a get_by_fingerprint function, but it never gets called.
--
Chris Bare
Thanks, I'll check those out.
On Tue, May 3, 2022 at 4:53 PM William Roberts
wrote:
> On Tue, May 3, 2022 at 3:18 PM Chris Bare wrote:
> >
> >
> > On Tue, May 3, 2022 at 3:10 PM William Roberts
> wrote:
> >>
> >> On Tue, May 3, 2022 at 1:14 PM Chris
On Tue, May 3, 2022 at 3:10 PM William Roberts
wrote:
> On Tue, May 3, 2022 at 1:14 PM Chris Bare wrote:
> >
> > I'm converting some openssl 1.0 code to 3.0 and I don't know how to get
> the coordinates
> > in a 3.0 way.
> > The old code is:
> > BN_CTX *ctx =
= EC_KEY_get0_public_key ((EC_KEY *) EVP_PKEY_get0 (pkey));
group = EC_KEY_get0_group ((EC_KEY *) EVP_PKEY_get0 (cvr->sm_pkey));
EC_POINT_get_affine_coordinates_GFp (group, pubkey, X, Y, ctx)
What would be the 3.0 way to get X and Y without using deprecated functions?
--
Chris Bare
Thanks,
Chris
On Wed, 30 Mar 2022 at 16:32, Todd Short wrote:
> Each OS distribution may choose to enable/disable features as they see
> fit. And they may also patch the code.
>
> It's likely RHEL disabled the functionality.
>
> You would need to download the RPM source, buil
me output
Would someone be able to confirm what is going on here?
Does the above script suggest a problem with the OpenSSL-Libs?
Am I looking in the right places to confirm a difference between the two
VMs?
Thanks,
Chris
This is my first post. OpenSSL is not my forte.
The code below returns an unexpected checksum value for openssl-1.1.1i..
Strangely, when the same code is run for a previous version, the correct
checksum value is returned. Here is what I’ve tried:
1. Downloaded the current SHA256 value for
Hi openssl-users,
I am researching the known vulnerabilities of open source software that we
are considering. According to the NIST NVD web site, the 1.1.1d version of
OpenSSL has a few known vulnerabilities:
Hello,
I am trying to compile an openSSL wrapper for use on android, using fipsld to
generate a fips compliant so file.
It seems that android favors cmake now, so I was wondering if anyone got the
fipsld steps working within cmake successfully and can give any pointers
Thanks
> On Jan 7, 2019, at 11:52, Chris Fernando via openssl-users
> wrote:
>
>>
>> On Jan 7, 2019, at 09:20, Chris Fernando via openssl-users
>> wrote:
>>
>> I perused the list archives for all of 2018 and did not see anything current
>> relat
>
> On Jan 7, 2019, at 09:20, Chris Fernando via openssl-users
> wrote:
>
> I perused the list archives for all of 2018 and did not see anything current
> relating to this problem, so if this is a question that has been asked &
> answered, please feel free to
it work?
Any help would be greatly appreciated.
Thanks,
Chris
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
ace to
put the client's identity, but maybe it is still better to use
subjectAltName?
- Chris
> Actually, per the latest CA/Browser forum guidelines, subject.CN is not
> only optional but “discouraged”.
>
> -FG
>
>> On Dec 23, 2018, at 4:29 PM, Kyle Hamilton wrote:
>
Is there a simple way of excluding unwanted ciphers or cipher suites
during a build?
I would like to remove ARIA in particular, but may want to remove
additional ones in order to use a smaller footprint.
1.1-stable-SNAP-20181018.
On Tue, Oct 23, 2018 at 3:31 AM Chris Clark wrote:
>
> Next I tried an older stable snapshot
> openssl-1.1.1-stable-SNAP-20181018 which configured without issue, but
> I got a different compile result:
>
> cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /
clared identifier
crypto\rand\drbg_ctr.c(422) : error C2065: 'INT32_MAX' : undeclared identifier
crypto\rand\drbg_ctr.c(423) : error C2065: 'INT32_MAX' : undeclared identifier
crypto\rand\drbg_ctr.c(424) : error C2065: 'INT32_MAX' : undeclared identifier
NMAKE : fatal error U1077: '"C:
> > You found a bug in crypto\sm2\sm2_sign.c, thank you. Are you willing
> > to write up a Github issue for it?
> >
> > In message
> > on
> > Tue, 23 Oct 2018 01:22:34 -0700, Chris Clark said:
> >
> > > Thank you Richard. Adding the "no-makedepe
XE"' : return code '0x2'
Stop.
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual
Studio 9.0\VC\BIN\amd64\nmake.exe"' : return code '0x2'
Stop.
On Tue, Oct 23, 2018 at 12:19 AM Richard Levitte wrote:
>
> I suspect you'll find some kind of error message in
> cry
> HTH,
> > Matthias
> >
> >
> > > > -Original Message-
> > > > From: openssl-users On Behalf Of
> > > > Chris Clark
> > > > Sent: Tuesday, 23 October 2018 08:51
> > > > To: openssl-users@openssl.org
> > > > Subject: [open
I am attempting to upgrade a project using OpenSSL 1.0.0h to version
1.1.1 under Visual Studio 2008-SP1, but when I try to compile version
1.1.1 for VC-WIN64A I get the following compile error:
cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo
/O2 /I "." /I "crypto\include"
On Behalf
>> Of Matt Caswell
>> Sent: Wednesday, September 12, 2018 14:29
>>
>> On 12/09/18 19:24, Chris Outwin wrote:
>>> I’m an OpenSSL newbie and this is my first post. I’m using OpenSSL for
>> receipt validation in an iOS application.
>>>
>>>
I’m an OpenSSL newbie and this is my first post. I’m using OpenSSL for receipt
validation in an iOS application.
Is there a list of checksums to verify openssl download versions? I believe I
should be using openssl-1.0.2p. Can openssl-1.1.1 be used in a production
application yet? Why
> Of course people have been harvesting entropy, or trying to, from network
> sources for decades. There's a famous paragraph regarding it in RFC 4086,
> which is an expanded version of a similar statement from RFC 1750 (1994):
>
> Other external events, such as network packet arrival times
As it happens I am the proud owner of a made-in-UK Mathmos Lava Lamp and a
couple of their Space Projectors : however I don't use them as a RNG.
I am thinking more about the fact that there are a lot of devices which
* have no hardware TRNG on board
* do have one or more connections to wired or
I've also encountered this quite often, and I have a feeling that on
today's connected devices there may be a lot of entropy "in the air"
(quite literally) which is not being captured. Does any one know of
research in this area?
> Hi Scott
>
> I don’t know your OS or environment, have you
false);
but after that the nmap script doesn't find any ciphers.
Any suggestions?
--
Chris Bare
for taking an encrypted string, and
"backing in" to the details of how it was created? (ie what algorithm,
etc?)
Thanks,
Chris
On Mon, Jan 15, 2018 at 2:01 PM, Chris B <cryptoassetrecov...@gmail.com>
wrote:
> Hi Daniel,
>
> >Option #1 from the possibilities you mentione
Hi Daniel,
>Option #1 from the possibilities you mentioned below seems to be the most
logical to me.
Thank you, that's very helpful.
Thanks,
Chris
On Mon, Jan 15, 2018 at 1:29 PM, Sands, Daniel <dnsa...@sandia.gov> wrote:
> On Sun, 2018-01-14 at 18:26 -0500, Chris B wrote:
Hi Matt,
>If you *are* using 1.1.0 then the default digest was changed between 1.0.2
and 1.1.0.
Awesome thought, but I'm also using 1.0.2:
$ openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
(I also tried adding -md md5 to the previous command, but I got the same
error message).
Thanks,
Ch
t
139845090879392:error:0606506D:digital envelope
routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:581:
Which brings me back to the original question. Does anyone know how to
interpret "EVP_DecryptFinal_ex:wrong final block length"
Thanks!
-Chris
On Sun, Jan 14, 2018 at 11:2
routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:581:
Thanks,
Chris
On Sun, Jan 14, 2018 at 10:39 AM, Salz, Rich via openssl-users <
openssl-users@openssl.org> wrote:
> For CBC the encrypted text will be a multiple of the cipher size. So your
> use of CBC is wrong. The quoted post uses aes2
private key -- its length
must be a multiple of the AES block length.
o Something else entirely
Can anyone help me understand how to interpret this error message?
Thanks,
Chris
?
Note that we are not only talking about servers here, rather we currently
have only one internet-facing server (HTTPS) and a growing number of
XXX-over-TLS clients, so if anything these are a greater source of
concern.
Any pointers are very welcome!
Chris Gray
I'm struggling with a PKCS7 signing operation using openssl 1.0.2g.
I want to create signed messages like the one in my 'original' file
(below). It seemed like extracting and then re-signing this message would
be a good start.
I'm able to verify/unpack the original message, but not able to sign
own protocol
and BIO_do_connect fails as expected, but BIO_free gives this error:
SSL_shutdown:shutdown while in init
If I don't free it, I have a memory leak.
Is there something else I need to do to clean up the BIO?
I tried calling BIO_do_handshake, but that crashes (not surprised).
--
Chris B
You should be able to do this using stunnel: see for example
https://www.elastic.co/guide/en/cloud/current/tunneling-ssl.html
where your telnet commands would be the "client which supports only http".
But you can also learn a lot by playing with curl ...
> I know that this is a TLS related
My application links to OpenSSL 1.1.0 dynamically, and I would like to
be able to determine if the CPU supports the AES-NI instruction set.
Is there an OpenSSL API that can do this?
-Chris
On Thu, Jan 19, 2017 at 10:36 AM, Matt Caswell <m...@openssl.org> wrote:
> Try this:
>
> openssl ciphers -v "ALL:@SECLEVEL=0"
Okay that worked! Thanks to everyone that responded. I saw Rich Salz
mentioned using ALL, but I didn't realize it was a parameter.
-Chris
c=AES(128) Mac=SHA256
PSK-AES128-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1
-Chris
T PREFIX=C:\openssl64
SET OPENSSLDIR=C:\openssl64
perl Configure VC-WIN64A enable-weak-ssl-ciphers enable-deprecated enable-rc4
nmake
>> I would also like to know, is it possible to also enable the depreciated SSL3
>> ciphers?
>
> Do you mean the ciphers or the protocol? Many SS
C4 ciphers.
Is there another parameter needed?
I would also like to know, is it possible to also enable the
depreciated SSL3 ciphers?
-Chris
we
and our customers use (which includes OpenSSL).
Thanks for any indications
Chris Gray
a function that
will return just the digest algorithm?
I'm trying to be as flexible as possible, so I don't want to hard code this
or have my own limited lookup table.
On Thu, Jul 7, 2016 at 2:54 PM, Jakob Bohm <jb-open...@wisemo.com> wrote:
> On 07/07/2016 20:08, Chris Bare wrote:
>
>>
BJ_NAME_get = (nil)
EVP_get_digestbyobj failed
So it looks like my sig_alg_oid is good, but OBJ_NAME_get fails.
I am using openssl 1.0.2d-0ubuntu1.5 in ubuntu 15.10
Am I doing something wrong, or could this be a bug in the library?
Any suggestions appreciated.
--
Chris Bare
Is there a public interface to access the X and Y elements of an Ecc public
key?
I tried:
EC_KEY *ecc;
BN_num_bytes (ecc->pub_key->X);
but get the compiler error:
error: dereferencing pointer to incomplete type ‘EC_KEY {aka struct
ec_key_st}’
--
Chris Bare
sort of SSL handshake fallback error? Is there anything we can do
in terms of configuration? Are we barking up the wrong tree?
All input/questions welcome.
Thanks
Chris
---
Chris Puttick
CEO & Chief Asst to the duck
TwoTen
http://twoten.is
Making the Internet better. For kids.
+44 7908 997
> On Wed, Mar 2, 2016 at 12:27 PM, Neptune wrote:
> [...]
> You can perform initialization in a static C++ ctor, but it can be
> tricky because the C++ committee has never addressed the problem of
> initialization order across translation units. Also see What's the
> "static
Hi Rich,
I'm curious why the new download page lists version 1.01p before version 1.02d?
Is it suggesting that users download the 1.01 branch instead of the later one?
-Chris
On Fri, Aug 14, 2015 at 1:26 PM, Salz, Rich rs...@akamai.com wrote:
From: Salz, Rich [mailto:rs...@akamai.com]
Sent
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_RSA_WITH_DES_CBC_SHA
The above are weak (e.g. vulnerable to freak), no argument there, but just
want to ensure these are not vulnerable to this newly published bug.
Thanks all!
Chris.
What is the security risk?
Management ? :)
There could be a perceived problem that the world now knows that company
X has problems with OpenSSL, and a competitor could even try to make
mischievous use of this information - it happened to me once (with
another technology).
Death of developer
.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Many thanks Steve for the prompt response!
That fixed it.
Chris
Hi,
I am playing with openssl 1.0.2a - specifically CMS support for ECC.
But what I think should work doesn't.
Commands used and parsed data shown.
(I gave an RSA example as a known good working example)
./openssl version
OpenSSL 1.0.2a 19 Mar 2015
echo -n 12345678123456781234567812345678
Dr. Stephen Henson wrote (on Wed 21-Jan-2015 at 14:53 +):
On Tue, Jan 20, 2015, 'Chris Hall' wrote:
...
I find that the EVP_aes_256_gcm for decrypt requires the Tag to be
set before the first call of EVP_DecryptUpdate(), and
EVP_DecryptFinal_ex() will then return 0 if the Tag is found
encrypts an arbitrary amount
of data and starts sending it before all of it has been encrypted. What
I have found so far seems to require me to receive all the cipher-text,
and only when the Tag (finally) arrives, can I start to decrypt :-(
Thanks,
Chris
I have implemented a H/W encryption driver and have integrated it with cryptodev. In eng_cryptodev.c there is an array digests[]. In that array it defines CRYPTO_MD5 to have a keylen of 16. In cryptodev, the xform.c file defines MD5 to have a keylen of 0. Why is the keylen not zero for the MD5
!
___
openssl-users mailing list
openssl-users@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-users
--
Chris Bare
generation.
Chris.
As the maintainer of an alternative JavaVM I can confirm that we
absolutely had to support library unloading because one customer was using
it heavily - and that was quite a few years ago. Early Sun VMs didn't
support library unloading, but then those VMs also did not garbage-collect
obsolete
that Windows has
started to favor the slower ECC ciphers, but I need a way to prove it.
--
Chris Bare
Henson st...@openssl.org
wrote:
On Fri, Nov 21, 2014, Chris Bare wrote:
Is there a way to query the BIO or SSL object to see which cipher is
being
used?
I have a case where my openssl client's performance is significantly
slower
when talking to server A vs server B. AFAIK, the only
this via openssl functions, can anyone enlighten me?
--
Chris Bare
Thanks Wim.
On Tue, Apr 8, 2014 at 10:36 PM, Wim Lewis w...@omnigroup.com wrote:
On 8 Apr 2014, at 7:14 PM, Chris Hill wrote:
Team, I am having a discussions with a few friends about why this
OpenSSL vuln (CVE 2014-0160) does not affect SSH. This may be TOO basic for
many of you
Can anyone confirm my understanding that the FIPS 140-2 certified module is
NOT affected by the CVE 2014-0160 vulnerability?
--
Chris Bare
Regards
Chris Gray
On 11 January 2014 19:46, M. V. bored_to_deat...@yahoo.com wrote:
Hi everybody,
I'm writing an application that creates multiple non-blocking SSL
connections to an https server, in each one I send a request and read
the
server's response. my problem is, whatever I do, I can't
meetup.com.
Thanks,
Chris Westin
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager
in
1.0.1e?
-Chris
Issue is fixed.
So long as it's OK to generate the same random bytes at each power-on.
This is quite a common problem with embedded devices: even after boot it
can be hard to find entropy with which to seed the PRNG. The usual
sources which are used in a PC environment (keystrokes, ethernet
On Aug 8, 2013, at 2:45 PM, Ted Byers r.ted.by...@gmail.com wrote:
I obtained a NAS, with a view toward running MySQL on a sever running
MS Small Business Server 2003 (yes, I know, it is old, but I don't
have authority to upgrade it or wipe it and install Linux on it).
Anyway, the latest
On May 12, 2013, at 6:38 PM, Salz, Rich wrote:
Many people find the four-letter word at the start of your domain name
offensive.
I'm assuming you know English well enough to know that, and chose it
deliberately.
That's reading beyond the cover.
It broadcasts a general lack of respect
in CMS_verify.
If not, I have some experience working with the openssl source code, but
some pointers would be appreciated.
--
Chris Bare
On Mon, Sep 12, 2011, Stef Hoeben wrote:
Hi,
we have an SOD (a CMS for e-passports and e-ID cards) file that we can
read
out and verify nicely
.
--
Chris Bare
On Mon, Sep 12, 2011, Stef Hoeben wrote:
Hi,
we have an SOD (a CMS for e-passports and e-ID cards) file that we
can read
out and verify nicely if the signature algo is RSA_PKCS1_PADDING.
But if the algo is RSA_PKCS1_PSS_PADDING (see attached txt for an asn1
dump
with the openssl code, and could try to fix it
myself, but pointers would be helpful.
-- Chris Bare
On Mon, Sep 12, 2011, Stef Hoeben wrote:
Hi,
we have an SOD (a CMS for e-passports and e-ID cards) file that we can
read
out and verify nicely if the signature algo is RSA_PKCS1_PADDING
, but it seems it should be possible to do something
more general.
Chris Dodd
d...@csl.sri.com
On Thu, Dec 6, 2012 at 2:16 AM, Ralph Holz
ralph-openssl-...@ralphholz.de wrote:
-CAfile file    A file of trusted certificates.
The lookup first looks in the list of untrusted certificates and if no
match is found the remaining lookups are from the trusted certificates.
The root CA is
On Thu, Dec 6, 2012 at 12:00 PM, Erwann Abalea
erwann.aba...@keynectis.com wrote:
There's the same behaviour with -CAfile. If -CAfile isn't specified, then
the default platform CA file is used (by default, /usr/lib/ssl/cert.pem).
This is true for verify, ocsp, smime, and cms.
Oh, right. New
is it the
OpenSSL library that is creating the actual alert pop-up boxes? And if
so, how can I suppress them?
Thanks,
--
Chris Long
Programmer/Analyst
Charitable Gaming Division
Canadian Bank Note Company Ltd.
Phone: 705-251-1559
Cell: 705-257-1261
Hi,
Just a quick question. Does OpenSSL 1.0.1c support renegotiation of TLS
clients? I'm programming a small server/client and if my SSL_method is
SSLv23_method()'s or TLSv1_method()'s and they negotiate a TLS
connection I'm having trouble getting them to renegotiate.
--
Chris Long
information or clarification as requested.
Thank you,
--
Chris Long
Programmer/Analyst, Bingo Systems
Lottery Systems Division
Canadian Bank Note Company Ltd.
Hi all! I am trying to generate Certs for use with strongswan VPN.
Specifically, I am trying to fulfill:
http://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq
So as to use windows 7 builtin VPN client. Has anyone here done this with
strongswan? Can anyone point me to a doc that has
clear
that using 112 bits of entropy to generate an RSA key (of any length)
cannot possibly give you more that 56 bits of security, and probably
far less.
Chris Dodd
d...@csl.sri.com
I love this toolset; definitely value-add for the community!
I am using OpenSSL to run through a sizable number of web server
connections (~500), and tell me which certs are getting ready to expire. My
utility has worked for a while (a couple years?) on 1.0.0 Beta3, and I
recently upgraded to
Hi Dave,
Thanks for your ideas and response. Especially the explanation of CApath;
very informative.
You're right, I'm on version 'g' not 'n'. I'd say it was a typo, but I
really thought I was on 'n'. ;)
-Chris
On Fri, Feb 3, 2012 at 4:48 PM, Dave Thompson dthomp...@prinpay.com wrote
(val); - uninitialized variable val used
...
Since the variable is uninitialized, it could be non NULL, which if
passed to OPENSSL_free could potentially cause a crash.
A solution to this problem would be to assign val to 0.
Thanks,
Chris
--
Chris Wilson
http://vigilantsw.com/
Vigilant
...the certificate part of the command is displayed with the
hashed cert.
What can I do to fix this problem?
Regards, Thanks for the help ahead of time.
Chris Johnson
SR. Software Engineer, MSE.
FEMA NCP RE
Office: (202)646-3531
Cell: (202)577-7441
with RSA and prepend that
to the encrypted file.
-chris
On 06/27/2011 09:00 AM, ml.vladimbe...@gmail.com wrote:
Hello.
I tried to encrypt a file(1Mb), with RSA private key of 4096-bit
length with command:
openssl rsautl -encrypt -pubin -inkey rsapublickey.pem -in 2.txt -out
2
stack
traces in the leak reports. You need a depth of 15-20 to get far enough
to see where your code is calling into the OpenSSL code in most cases.
There's probably a similar option for IBM purify.
-chris
and
wrapping a mutex acquire around every call into the library. Is
this kind of locking expected to be needed?
Chris Dodd
cd...@csl.sri.com
.
Is this the expected behavior of the BIO_f_buffer on a read?
If so, is the only alternative to track a read and a write bio? I assume that
I can read from the bio under the BIO_f_buffer without causing problems, is
that correct.
--
Chris Bare
ch...@bareflix.com
that expect 0.9.8 data files. Also programs linked with 0.9.8
libraries will have to be rebuilt to use the 1.0.0 libraries since the major
version number has changed.
Let's hope debian or ubuntu packages 1.0.0 soon.
--
Chris Bare
ch...@bareflix.com
Has anyone seen .deb packages for openssl 1.0.0?
I took a quick stab at converting the 0.9.8 debian files, but I ran into a lot
of problems and it takes a long time to debug.
--
Chris Bare
ch...@bareflix.com
Not discouraged at all (just short on time trying to meet a deadline).
I'll check out TinyCA (and the like) in the meantime, but actually do
hope to delve into the source and figure out those directives when I get
some time. I do appreciate your time and attention!!
On 09/28/2010 09:41 AM,
in my type of situation?
I at least know CA=True and keyUsage needs to include certSign (many
thanks to Patrick!)... but what, if anything, else?
Then, same for the end-user certificates... anything special there?
Thanks!
Chris
Sure.. but please excuse me as this is the first time posting on this
forum ~ post in plain text or does this system support attached files?
Patrick Patterson wrote:
Hi Chris:
Can you post the certificates in question? My guess is that you don't have the
various extensions set according
:name=basicConstraints, value=CA:True
What is the best way to include my file contents for you? (worried about
posting something a mile long)
Patrick Patterson wrote:
Hi Chris:
On 2010-09-22, at 4:13 PM, Chris Rider wrote:
For now, I've just copied the CA's public .crt file
/ scope... and when I generate my end user CSR, it has
its own config file / scope. I am, however, granting my CSR from within
the scope of my CA and its configuration. In other words, I'm
replicating a real world type situation -- or that is the hope!
Chris Rider wrote:
I think we're
of
installing in every browser I have. I agree with you about the latest
versions of MSIE and that stupid wizard they now use!
I'm pretty sure it something in my generating keys, rather than client
issues.
John R Pierce wrote:
On 09/22/10 11:57 AM, Chris Rider wrote:
We have a client/server
o, what am I missing?
--
Chris Rider,
Systems Architect
MessageNet Systems
chris.ri...@messagenetsystems.com
, what am I missing?
--
Chris Rider,
Systems Architect
MessageNet Systems
like the browser is hanging up on the
fact that the CA's certificate is self-signed. (??)
-Chris
Hugo Garza wrote:
Hi Chris, how are you installing the root CA on the client machines?
In windows once you double click the root certificate you get a
message dialog box and click the install
/Asn1Editor/
There's also a very neat online ASN.1 parser available here:
http://geminisecurity.com/parse.php
Regards,
Chris