon, Jun 29, 2015 at 2:12 PM, Ben Humpert b...@an3k.de wrote:
Do you use nameConstraints or have specified IP
When the CSR contains an email address and the email_in_dn setting in
the config file is set to no the email address is actually present
in the issuer DN but not in the subject DN. This causes errors when
verifying certificate chains since the subject hash is used to
identify a cert but the issuer
As a workaround try running openssl with the -config command line option.
2015-06-04 22:17 GMT+02:00 Cathy Fauntleroy cathy.fauntle...@vdtg.com:
Hello,
I have OpenSSL 1.0.2a installed on my Windows 7 box. I am attempting to
generate a CSR so new security certificates can be issued and am
Hi,
Based on
https://tools.ietf.org/pdf/draft-wilson-wpkops-browser-processing-02.pdf
section 3.3.1.2. I ran my own tests. I wrote an email
(https://mta.openssl.org/pipermail/openssl-users/2015-May/001387.html)
with the results (attachments in
2015-05-27 8:17 GMT+02:00 Jakob Bohm jb-open...@wisemo.com:
Maybe the Android user interface is really asking about
something other than the issuing CA cert.
What are you trying to achieve by selecting a CA cert
in the client UI?
The official Google documentation as well as other sources say
2015-05-27 14:02 GMT+02:00 Jakob Bohm jb-open...@wisemo.com:
Just to clarify: The log messages in your original post,
were those from Android or from the server?
These are from the RADIUS server debug output.
Hi everybody,
I have my RADIUS server running and Windows as well as MacOS and iOS
can successfully authenticate using EAP-PEAP, EAP-TTLS or EAP-TLS each
with server certificate validation. However, Android 4.4.4 can not and
I can't figure out why.
The complete Cert Chain:
Root CA
-
Technical report: https://weakdh.org/imperfect-forward-secrecy.pdf
Check your browser (currently all are affected) at https://weakdh.org/
Check your Server at https://weakdh.org/sysadmin.html
Deploying Guide: https://weakdh.org/sysadmin.html
Ok, after plenty of testing and some googling: the name constraints
extension is ... improvable. I ran plenty of tests but it looks like
the extension is not very well implemented in today's browsers.
I have attached three txt files (DOS format) with the settings and
results of each test run.
I love that when it happens :)
2015-05-12 16:56 GMT+02:00 Ben Humpert b...@an3k.de:
Ok, after plenty of testing and some googling: the name constraints
extension is ... improvable. I ran plenty of tests but it looks like
the extension is not very well implemented in today's browsers.
I
Hi,
I read the OpenSSL Cookbook by Ivan Ristic and saw how he configured
nameConstraints so I adapted it for my setup.
First I tried the following but that doesn't work.
permitted;DNS.0=lan
permitted;DNS.1=local
permitted;IP.0=10.0.0.0/255.0.0.0
permitted;IP.1=172.16.0.0/255.240.0.0
2015-05-09 21:47 GMT+02:00 Salz, Rich rs...@akamai.com:
After getting into building and especially configuring my own CA again I'm
nearly at the end and I've noticed some errors in the documentation I want
to report.
I like the again :)
Yeah, once upon a time I had done a comprehensive
Hello list!
After getting into building and especially configuring my own CA again
I'm nearly at the end and I've noticed some errors in the
documentation I want to report.
1) On https://www.openssl.org/docs/apps/ca.html for the -md option not
all possible values (sha256, sha384, etc.) are list