parsing invalid DER

2022-09-01 Thread Dave Coombs via openssl-users
. Thanks, -Dave

Re: Symbols X509_set_notAfter and X509_set_notBefore are missing

2021-04-10 Thread Dave Coombs
Is there a chance you're compiling using the 1.0.2 headers but linking against 1.1.1? -D. On Fri, 2021-04-09 at 20:48 +, Robert Smith via openssl-users wrote: > Unfortunately I am unable to link: > > ../bin/arm_release/libAppcrypt.a(Certificate.o): In function >

Re: Help with certificatePolicies section

2020-04-07 Thread Dave Coombs
.1 = http://cps.groupesti.com [Cert_other_policy_server] policyIdentifier = GroupeSTIDevice Good luck, -Dave > On Apr 7, 2020, at 11:57, Richard Simard wrote: > > Libor Chocholaty > > openssl ca -config etc/intermediate.cnf -extensions server_cert -days 1825 >

Re: sk_X509_OBJECT_num()

2019-11-13 Thread Dave Coombs
Hi, They're macros, defined in SKM_DEFINE_STACK_OF() in safestack.h. If you DEFINE_STACK_OF(Foo), you'll automatically end up with a sk_Foo_num() macro. Cheers, -Dave > On Nov 13, 2019, at 12:20, Jason Schultz wrote: > > Hello- > > I am updating my Linux application fro

Re: i2d_X509_REQ() -> d2i_X509_REQ() = asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287

2019-03-18 Thread Dave Coombs
ode a given X509_REQ's X509_REQ_INFO for you.) Good luck, -Dave

Re: [openssl-users] Engine NID_sha512

2018-11-19 Thread Dave Coombs
*nids = > supported_nids; > return 2; > } I think this should be "return 3", to reflect the number of NIDs you're implementing support for. -Dave

Re: [openssl-users] BIO_printf with ASN1_BIT_STRING and ASN1_INTEGER?

2018-10-16 Thread Dave Coombs
, as far as I know. -Dave > On Oct 16, 2018, at 10:32, Opa114 wrote: > > Hi, > > thanks for this - what about the ASN1_BIT_STRING? Is there such a predefined > function? > > From: openssl-users <mailto:openssl-users-boun...@openssl.org>> on behalf of Dave Coo

Re: [openssl-users] BIO_printf with ASN1_BIT_STRING and ASN1_INTEGER?

2018-10-16 Thread Dave Coombs
Hi, You can use i2a_ASN1_INTEGER() to print an ASN1_INTEGER to a BIO. -Dave > On Oct 16, 2018, at 05:37, Opa114 wrote: > > Hi there, > > i have to print out some data, which is an ASN1_BIT_STRING and an > ASN1_INTEGER with BIO_printf. For GENERAL_NAME for example

Re: [openssl-users] SSL_get_peer_certificate returns NULL in client_cert_cb after upgrade to openssl 1.1.1

2018-10-11 Thread Dave Wang
Hi Matt, this makes sense. As if I disable TLS1.3, the issue is gone. Thanks for your help. Regards, Dave On Thu, Oct 11, 2018 at 2:36 AM Matt Caswell wrote: > I opened this issue to track this problem: > > https://github.com/openssl/openssl/issues/7384 > > Matt > > >

[openssl-users] SSL_get_peer_certificate returns NULL in client_cert_cb after upgrade to openssl 1.1.1

2018-10-10 Thread Dave Wang
SSL_get_peer_certificate, it returns NULL, which is different from openssl 1.1.0h. I do set SSL_VERIFY_PEER on both sides. Any thoughts on this? Regards, Dave -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] SubjectAltName syntax in openssl.cnf

2018-10-02 Thread Dave Coombs
Hello, That syntax looks correct, yes. It belongs in the [section] name you are passing to the "-extensions" argument on the "openssl ca" command when issuing the certificate. I hope this helps. -Dave > On Oct 2, 2018, at 05:47, DUPALUT, Benjamin wrote: >

Re: [openssl-users] An example issuing an intermediate CA with policy mappings?

2018-09-26 Thread Dave Coombs
] issuerOID = subjectOID And if you want to map more than one subject domain policy OID to the same issuer domain policy OID, you can use issuerOID.0, issuerOID.1, issuerOID.2, etc, to differentiate them in the policy_mappings section. Good luck, -Dave

Re: [openssl-users] I need help to implement triple des algorithm with openssl

2018-06-16 Thread Dave Coombs
e3 which is two-key 3DES in ECB, so no need. -Dave > Thank you! > > > > On Fri, Jun 15, 2018 at 10:53, Matt Caswell (m...@openssl.org > <mailto:m...@openssl.org>) wrote: > > > On 15/06/18 14:34, Fernando A wrote: > > Hi all, >

Re: [openssl-users] CSR verify failure

2018-03-26 Thread Dave Coombs
:sha256 15:d=2 hl=2 l= 0 prim: NULL 17:d=1 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:52FC16876E7015A17C401E1AE0830C74F6BB761B96564DF75EDD02ACF414BD5B As to how this *happened*, I'm afraid I've no idea. -Dave > On Mar 26, 2018, at 12:15, Felipe Gasper <fel...@felip

Re: [openssl-users] AES_unwrap_key returns 0

2018-01-05 Thread Dave Coombs
Hello, This is just a guess, but try AES_set_decrypt_key() before trying to unwrap? -Dave > On Jan 4, 2018, at 13:08, InMotion Man <inmoti...@gmail.com> wrote: > > Hello all, > I'm having trouble using the AES_unwrap_key function. I have tried different > things bu

Re: [openssl-users] Unclear docs -- request clarification on X509_STORE_add_cert

2018-01-02 Thread Dave Coombs
ow confirmed with a quick test program and valgrind. Oops, -Dave

Re: [openssl-users] Unclear docs -- request clarification on X509_STORE_add_cert

2018-01-02 Thread Dave Coombs
Hello, Looking at the code in x509_lu.c, X509_STORE_add_cert() takes ownership of your X509 *cc_cert -- you don't need to (and probably shouldn't) free it. Cheers, -Dave > On Jan 2, 2018, at 19:38, Karl Denninger <k...@denninger.net> wrote: > > Assume the following code snip

Re: [openssl-users] OpenSSL SHA algorithm

2017-12-26 Thread Dave Coombs
Hi, Wikipedia has some information. https://en.wikipedia.org/wiki/Secure_Hash_Algorithms What is produced by "dgst -sha" is what the above link is calling SHA-0 (originally just called SHA). All the best, -Dave > On Dec 25, 2017, at 22:44, Swapnil Deshpande &l

Re: [openssl-users] Example code to add several CRL distribution points

2017-11-23 Thread Dave Coombs
fore, you can do this multiple times and add additional DIST_POINTs. Good luck, -Dave > On Nov 23, 2017, at 03:54, Dirk Menstermann <noadsple...@web.de> wrote: > Thanks Dave, > > It seems that I do something wrong when filling the STACK_OF(DIST_POINT): >

Re: [openssl-users] Example code to add several CRL distribution points

2017-11-22 Thread Dave Coombs
Hi, You can use X509V3_EXT_i2d(NID_crl_distribution_points, critical, sk) where sk is a STACK_OF(DIST_POINT) that you have previously filled with multiple URIs. Cheers, -Dave > On Nov 22, 2017, at 06:58, Dirk Menstermann <noadsple...@web.de> wrote: > Hi, > > can anybody

Re: [openssl-users] How to parse DER encoded x509 attributes?

2017-11-20 Thread Dave Coombs
the best, -Dave > On Nov 20, 2017, at 09:03, Libor Chocholaty <o...@mts.cz> wrote: > Hello, > > thanks a lot. Works nice. Just it is interesting that I get X509_ATTRIBUTEs > what should be a SEQUENCE but need to parse as SET. > > And to free the memory: > &

Re: [openssl-users] How to parse DER encoded x509 attributes?

2017-11-15 Thread Dave Coombs
) ASN1_ITEM_TEMPLATE_END(SEQ_X509_ATTRIBUTE) IMPLEMENT_ASN1_FUNCTIONS(SEQ_X509_ATTRIBUTE) Now your type has its own d2i and i2d functions, and you can use them: STACK_OF(X509_ATTRIBUTE) *attrs = d2i_SEQ_X509_ATTRIBUTE(NULL, , length); Cheers, -Dave > On Nov 15, 2017, at 07:26, Li

Re: [openssl-users] Verifying a timestamp signed using a cert issued by a sub CA (intermediate)

2017-11-14 Thread Dave Coombs
Hi Marcus, Try giving -CAfile a concatenated file with both CA certificates inside. hulk:/tmp $ cat DSS* > chain.pem hulk:/tmp $ openssl ts -verify -in /tmp/out10.tsp -queryfile /tmp/out10.tsq -CAfile chain.pem Verification: OK Cheers, -Dave > On Nov 14, 2017, at 02:30, Marcus Lu

Re: [openssl-users] OCSP_BASICRESP_verify() in 1.1.0

2017-11-01 Thread Dave Coombs
X509_CRL_get0_signature(), >> CMS_SignerInfo_get0_algs()) provide a way to get any combination of bit >> string, algorithm, and signer cert. > > Kind of like https://github.com/openssl/openssl/pull/4573 ? Quite a lot like that, yes. Neat. Is there any chance this might be inclu

Re: [openssl-users] OCSP_BASICRESP_verify() in 1.1.0

2017-10-31 Thread Dave Coombs
the bit string. Comparable functions in other modules (eg: X509_get0_signature(), X509_REQ_get0_signature(), X509_CRL_get0_signature(), CMS_SignerInfo_get0_algs()) provide a way to get any combination of bit string, algorithm, and signer cert. Cheers, -Dave

Re: [openssl-users] OCSP_BASICRESP_verify() in 1.1.0

2017-10-31 Thread Dave Coombs
oo bad. The alternative would be to change the OCSP_BASICRESP_verify() macro into an externally available function, and then both it and OCSP_basic_verify() could call the former macro, suitably renamed and internally scoped. Clearly I'd be happy with that, though I understand if you don't want to go that

[openssl-users] OCSP_BASICRESP_verify() in 1.1.0

2017-10-31 Thread Dave Coombs
(the code in question is *part of* our own path-validation routine), or might there be some other way? Either way, I hereby report you've got a few macros in a public header that can't possibly work as things stand. :-) Thanks, -Dave

Re: [openssl-users] documentation for 1.1.0

2017-09-15 Thread Dave Serls
-- * Dave Serls Littleton, CO, USA * * dashs.denv

[openssl-users] Compatibility of OpenSSL (Debian)

2017-09-15 Thread Dave Serls
A file DES3 encrypted here by OpenSSL 1.0.1t 3 May 2016 (Debian 7 or earlier version) is not accessible by OpenSSL 1.1.0f 25 May 2017 (Debian 9). Is this expected behavior? -- * Dave Serls

[openssl-users] How to do AES-256-CBC encryption with EVP_CIPHER_CTX now opaque?

2016-11-25 Thread Dave Poirier
ing at to not require EVP_CIPHER_CTX variable declaration? Thanks! Dave Poirier skype: ekscrypto twitter: @ekscrypto facebook: /ekscrypto email: ekscry...@gmail.com All I need is a towel, everything else can be answered by 42.

Re: [openssl-users] The default cipher of executable 'openssl'

2015-06-19 Thread Dave Thompson
From: openssl-users On Behalf Of Viktor Dukhovni Sent: Friday, June 12, 2015 02:47 1) 1.0.1l ./apps/openssl s_server -ssl3 -cert certdb/ssl_server.pem -WWW -CAfile certdb/cafile.pem Using default temp DH parameters Using default temp ECDH parameters ACCEPT With SSL 3.0, no

Re: [openssl-users] The default cipher of executable 'openssl'

2015-06-11 Thread Dave Thompson
From: openssl-users On Behalf Of Aaron Sent: Wednesday, June 10, 2015 03:47 We are using executable 'apps/openssl' in our test cases. We upgraded from OpenSSL 1.0.1l to OpenSSL 1.0.2a recently. Since then one of our test cases started to fail. After checking, I noticed that the default

Re: [openssl-users] [openssl-dev] Is there openssl API to verify certificate content is DER or PEM format ?

2015-06-11 Thread Dave Thompson
From: openssl-dev On Behalf Of Nayna Jain Sent: Wednesday, June 10, 2015 20:31 If I have a pem file with private key in that, how do I check if that is RSA/DSA ? If it uses a legacy format, the BEGIN line specifies the algorithm -----BEGIN RSA PRIVATE KEY----- -----BEGIN DSA PRIVATE KEY-----

Re: [openssl-users] Testing OpenSSL based solution

2015-05-13 Thread Dave Thompson
From: openssl-users On Behalf Of Marcus Vinicius do Nascimento Sent: Tuesday, May 12, 2015 16:50 I did some quick research and found this: http://en.wikipedia.org/wiki/Digital_Signature_Algorithm If my understanding is correct, the public key is (p, q, g, y). You might want to look at the

Re: [openssl-users] PEM_read_bio_PrivateKey(..) or PEM_read_bio_RSAPrivateKey(..) both returns NULL

2015-05-02 Thread Dave Thompson
From: openssl-users On Behalf Of Nayna Jain Sent: Friday, May 01, 2015 22:37 I have a privatekey file written using the call PEM_write_bio_RSAPrivateKey(...) The file write operation has been successful. Do you mean the PEM_write_ returned 1, or do you mean the file contains correct (or at

Re: [openssl-users] SHA256() to EVP_* ?

2015-04-30 Thread Dave Thompson
From: openssl-users On Behalf Of jonetsu Sent: Wednesday, April 29, 2015 10:07 snip The man page (the one online from OpenSSL project - SHA256.html) gives a description using SHA1() which computes a message digest. Note this is the same page for

Re: [openssl-users] Error signing document

2015-04-30 Thread Dave Thompson
From: openssl-users On Behalf Of m.de.groot Sent: Thursday, April 30, 2015 14:46 I converted the pfx file to a pem file using the following command openssl pkcs12 -in CustKeyIcBD001.pfx -out CustKeyIcBD001.pem -nodes After this I trying to sign a file using this key with the following

Re: [openssl-users] SHA256() to EVP_* ?

2015-04-28 Thread Dave Thompson
From: openssl-users On Behalf Of jonetsu Sent: Tuesday, April 28, 2015 13:53 What would be the equivalent of the SHA256() function in the EVP class of methods ? EVP_sha256() could be it, although from the short description in manual page it does not seemingly fit in, returning a EVP_MD

Re: [openssl-users] How to disable all EXPORT Ciphers?

2015-03-10 Thread Dave Thompson
From: openssl-users On Behalf Of Viktor Dukhovni Sent: Monday, March 09, 2015 12:47 On Mon, Mar 09, 2015 at 02:23:53PM +0530, Deepak wrote: kEDH:ALL:!ADH:!DES:!LOW:!EXPORT:+SSLv2:@STRENGTH with SSL_CTX_set_cipher_list() be good enough to disable EXPORT40, 56 and 1024? You only need

Re: [openssl-users] Openssl upgrade

2015-03-05 Thread dave nirav
Hi Victor, I am getting following error while verifying the certificate: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm ,handle_error PKCS7_verify call is getting failed. I have attached the certificate. Thanks, Nirav Dave On Wednesday, March 4

[openssl-users] Fw: Openssl upgrade

2015-03-05 Thread dave nirav
On Thursday, March 5, 2015 4:51 PM, postmas...@disney.com postmas...@disney.com wrote: 550 5.1.2 ... Message Not delivered due to restricted attachment ***  NOTICE  ***    ***  NOTICE  ***    ***  NOTICE  ***    ***  NOTICE ***    The message you sent: RECIPIENT(s): 

[openssl-users] Openssl upgrade

2015-03-03 Thread dave nirav
facing unknown digest error from ASN1 while verifying certificate from client using PKCS7_verify. Thanks, Nirav Dave

Re: [openssl-users] Max size on ASN1_item_d2i_bio()?

2015-02-21 Thread Dave Thompson
From: openssl-users On Behalf Of Dr. Stephen Henson Sent: Friday, February 20, 2015 17:24 On Fri, Feb 20, 2015, Nathaniel McCallum wrote: I'd like to use ASN1_item_d2i_bio() (or something similar) to parse an incoming message. However, given that types like ASN1_OCTET_STRING have

Re: [openssl-users] genpkey usage for openssl-1.0.1k on openSUSE-13.2

2015-02-19 Thread Dave Thompson
From: openssl-users On Behalf Of open...@lists.killian.com Sent: Wednesday, February 18, 2015 13:26 I noticed that openssl(1) says that various things have been superseded by genpkey, so I tried changing my scripts to use it. It works fine for RSA, but the man page is not very helpful on EC.

Re: [openssl-users] i2d and d2i fucntions

2015-02-16 Thread Dave Thompson
From: openssl-users On Behalf Of Rajeswari K Sent: Monday, February 16, 2015 03:05 Our current signature and verification logics are working just fine with TLS1.0 and TLS1.1 for ECDHE_ECDSA cipher suite. But, when tested the same cipher suite with TLS1.2, SSL handshake always failing

Re: [openssl-users] i2d and d2i fucntions

2015-02-16 Thread Dave Thompson
From: openssl-users On Behalf Of Rajeswari K Sent: Friday, February 13, 2015 23:50 Hello Dave, Based on your input, have stopped calling i2d_ECDSA_SIG() and used BN_bn2bin() to overcome the der headers. And now, my verification is working fine. ECDSA_verify in ecs_vrf.c only uses i2d

Re: [openssl-users] i2d and d2i fucntions

2015-02-13 Thread Dave Thompson
From: openssl-users On Behalf Of Rajeswari K Sent: Friday, February 13, 2015 09:48 snip As part of [ECDSA] signature verification, we first take lenght_of_signature received and compare with double the size of number_of_bytes from curve parameter. Have converted the ECDSA_SIG to unsigned

Re: [openssl-users] i2d and d2i fucntions

2015-02-12 Thread Dave Thompson
From: openssl-users On Behalf Of Rajeswari K Sent: Thursday, February 12, 2015 00:40 I have a query on d2i_PUBKEY() and i2d_PUBKEY(). i have a EC public key in form of character buffer. Have inputted this character buffer to d2i_PUBKEY() and got EVP_PKEY format EC key. To be exact, a

Re: [openssl-users] OpenSSL 1.0.1l: X509_NAME_add_entry_by_txt broken?

2015-02-11 Thread Dave Thompson
From: openssl-users On Behalf Of Jörg Eyring Sent: Wednesday, February 11, 2015 03:44 I'm generating a certificate request and the necessary entries are added with: ... if(!X509_NAME_add_entry_by_txt(subj,C, MBSTRING_ASC, (unsigned char *) CountryName,-1,-1,0)) snip

Re: [openssl-users] How to load local certificate folder on windows

2015-02-06 Thread Dave Thompson
From: openssl-users On Behalf Of Jerry OELoo Sent: Wednesday, February 04, 2015 21:54 I am using openssl 1.0.2 on windows 7 OS. I have put some root certificate files into a folder certs. when I using X509_STORE_load_locations() to load this folder into store, it returns 1 means success,

Re: [openssl-users] ECDHE-ECDSA certificate returning with no shared cipher error

2015-02-04 Thread Dave Thompson
From: openssl-users On Behalf Of Rajeswari K Sent: Monday, February 02, 2015 22:17 Thanks for responding. Following is the output printed by openssl ./openssl req -in csr.csr -noout -text snip Subject Public Key Info: Public Key Algorithm: id-ecPublicKey

Re: [openssl-users] ECDHE-ECDSA certificate returning with no shared cipher error

2015-02-02 Thread Dave Thompson
From: openssl-users On Behalf Of Rajeswari K Sent: Sunday, February 01, 2015 21:18 Am facing an issue of no shared cipher error during SSL Handshake, when tried to negotiate ECDHE cipher suite. snip *Feb 2 01:00:47.894: SSL_accept:error in SSLv3 read client hello C *Feb 2 01:00:47.894:

[openssl-users] IPv6 and OpenSSL at the BIO level -- should it work?

2015-01-29 Thread mclellan, dave
and sockaddr format, and then uses the right BIO calls, it should work. We do our own name/address handling and don't use BIO in my application so I have never studied how to do it there. Thanks for your advice Dave +-+-+-+-+-+-+-+-+- Dave McLellan, Enterprise Storage Software Engineering, EMC

Re: [openssl-users] IPv6 and OpenSSL at the BIO level -- should it work?

2015-01-29 Thread mclellan, dave
Hi Rich. Excellent. That's exactly what I thought. Thank you very much. Dave +-+-+-+-+-+-+-+-+- Dave McLellan, Enterprise Storage Software Engineering, EMC Corporation, 176 South St. Mail Stop 176-V1 1/P-36, Hopkinton, MA 01749 Office:508-249-1257, FAX: 508-497-8027, Mobile: 978

Re: [openssl-users] Intermediate certificates

2015-01-27 Thread Dave Thompson
From: openssl-users On Behalf Of Kurt Roeckx Sent: Tuesday, January 27, 2015 17:14 On Tue, Jan 27, 2015 at 11:42:51PM +0300, Serj wrote: snip What browsers do is cache the intermediate certificates. snip That's one possibility. Another is that it uses AuthorityInfoAccess to fetch the cert

Re: [openssl-users] missing default /usr/local/ssl/openssl.cnf causes failure on AIX, warning on all others

2015-01-23 Thread mclellan, dave
circumvented the issue. Thanks to all for all the interest in and traffic on this question. Dave +-+-+-+-+-+-+-+-+- Dave McLellan, Enterprise Storage Software Engineering, EMC Corporation, 176 South St. Mail Stop 176-V1 1/P-36, Hopkinton, MA 01749 Office:508-249-1257, FAX: 508-497-8027

Re: [openssl-users] missing default /usr/local/ssl/openssl.cnf causes failure on AIX, warning on all others

2015-01-22 Thread mclellan, dave
Thanks very much. Most appreciated. Dave +-+-+-+-+-+-+-+-+- Dave McLellan, Enterprise Storage Software Engineering, EMC Corporation, 176 South St. Mail Stop 176-V1 1/P-36, Hopkinton, MA 01749 Office:508-249-1257, FAX: 508-497-8027, Mobile: 978-500-2546, dave.mclel...@emc.com

[openssl-users] missing default /usr/local/ssl/openssl.cnf causes failure on AIX, warning on all others

2015-01-22 Thread mclellan, dave
on AIX? Thanks for any enlightenment shareable. Dave +-+-+-+-+-+-+-+-+- Dave McLellan, Enterprise Storage Software Engineering, EMC Corporation, 176 South St. Mail Stop 176-V1 1/P-36, Hopkinton, MA 01749 Office:508-249-1257, FAX: 508-497-8027, Mobile: 978-500-2546, dave.mclel...@emc.com

Re: [openssl-users] missing default /usr/local/ssl/openssl.cnf causes failure on AIX, warning on all others

2015-01-22 Thread mclellan, dave
Thank you Rich. The sentence you couldn't understand is my bad, s/b: In fact, on some, even non-AIX hosts, permissions would suggest that the permission error should be returned. Dave +-+-+-+-+-+-+-+-+- Dave McLellan, Enterprise Storage Software Engineering, EMC Corporation, 176

Re: [openssl-users] HMAC-MD5 OpenSSL 1.0.1e and FIPS 2.0.7

2015-01-21 Thread Dave Thompson
From: openssl-users On Behalf Of Dr. Stephen Henson Sent: Wednesday, January 21, 2015 09:28 On Wed, Jan 21, 2015, John Laundree wrote: Ok, so I will naively ask the question How does one do TLS 1.0/1.1 in FIPS mode? Or is this no longer allowed, i.e. TLS 1.2 only? The use of MD5 for

Re: [openssl-users] Read cer file failed

2015-01-20 Thread Dave Thompson
From: openssl-users On Behalf Of Jerry OELoo Sent: Tuesday, January 20, 2015 00:34 I am reading cer file into X509 object, http://SVRSecure-G3-aia.verisign.com/SVRSecureG3.cer cert = d2i_X509_fp(fp, NULL); it will return fail, as below Error: error:0D07207B:asn1 encoding

Re: [openssl-users] OpenSSL AES encryption using AES_* functions and EVP_* functions

2014-12-31 Thread Dave Thompson
From: openssl-users On Behalf Of Purushotham Nayak Sent: Wednesday, December 31, 2014 12:22 I have some data that was encrypted using the openssl (`AES_*`) functions. I want update this code to use the newer (EVP_*) functions which are FIPS compliant. But I should be able to decrypt data

Re: [openssl-users] Differences in openssl 0.9.8 and 1.0.1x for private pem key file

2014-12-30 Thread Dave Thompson
From: openssl-users On Behalf Of Jaya Nageswar Sent: Tuesday, December 30, 2014 02:36 ... the output [is] different between openssl 0.9.8 and 1.0.1x versions as the following methods are being used in the code flow for the method PEM_write_bio_PrivateKey. 1.0.1x -

Re: [openssl-users] can I parse PKCS8 file and decrypt it later?

2014-12-30 Thread Dave Thompson
From: openssl-users On Behalf Of Bear Giles Sent: Tuesday, December 30, 2014 16:53 I've been able to read and write most objects using both the PEM bio and i2d/d2i functions. I know I can write an encrypted PKCS8 file with PEM_write_bio_PKCS8PrivateKey(). How do I read encrypted PKCS8

Re: [openssl-users] Differences in openssl 0.9.8 and 1.0.1x for private pem key file

2014-12-22 Thread Dave Thompson
From: openssl-users On Behalf Of Jaya Nageswar Sent: Monday, December 22, 2014 05:51 In our application, we have been using openssl 0.9.8 and trying to move to openssl 1.0.1x as 0.9.8 is going to be EOS by December 2015. We have a sample application where we try to read a sample pem key

Re: [openssl-users] OpenSSL performance issue

2014-12-19 Thread Dave Thompson
From: openssl-users On Behalf Of Michael Wojcik Sent: Thursday, December 18, 2014 21:27 From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Kurt Roeckx Sent: Thursday, December 18, 2014 16:36 To: openssl-users@openssl.org Subject: Re: [openssl-users] OpenSSL

Re: [openssl-users] OpenSSL performance issue

2014-12-19 Thread Dave Thompson
From: openssl-users On Behalf Of Kurt Roeckx Sent: Thursday, December 18, 2014 16:36 On Fri, Dec 19, 2014 at 02:30:07AM +0530, Prabhat Puroshottam wrote: *** This is for *Client - Agent* *** [...]     Version

Re: [openssl-users] Strange SSL_read behavior: 1/N-1

2014-12-08 Thread Dave Thompson
From: openssl-users On Behalf Of Hooman Fazaeli Sent: Monday, December 08, 2014 09:36 1. The SSL_read in my http server app always reads the first byte of    http request, instead of the whole. To read the rest, I should do    further SSL_reads: snip    I have seen this pattern with firefox,

RE: OpenSSL performance issue

2014-12-04 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Prabhat Puroshottam Sent: Tuesday, December 02, 2014 07:04 We have a product which uses OpenSSL to connect and transfer application level data. There are two ways to connect, and get the application level data from *Agent* to *Client* 1.

RE: How to disallow openssl to pick up local openssl settings?

2014-12-04 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Jeffrey Walton Sent: Monday, December 01, 2014 16:18 (reordered) On Mon, Dec 1, 2014 at 3:47 PM, Tanel Lebedev tanel.lebe...@gmail.com wrote: I'm building and packaging OpenSSL as a third party library in my app. I also include a

RE: SSL alert number 51

2014-11-23 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills Sent: Friday, November 21, 2014 12:30 Thanks. I guess I may have to open a problem with IBM. The IBM documentation clearly lists a number of cipher suites (at they call them) that use SHA1 (including the one we (IBM+OpenSSL)

new c_rehash, was RE: differing outputs using cli utility and c interface

2014-11-20 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Malatesh Ankasapur Sent: Tuesday, November 18, 2014 23:17 Note: you should post a new topic as a new message, not a reply. subject fixed citrix receiver using the symbolic link .pem certificate so i did c_rehash for my certificate 1.

RE: Unable to sign a certificate: for Java codesigning

2014-11-20 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Joerg Schmitz Sent: Saturday, November 15, 2014 12:16 I hope you can help me. I'm about to sign jar-files with a self created certificate using OpenSSL. The jar-File contains an old Java-Applet which Java is blocking (as long as it is

RE: SSL alert number 51

2014-11-19 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills Sent: Wednesday, November 19, 2014 14:08 10280:error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error:.\ssl\s3_pkt.c:1275:SSL alert number 51 http://tools.ietf.org/html/rfc5246.html#section-7.2 decrypt_error

RE: openSSL equivalent of RSA/ECB/PKCS1Padding

2014-11-19 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Dan Si Atat Sent: Wednesday, November 19, 2014 14:32 I am trying to emulate in OpenSSL java encryption algorithm.   When using RSA_public_encrypt are there parameters to emulate any of these combinations of parameters in Java?

RE: Query regarding SSLv23 methods

2014-11-15 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Kyle Hamilton Sent: Friday, November 14, 2014 22:03 SSL_OP_* are bitmasks. SSL_CTX_set_options(conn->ssl_ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3); On 11/14/2014 12:37 AM, Vaghasiya, Nimesh wrote: conn->ssl_ctx =

RE: sign issue

2014-11-15 Thread Dave Thompson
Your questions are confused and I don’t have time to read through a lot of code, but: In OpenSSL, type RSA (typedef struct rsa_st) is used for both/all RSA keys. When you generate a new keypair, the RSA structure is filled with fields for both private key and public key. If you use the

Re: Openssl IPv6 Support

2014-11-05 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Marcus Meissner Sent: Wednesday, November 05, 2014 04:10 On Wed, Nov 05, 2014 at 08:28:40AM +, Mody, Darshan (Darshan) wrote: Hi, Does Openssl support IPv6 officially?. AFAIK the libssl and libcrypto libraries do not use sockets

RE: Why public key SHA1 is not same as Subject key Identifier

2014-11-05 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Jerry OELoo Sent: Wednesday, November 05, 2014 03:11 But when I go to www.google.com website, I find the leaf certificate and intermediate certificate is ok, but root CA certificate (GeoTrust Global CA) is not. snip Public Key SHA1:

RE: sign data and verify it

2014-11-05 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Amir Reda Sent: Wednesday, November 05, 2014 02:42 1- i generate rsa key pairs and try to print it in a pem file but when i open the file it was empty You never close or even flush the file. openssl uses C I/O and C I/O by default is

Re: The ascension of Matt Caswell

2014-11-05 Thread dave paxton
Thanks. I am still having issues with doing a debug. Mingw 32 with only code blocks still does not work. As best I can tell this thing is made to not look inside. Give me an idea on this. There is no way to tell how private keys are made. Dave On 11/4/2014 7:13 AM, Steve Marquess wrote: I

RE: certificate verification problem

2014-10-31 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of tho...@koeller.dyndns.org Sent: Thursday, October 30, 2014 14:50 I have... root_ca.pem ... self-signed ... issued host_ca.pem ... I would expect the two to form a valid chain. And indeed, verification succeeds: ... openssl verify -CAfile

RE: How to get https web site certificate public key

2014-10-30 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Jerry OELoo Sent: Tuesday, October 28, 2014 04:20 snip Now I use i2d_RSAPublicKey() to encode on RSA* from EVP_PKEY which will show same as [Chrome] One more thing, I find use i2d_RSAPublicKey() will be get same public between openssl API

RE: openssl SSL3 vulnerability

2014-10-27 Thread mclellan, dave
and TLSv1.1, and THEN try to connect with an old client (using 0.9.8r), I now get the ‘unknown protocol’ message I expect. Thanks to all who contributed to this thread. I hope Pradeep got the answer he needed (since he started this in the first place). Dave +-+-+-+-+-+-+-+-+- Dave McLellan

RE: openssl SSL3 vulnerability

2014-10-24 Thread mclellan, dave
with the options call coded as above. (server would be configured to refuse SSLv3) The only way I found to eliminate SSLv3 from negotiation was to insist on a cipher suite that is TLS only. But in that case, I get 'no shared cipher' during negotiation. Any advice is helpful. Thanks. Dave

RE: openssl SSL3 vulnerability

2014-10-24 Thread mclellan, dave
on customer’s compatibility needs. Thanks again. +-+-+-+-+-+-+-+-+- Dave McLellan, Enterprise Storage Software Engineering, EMC Corporation, 176 South St. Mail Stop 176-V1 1/P-36, Hopkinton, MA 01749 Office:508-249-1257, FAX: 508-497-8027, Mobile: 978-500-2546, dave.mclel

RE: openssl SSL3 vulnerability

2014-10-24 Thread mclellan, dave
: SSL_new() ssl_set_options (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3) Dave +-+-+-+-+-+-+-+-+- Dave McLellan, Enterprise Storage Software Engineering, EMC Corporation, 176 South St. Mail Stop 176-V1 1/P-36, Hopkinton, MA 01749 Office:508-249-1257, FAX: 508-497-8027, Mobile

RE: openssl SSL3 vulnerability

2014-10-24 Thread mclellan, dave
on this thread. Dave +-+-+-+-+-+-+-+-+- Dave McLellan, Enterprise Storage Software Engineering, EMC Corporation, 176 South St. Mail Stop 176-V1 1/P-36, Hopkinton, MA 01749 Office:508-249-1257, FAX: 508-497-8027, Mobile: 978-500-2546, dave.mclel...@emc.com +-+-+-+-+-+-+-+-+- From: owner-openssl-us

RE: openssl SSL3 vulnerability

2014-10-24 Thread mclellan, dave
SSLv3. +-+-+-+-+-+-+-+-+- Dave McLellan, Enterprise Storage Software Engineering, EMC Corporation, 176 South St. Mail Stop 176-V1 1/P-36, Hopkinton, MA 01749 Office:508-249-1257, FAX: 508-497-8027, Mobile: 978-500-2546, dave.mclel...@emc.com +-+-+-+-+-+-+-+-+- -Original Message

RE: Know Extended Key Usage

2014-10-13 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Lewis Rosenthal Sent: Wednesday, October 08, 2014 10:57 Actually, Jakob, I think it's the second one (the first one after the pipe) which can come out, i.e.: Yes. openssl s_client -showcerts -connect google.com:443 \ /dev/null | openssl

RE: Openssl err 18

2014-10-07 Thread Dave Thompson
verify status 18 (not strictly an openssl error) means that you (usually as a client) received a cert chain (usually from the server) with a root cert that is not in your truststore. Yes, this is a slightly confusing error description for this case. If the root cert used should be

RE: Certificate chain

2014-10-02 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of salih ahi Sent: Thursday, October 02, 2014 04:03 I wrote an openssl server, which uses an on-the-fly created certificate and signs it with the private key of another already created self-signed certificate file. I am adding them both to

RE: Generate DH parameters on the fly

2014-09-26 Thread Dave Thompson
(Sorry, got stuck in my outbox and I didn't notice for a while) From: owner-openssl-us...@openssl.org On Behalf Of Marco Bambini Sent: Monday, September 22, 2014 02:44 Thanks a lot for the explanation, so instead of generating new parameters on the fly I could just create them once and then

RE: Change in default behavior from 1.0.1g to 1.0.1h: string global_mask

2014-09-20 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Andy Schmidt Sent: Wednesday, September 17, 2014 18:28 I just tracked down an obscure bug in our certificate authentication code to a change in the global mask for ASN.1 strings in crypto/asn1/a_strnid.c.

RE: Generate DH parameters on the fly

2014-09-20 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Marco Bambini Sent: Friday, September 19, 2014 12:04 my server needs to accept DHE ciphers from clients so I think I would need to be able to load static dh512.pem, dh1024.pem, dh2048.pem and dh4096.pem certificates on server side. In order

RE: TLS handshake error : No shared cipher (SSL error 40)

2014-09-17 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Francis GASCHET Sent: Wednesday, September 17, 2014 13:35 We use openSSL in OFTP2 implementation. The OFTP2 working group decided to strongly recommend to use preferably the cipher suites including PFS (ephemeral Diffie Hellman). snip To

RE: Certificate pass phrase brute force...

2014-09-16 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Gregory Sloop Sent: Monday, September 15, 2014 22:50 And, one more question: How can I tell what format/encryption my pkcs12 files are in? [I believe for Android platform use, I need p12 certs/keys - so I'm working on the

RE: cannot read PEM key file - no start line

2014-09-13 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Dave Thompson Sent: Friday, September 12, 2014 04:31 *If* you are now using a legacy-format encrypted private-key (and your original error message suggested you might need some form of private key, which does necessarily mean legacy
