BTW: I also need test signed certificates,
signed by the test CAs from the test site
you're about to tell me about :-)
cj
- Original Message -
From: Chris Jarshant
To: [EMAIL PROTECTED]
Sent: Monday, December 02, 2002 5:19 PM
Subject: ocsp2.valicert.net
be trusted, and any app that does so is broken.
cj
- Original Message -
From: Jason Haar [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, November 25, 2002 10:06 PM
Subject: Re: Combine certificates into chain
On Mon, Nov 25, 2002 at 01:00:18PM -0500, Chris Jarshant wrote:
Another
- Original Message -
From: Vadim Fedukovich [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, November 24, 2002 12:46 PM
Subject: Re: Converting own CA certificate to pkcs12
On Fri, Nov 22, 2002 at 01:50:37PM -0500, Chris Jarshant wrote:
You can't convert a public key
- Original Message -
From: Sebastian Lisken [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, November 22, 2002 11:45 AM
Subject: Combine certificates into chain
Hi, I have been issued a certificate by a CA. They make a
.pkcs12 file available with a password for the
As per my previous mail, I am writing code that, given a cert,
looks to see if it has an embedded OCSP Responder, in order
to try and validate the cert with the given Responder.
So, I am writing a routine that, given an X509 *cert, looks for
the OCSP Responder (all error checking omitted
Since PKCS12 is simply a container for keys and/or
certs, you can certainly craft a PKCS12 file with just
a single key or just a single cert in it.
Unfortunately the current openssl pkcs12 command enforces
a peculiar limitation that each PKCS12 file must have
at least one cert and one private key
, the data after what I ask for disappears.
Is this because what I am asking for isn't aligned on a record boundary ?
Chris
.
Thank you for any assistance.
-
chris
__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL
Which shows the -nd flag (and corresponding
API, PKCS7_set_detached()) has no effect. Anyone
know why? Is this a permanent change?
The preferred method for using PKCS#7 is the high level API or the smime
utility, the 'sign' utility is rather old and clunky.
I'll check to see if
No, but I'm about to for a large project I'm working on...
Will keep the group informed. I will be using the
programmatic APIs rather than the command line.
Hope it's better documented than the other openssl
APIs :-)
Bob Kupperstein wrote:
I'm interested in feedback about reliability,
.. It is not a generic, multi-purpose
compare routine. If anyone has one or knows of one please let me know!!
Chris Jarshant wrote:
Is there documentation (aside from looking at the header files) on how to
use things like STACK_OF(type) and the sk_*_find() functions?
Perhaps I'm going about it wrong
Erwann ABALEA wrote:
Probably a limitation of the actual browsers. But you might want to check
Mozilla 1.0, which seems to be able to save a bunch of private
key/certificate pairs at once. I haven't tested this functionality, but it
might be possible that there's only one output file, and
Chris Jarshant wrote:
Erwann ABALEA wrote:
Probably a limitation of the actual browsers. But you might want to check
Mozilla 1.0, which seems to be able to save a bunch of private
key/certificate pairs at once. I haven't tested this functionality, but it
might be possible
Erwann ABALEA wrote:
friendlyName, then look for their public key cert using that friendlyName,
then look for a corresponding private key using the friendlyName. If I
can't find a private key with that friendlyName, I use the localKeyID from
the public key cert to match. If there is
Is there documentation (aside from looking at the header files) on how to
use things like STACK_OF(type) and the sk_*_find() functions?
Perhaps I'm going about it wrong, but I can't figure it out.
Any help would be most appreciated. I'm trying to do this:
given a STACK_OF(PKCS12_SAFEBAG)
Then a global PKI protocol server needs to be invented so you can just get the
certs from the domain in question. i dont wanna see DNS system bogged down by
this stuff. IMHOOC!
use dns to get the IP and request from its IP the pki doc.. duh.
6/11/02 6:51:26 PM, Derek Atkins [EMAIL
?
If they are do I have to obtain new certificates et al?
I am therefore in need of guidance because I fear doing damage, but I have to
get this up and running.
Chris Lyon
independent ?
If they are do I have to obtain new certificates et al?
I am therefore in need of guidance because I fear doing damage, but I have to
get this up and running.
Chris Lyon
p.s. If this message is a repeat to the list please accept my apologies I
have posted but have not received it via
I know I posted this the other day, but if I ask for 60bytes, and there
is 200 in the buffer, why is SSL_read() removing it all ?
Chris
On Sun, 2002-05-19 at 13:23, Lutz Jaenicke wrote:
On Sun, May 19, 2002 at 10:11:20AM +0100, Chris Plant wrote:
I have established a connection (using SSL_accept), and sent and
received data over it, before the connection is dropped and the server
reports the error (using
openssl req -out CA.pem -new -x509
To sign the server cert
openssl x509 -req -in server.req -CA CA.pem -CAkey privkey.pem -CAserial
file.srl -out server.pem
Add:
-days 1825
in both command lines.
--
Chris Cleeland, cleeland_c @ ociweb.com, http://www.milodesigns.com/~chris
Principal
, or have
I misused SSL_peek() ?
Chris
the expiration date for an x509 certificate by reading the
output of
$ openssl x509 -text -in mycert.pem
Look for something like this:
Validity
Not Before: Mar 22 16:22:15 2002 GMT
Not After : Mar 22 16:22:15 2003 GMT
-cj
--
Chris Cleeland, cleeland_c @ ociweb.com, http
=40373dc3.0108131639.3b69c55d%40posting.google.com#link3
-cj
--
Chris Cleeland, cleeland_c @ ociweb.com, http://www.milodesigns.com/~chris
Principal Software Engineer, Object Computing, Inc., +1 314 579 0066
Support Me Supporting Cancer Survivors in Ride for the Roses 2002
Donate at http
On 30 Apr 2002, Eric Rescorla wrote:
Chris Cleeland [EMAIL PROTECTED] writes:
On Tue, 30 Apr 2002, Ed Moyle wrote:
Does anybody know if the wrong signature length problems in JSSE have been
fixed? Otherwise, I don't think this'll work, even if you code it
properly...
Check out
with separate licenses.
Thank you! I hadn't thought of that, and it sounds like fun too.
Sounds like this would be a great facility to stick into a contrib
directory...call it glen--Gnu Linkage ENabler?
--
Chris Cleeland, cleeland_c @ ociweb.com, http://www.milodesigns.com/~chris
Principal
a multitude of ways.
-cj
PS BTW, I cobbled together this knowledge from docs/openssl.txt and the
various manpages (req, x509, etc.)
--
Chris Cleeland, cleeland_c @ ociweb.com, http://www.milodesigns.com/~chris
Principal Software Engineer, Object Computing, Inc., +1 314 579 0066
Ah I was unclear.
As with many Unix programs there are very basic instructions.
I use the /lib because I don't know better. There are no written rules.
It was handy..I don't think it makes much difference, however I like
trying to do things correctly...
I really dislike the idea of
specify more than one
shared library oldpath:newpath, but each must be
preceded by the +cdp option.
Maybe this could get included in the next release of OpenSSL. ?
If you have questions, please let me know..
Thanks!
Chris
p.s. My entry for do_hpux-shared
# This assumes that GNU utilities
Hi,
I have been following the thread about having problems with building
OpenSSL under HPUX when creating shared libraries.
I am also having the same problem. I created them just fine under Linux
and Solaris 8. But HPUX 11.11 (11i) with either GCC 2.95.3 or HP's Ansi
C compiler, I have
be sending this email to a contact at HP to find out what's going
on.. anybody here have any thoughts on the matter?
Thanks for any thoughts or ideas.
Chris
--
I'm testing the certificate verification process,
mostly using code from ca.c and verify.c. I've been able to successfully
verify my server certificate against the store context that I've built
(X509_STORE_CTX_init(certVerifyCtx,certStore,OSMSServerCert,NULL);)
I wanted to test CRL
ok, thanks.
I did look at the EVP_EncryptInit man page, but the code I had there,
was loosely based on some code I found on the net, they probably had the
same problem.
Chris
[EMAIL PROTECTED]
On Wed, 2002-01-02 at 18:00, Juan Segarra wrote:
On 2 Jan 2002, Chris Plant wrote:
I've compiled the attached code, and it doesn't decrypt the text
correctly. If anyone could explain why to me, or point out a nice
tutorial about using these routines, it would be much appreciated
I've compiled the attached code, and it doesn't decrypt the text
correctly. If anyone could explain why to me, or point out a nice
tutorial about using these routines, it would be much appreciated.
ircd_malloc() is basically malloc() with memset().
Chris Plant
[EMAIL PROTECTED]
#ifndef
using openssl v0.9.6b on Win2K.
Thanks.
Chris Mollis
Lutz Jaenicke wrote:
Do we need to resort to a verify callback to permit an 0.9.6b server to
accept server certs from the client?
Yes. You can globally set the purpose to be checked for, but this is
only possible before the handshake is started (SSL_set_purpose()).
This is however a
We're porting some (previously) working code from an ancient version of
ssleay to openssl 0.9.6b (HPUX).
We're having a problem (apparently) with the server-side of a
client-server application, both ends using openssl 0.9.6b.
We're using locally generated certificates (Entrust PKI) for both the
with respect to this problem.
Thanks for following up on this.
-- Chris
* 2BEFF - 6159F8795207C11108201
Square test failed!
1
Any ideas?
--
Chris Adams [EMAIL PROTECTED]
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble
Try this: ln -s /usr/local/ssl/bin/c_rehash /usr/local/bin/c_rehash
(or wherever you want it to go in your path). You can say echo
$PATH to check your current PATH. Good luck.
--
chris ciotti
stereo-link (http://www.stereo-link.com)
Key fingerprint = B4B1 2888 6808 64FF 87FB D635 A483
libcrypto.so libcrypto.so.1
Hope this helps
Regards,
Chris Lee
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 06, 2001 10:30 AM
To: [EMAIL PROTECTED]
Subject: libssl.so: undefined symbol: sk_X509_NAME_value
I have, for two days, been
I wrote about this a few days ago and have not yet been able to solve it;
I'd appreciate anybody's input...
See http://marc.theaimsgroup.com/?l=openssl-users&m=99922122232541&w=2 for
details.
Thanks!
pages but it is still unknown to me.
Chris
!
Chris Drumgoole
email administrator
CAEN, COE, Univ. of Michigan
q
/libraries/libldap'
make[1]: *** [all-common] Error 1
make[1]: Leaving directory `/usr/src/openldap-2.0.7/libraries'
make: *** [all-common] Error 1
What am I doing wrong? How can I fix it?
Many thanks in advance.
---
Regards,
Chris Lee
I'm trying to do a modification of the /demos/sign/sign.c code.
I had it working, but have managed to mess up my certificates/keys and
can't seem to re-create ones that will function.
1) what I'd _like_ to do is generate an RSA private/public key pair and
then read them in directly, without
Does anybody know why this should happen??
I have two identical Dell servers, both exactly the same spec, dual pentium 667 with
512MB ram, Linux6.2. I have successfully
compiled and tested openssl-0.9.6 on one machine
However when I compile it on the second and run
make test
the tests
I have two identical Dell servers, both exactly the same spec, dual pentium 667 with
512MB ram, Linux6.2. I have successfully
compiled and tested openssl-0.9.6 on one machine
However when I compile it on the second and run
make test
the test also hangs and when I look at top
the %CPU
don't the difference. Perhaps
someone who knows the difference and what these flags mean can
explain.
Of course, now apache doesn't want to build with it but that's a
problem for tomorrow.
--
Chris
. They said that RSA may try to
claim the algorithm is covered by other patents. I personally don't know
one way or the other. That said though, if I had to make a decision one
way or the other regarding this issue, I'd be sure to talk to lawyers
first.
--Chris
Uhmmm? You're not thinking of the MultiPrime thingy, are you?
Nope, those are Compaq's patents as far as I know.
--Chris
. The only thing I can tell you from here is run your code under
Purify and see what it says. It's certainly possible that there may be
stack or heap corruption at some point. If there is a bug in OpenSSL, it
may show up in there as well.
--Chris
the threads a different way and see if your
problem disappears.
The only other thing I see that could be causing problems is the char
buffer that you use for ERR_error_string(), although you'd pick that up
pretty quick if it were overflowing.
--Chris
handshake interrupt[Hint:
Usually just one of those OpenSSL confusions!?]
I would appreciate ANY help anyone can offer as this is currently
crashing an important production server on a regular basis. Thanks for your
help.
Chris Smith
Programmer
- Nietzsche
MD5 is a checksum (message digest) function. Why would you think
it takes a key? HMAC-MD5 is a keyed MAC, but it's unclear what it
is you want. Could you be a little more vague?
"There's no need to be a jerk when someone asks a q
('.oids.oid','r')344:error:2006D002:BIO
routines:BIO_new_file:system lib:tmp32dll\bss_file.c:105:
344:error:0906D06C:PEM routines:PEM_read_bio:no
start line:.\crypto\pem\pem_lib.c:566:error in req
Can anyone offer any assistance on
this?
Chris
If you remove the password encryption on your
private
KET;goto Error;}else
{m_DebugLog.lfputs( "Success:
SSL_CTX_use_PrivateKey_file()" );}
Thanks,
Chris
Hi,
I have just setup OpenSSL and I am looking for some help. I have looked
at the page and looked on the web and I have not found much support to
date. I was wondering if there was maybe a more complete FAQ than what
is available.
On 09/16/99, David Murphy said:
Chris - I have to admit I really don't know.. We are starting out with
OpenSSL and have been advised that the SSL_DHE_DSS.. cipher suites are free
of patents and should therefore use them rather than RSA suites. We were
also told that the 'ephemeral' would be best
I am trying to find out what the fingerprint is to my cert. If I open it up
in windows, a "thumbprint" is listed. Is this the same thing as a
fingerprint?
Is there a way (that I have missed) to get the fingerprint using the OpenSSL
utility?
Sorry about the newbie question, but I have searched
I am currently having this same problem. Were you able to find a
resolution?
I'm using an NT build, following the Verisign CSR
instructions, and am stuck at the "unable to find
'distinguished_name'" error below.
I have generated CSRs for Verisign with OpenSSL from a Unix
build before
Running Linux 2.0.36, Apache 1.3.6, Openssl 0.9.3, Mod_ssl 2.3.0.
My server is up and running and seems to work fine in secure mode without a client cert.
But every time I create and install a client cert in netscape 4.06 I get a
"received bad data from server" message; the server log has the following.
[Thu
As Tri Phan once put it:
I'm using openSSL-0.9.1c's EVP_BytesToKey to generate a DES
encryption key for EVP_des_cbc() and EVP_des_ede3_ofb(). I can run
my application successfully as an NT application, NSAPI DLL within
NES 3.6.1 (on NT), Sun Solaris application, or Sun Solaris shared
object
ive though. The package should work fine under any OS
that nCipher supports.
--Chris
guess I can live with that.. :)
Therefore, just add 'no-asm' to the ./configure command for now.
like './configure gcc no-asm' ?
Thanks
Chris
__
Pournelle's Law:
If you do not know what you
?
My apologies if this is a 'pain in the butt' newbie question. I am
reasonably installing from source code (optimizing and so forth) but
have had minimal experience with diffs (and have little docs about
them)..
Your help is greatly appreciated.
Thanks
Chris