-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Donald Beck wrote:
| I am a bit new to this, so I need a little help.
|
| I created my own CA using openssl and I just want to make sure I have
| this right. I imported my signed certificate on my server from the
| request I created from my server.
skar karthikeyan wrote:
| My requirements are (again):
|
| 1) Content should be encrypted only on the server. And public key must
| stay only on the server. No other person should have access to the
| public key.
| 2) Private key on the client machine
roxaz wrote:
| Hey, EVP_DecryptFinal returns 0 for me, but no data is returned to the
| supplied output buffer, and the returned data length is set to 0. What could
| be the issue? bdec receives some correct data though.
|
| u32 szbdec = 0;
|
vishal saraswat wrote:
| Hi all,
Hello vishal,
| I am sorry, I forgot to tell you that the final PEM I create is composed
| of key and certificate both.
|
| cat server_key.pem server server_cert.pem server.pem
| Now I suppose that one a client is
vishal saraswat wrote:
| Hi Serge,
Hello vishal,
| I use the following commands to start the server and the client :
|
| Server:
| openssl s_server -accept /port number/ -cert /certificate I create/
You do know that the server needs the private
Serge Fonville wrote:
| Hi,
Hello Serge,
| I am trying to set up subjectAltNames in openssl.cnf
| I created a copy of usr_cert and named it srv_cert
| in this section I added the subjectAltName.
| With the req I specified -reqopts srv_cert the
deblarinteln wrote:
| Hi Goetz,
Hello deblarinteln,
| | It is called subjectAltName extension.
|
| would you mind telling me how and where I have to define the AltName(s) ?
There is the man page x509v3_config.
It should contain the info you need.
A
deblarinteln wrote:
| Hi,
|
| well I have to create a certificate for our main domain as well as for some
| subdomains.
|
| The structure will look pretty much like this:
|
| mydomain.tld
| mail.mydomain.tld
| owa.mydomain.tld
It is called
, owa.mydomain.tdl)
you use the subjectAltName extension.
Wildcard certificates (*.mydomain.tld) are AFAIK deprecated.
| 2009/8/12 Goetz Babin-Ebell go...@shomitefo.de
|
| deblarinteln wrote:
| | Hi,
| |
| | well I have to create a certificate for our main domain as well
vichy wrote:
| Dear all:
| I try to use d2i_PrivateKey_bio to get the RSA keys in a der file, but
| the binary content is written in an unsigned char array.
| I know I can write the unsigned char array as a file and then read it in.
| But I want to
vichy wrote:
| Hi:
|
| 2009/8/9, Goetz Babin-Ebell go...@shomitefo.de:
| vichy wrote:
| | Dear all:
| | I try to use d2i_PrivateKey_bio to get the RSA keys in a der file, but
| | the binary content is written in an unsigned char array.
| | I
openssl-us...@coreland.ath.cx wrote:
| Hello.
Hello xw,
| I'm considering writing a server program (which provides mostly
| hypothetical services, for the purpose of this discussion). The server
| requires users to register an account on the server
dan_mit...@ymp.gov wrote:
| What is to prevent someone from forging a root CA and then creating
| intermediate certificates signed with SHA1, based on the forged root CA?
Nothing.
Now his problem is to get the users to include it into their list
of
Shaun R. wrote:
| OK, I converted over to EVP_*, the sign/verify works but now I'm
| confused about decrypt. For EVP_DecryptInit I need to tell it a CIPHER
| but I don't see RSA in the cipher listings on
|
Shaun wrote:
| Ok, so then, do I still need to sign the data from seal and verify
| before I open?
Sign and verify are two different steps.
When you do sign and when encrypt depends on your needs.
Goetz
- --
DMCA: The greed of the few outweighs
Shaun wrote:
| Is there another way in C to use openssl's sign/verify/encrypt/decrypt
| without using the low-level api? I got my test prog working, I guess
| I need to figure out how to do a SHA1 hash of my data next.
Your friends are
* to sign:
Shaun wrote:
| I'm really going to be using php to encrypt/sign (
| openssl_private_encrypt(), openssl_sign() ) I don't see any EVP functions
| from php,
Hm. There must be something wrong here.
I'm almost sure that the EVP interface is available to
Aravinda babu wrote:
| Hi,
|
| Is there any openssl API to know this? I have to use it in a C program.
Look into the data.
If it is a DER encoded X509 cert,
the first 3 bytes are 0x30,0x82,0x05
Goetz
- --
DMCA: The greed of the few outweighs the
Dan Ribe wrote:
| Thanks Tom for the help.
Hello Dan,
|
| It seems that there is some problem with the private key which I am
| passing. With your key or newly generated key this logic works fine. Now
| the error which I am getting is like :
|
|
Peter Walker wrote:
| But the peer uses RSA_PKCS1_PADDING. Is this interchangeable with OAEP?
No, it is not.
Without further information it is impossible to tell what these 16 bytes
are.
It could be some kind of ASN1 coding indicating that the
biswatosh chakraborty wrote:
| I don't think so. The actual content is wrapped within the headers and
| footers, and how can your buffer contain them as well? You have to extract
| the main content out.
Why do you think that can't be done ?
everything
Dan Ribe wrote:
| I am using the private key just to authenticate the client. Once server
| has authenticated the client (by using the public key of client), it
| will give access to that client. So I will say that in this case users
| of my client
thejokester wrote:
| Hi everybody,
Hello Jokester,
| I would like to know if it's normal to be able to sign a certificate with
| one which has anti-signing rules: I mean basicConstraints = CA:false.
| Could you enlighten me?
Signing doesn't
Kenneth Goldman wrote:
| The decision in the case of OpenSSL was that 1.x would have a stable API,
| permitting shared libraries to be used interchangeably. OpenSSL does not
| have a stable API yet, officially.
|
| If that's the rationale, I
Dhaval Thakar wrote:
| Hi list,
Hello Dhaval,
| I have a hosted site over the internet for the branch users, which I want to
| restrict over the internet,
| e.g. only certain computers will be allowed to access the site.
| I want to restrict it to only branch
[EMAIL PROTECTED] wrote:
| (sorry that previous one looked so terrible. Here it is with plain text)
|
| Can a single OpenSSL context support both 1024-bit and 2048-bit RSA at
| the same time? For example, if a client device has both 1024-bit and
|
Sergio wrote:
| I think so and you're right. Signing a client cert with a server cert is
| inefficient and all my problems would solve themselves if radius had ocsp
| support.
The missing support for OCSP is not your problem.
Your problem is the broken
Sergio wrote:
| Hi people,
Hello Sergio,
| client.pem is signed by
| server.pem, and server.pem is signed by ca.pem.
It is a bad bad idea to sign a client certificate with
a server certificate.
Usually server certificates don't have the
Gerhard Gappmeier wrote:
| Thanks for that tip.
|
| It works now this way:
|
| UaPkiCertificateInfo UaPkiCertificate::info() const
| {
[...]
| switch ( pName->type )
| {
| case GEN_OTHERNAME:
|
Gerhard Gappmeier wrote:
| Hi,
Hello Gerhard,
| I try to read subjectAltName, but ASN1_STRING_to_UTF8 seems not to work.
| For the X509_NAME entries the same procedure works,
| but this ASN1_STRING seems to be different.
That is because only in the
Tomas Neme wrote:
| The documentation's poor at best, and I don't completely get the
| general concepts. From reading examples I figure that only the
| BIO_f_ssl does encryption-decryption when written into? so what should
| I do if I want to
GeraGray wrote:
| Yes, this is bug, in any case when key type is not recognized (not
| RSA/DSA/EC)
| error with information of unknown public key will be printed.
| This should be corrected.
| EVP_PKEY_RSA instead of SSL_FILETYPE_ASN1 should
Neale Pickett wrote:
Hello Neale,
| People keep sending me .ent files (example at the bottom of this
| message). They look to me a lot like Privacy-Enhanced Mail (remember
| Privacy-Enhanced Mail?) files. I've got all my S/MIME stuff set up and
Ian jonhson wrote:
| Besides certificate verification and session reconnect I don't
| know any details what you have to retest.
|
|
| You imply that the mechanism of X509-based certificate verification
| has been embedded in openssh mainstream,
Victor Duchovni wrote:
| On Thu, Mar 06, 2008 at 01:15:03PM -0600,
[EMAIL PROTECTED] wrote:
|
| So we're testing out an upgrade from OpenSSL 0.9.7e to 0.9.8g,
| and we're mostly using the SSL network connection functionality,
| not the crypto lib.
Hou, LiangX wrote:
| Hi, Steve,
| I used openssl dgst -sha1. Is there anything wrong with my code?
| Is it right to get the certificate object by using X509 *cert = ctx->cert;
| in this case?
openssl dgst -sha ... reads the data in the file and
[EMAIL PROTECTED] wrote:
Hello all!!
Hello Lidia,
I have a problem. I need to cipher a buffer of bytes in pkcs7 format, but
I can't use certificates; I need to encrypt using only a key or password.
Are you really sure PKCS#7 supports encrypting of
Piotr Skwarna wrote:
Hi
I try to compile apache with my openssl
./configure --prefix=/usr/unizeto/apache22 --enable-proxy --enable-ssl
--with-ssl=/opt/NEW/openssl/
[...]
checking for OpenSSL version... checking openssl/opensslv.h
--On August 08, 2007 08:24:10 +0200 Piotr Skwarna [EMAIL PROTECTED] wrote:
Hello
Hello Piotr,
I have problem with openssl cooperating with nCipher (nShield F3) engine
bash-2.03# uname -a
SunOS sun250 5.8 Generic_117350-35 sun4u sparc SUNW,Ultra-250
bash-2.03# ./openssl speed rsa
Hello,
--On July 22, 2007 14:22:42 + nobody [EMAIL PROTECTED] wrote:
On Fri, 20 Jul 2007 21:38:47 +0200
Goetz Babin-Ebell [EMAIL PROTECTED] wrote:
--On Friday, July 20, 2007 14:49:54 + nobody [EMAIL PROTECTED] wrote:
[...]
Then I exported it in pkcs12 format and imported
Hello,
--On Friday, July 20, 2007 14:49:54 + nobody [EMAIL PROTECTED] wrote:
[...]
Then I exported it in pkcs12 format and imported it into Internet
Explorer and Thunderbird. I've sent encrypted and signed mails with
Thunderbird and Outlook, they verify and decrypt fine at the other end
Hello Florian,
--On Monday, July 09, 2007 09:25:01 +0200 Florian MANACH [EMAIL PROTECTED] wrote:
I saw that it needs PEM format... but even if I convert the certs in PEM,
links are created but my app still returns an error on verification.
Hm.
Try to store roots, intermediate certs and
Hello Florian,
--On Friday, July 06, 2007 09:14:41 +0200 Florian MANACH [EMAIL PROTECTED] wrote:
OK I see but It's always not working after
c_rehash ./root
c_rehash ./certs
c_rehash ./crls
Oops:
--On Thursday, July 05, 2007 14:55:59 +0200 Florian MANACH [EMAIL PROTECTED] wrote:
I have a directory where I store CA root certificates. I want my app to
check if a certificate is signed by the mentioned CA on the ISSUER field.
In order to do this, it might look on this directory and
Hello Florian,
--On Thursday, July 05, 2007 17:59:01 +0200 Florian MANACH [EMAIL PROTECTED] wrote:
No, I didn't even know that function.
What does it do ?
It loads all certificate files (and CRL files) in the directory
and generates a short 4 byte hash from the common name of the cert.
Hello,
--On July 03, 2007 13:31:27 +0530 Vishal V [EMAIL PROTECTED] wrote:
Many thanks for the information.
But my query is partially answered.
Here it goes
A) Doesn't the client need the server's self-signed certificate to validate the
transmitted certificate?
- If Question A is true then how to
--On June 16, 2007 13:25:33 +0200 Alain Spineux [EMAIL PROTECTED] wrote:
Hello
Hello Alain,
I would like to create an individual space for all my customers, using
their own domain name.
For example
debian.org -> debian.org.example.com
linux.org -> linux.org.example.com
uk.debian.org ->
--On Saturday, June 09, 2007 05:03:54 -0400 Richard [EMAIL PROTECTED] wrote:
Hello! My goal is to write a simple function for use in C programs of
mine that can encrypt and output strings. This would seem to be an easy
task at first, only through attempting it have I realized some
--On Saturday, June 09, 2007 06:24:06 -0400 Richard [EMAIL PROTECTED] wrote:
1. I am aware the input and output will work upon binary data, this isn't
a problem for me.
OK
2. I suppose I am not entirely aware of all potential pitfalls.
Perhaps you should look into a book about cryptography
--On May 15, 2007 13:56:39 +0700 Endhy Aziz [EMAIL PROTECTED] wrote:
Hi all,
I'm trying to compile OpenSSL-0.9.8c with the debug option, but some
errors shown below occur:
...
...
[...]
/usr/lib/gcc/i586-suse-linux/4.1.2/../../../../i586-suse-linux/bin/ld:
cannot find -lefence
Hello Christopher,
--On May 10, 2007 11:29:25 +0200 Christopher Kunz [EMAIL PROTECTED] wrote:
I have isolated the problem to the private key that seems to be
incorrectly generated.
[...]
-BEGIN RSA PRIVATE KEY-
MIGKAgEAAoGBAJHprxsQfCcjF85LdJfDfSuudh/TuLCoLWgSTBnLJ8e98RmchH0Q
Hello Usman,
--On May 05, 2007 14:11:08 +0500 Usman Riaz [EMAIL PROTECTED] wrote:
I want to issue my customers certificates signed by my certificate
(a self-signed certificate). I want to limit the issued certificate to
not act as a CA.
I would like to specify the cert chain length in
Rocky S wrote:
1) I have installed openssl sources. In the certs directory,
there are various certificates. I looked at a couple of
them - aol1.pem vsign1.pem.
The vsign1.pem starts with
[...]
The aol1.pem directly starts with
Usman Riaz wrote:
Sorry to be rude, but your post just told me what I already know :),
my lack of knowledge at security, but didn't help me a bit :( (not sure if
the post was meant to be helpful).
David's post was meant in the
Hello Usman,
Usman Riaz wrote:
Thanks for the reply Jean-Claude, appreciated! Actually the whole scenario is
like this. I have a software that I am selling to the customers. I want to
encrypt the information (license info) with my private key,
Usman Riaz wrote:
I believe with signing the
license information (correct me if I am wrong), I have to provide the
actually license info/data (in plain clear text) along with the data
generated during the signing process.
Yes.
The problem with
Suchindra Chandrahas wrote:
Hi All,
Hi Suchindra,
Saw the part1 and part2. Trying to understand the stuff.
I got some client examples given there. I have downloaded sclient.
???
Which part1 and part2 ?
snip
Hello David,
WCR wrote:
I'm beginning to get this now, but I still have a problem :-((
How do I obtain this result
sXD2SsGQxI7DDFMwHwONxjGOaoI=
from the data object in the soap envelope?
For that you have to study the SOAP / XMLDSIG
Snuggles wrote:
Hi,
Hello Snuggles,
I'm writing my own webserver and I want it to be able to do SSL based client
authentication. It can already do HTTPS, but when I try to do the SSL based
client authentication, the connection gets dropped. I use
Hello David,
WCR wrote:
also Goetz,
Doing digest and sign in two steps is very unusual.
Usually you process the digest and generate the signature
in one step.
Unfortunately, I think I do need both the digest and the signature to stuff
my
Hello David,
WCR wrote:
Julius
You're probably pointing me in the right direction.
Not really.
I tried openssl dgst -sha224 and yes I got a 56byte hex string / 28byte
character string. My problem now is I can't use it in my xml message because
Julius Davies wrote:
RSA keypair, right? If so, compare that the modulus of both the
certificate and the private key is equal. These two commands do the
trick:
openssl x509 -in cert.pem -modulus -noout
openssl rsa -in rsa.pem -modulus
domi wrote:
Hello all together,
Hello Domi,
I’m not quite sure where to post my question because I wasn’t able to locate
my fault. So I’ll post my question in the OpenSSL-user forum and in the
Apache http server-users forum. A similar post in a
Bertram Scharpf wrote:
Hi,
Hello Bertram,
$ wc -c xxx
118 xxx
$ openssl rsautl -encrypt -certin some.crt -in xxx
RSA operation error
5747:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too
large for key
Bertram Scharpf wrote:
Hi Goetz,
Hi Bertram,
On Saturday, 03 Feb 2007, 16:05:46 +0100, Goetz Babin-Ebell wrote:
Bertram Scharpf wrote:
$ wc -c xxx
118 xxx
$ openssl rsautl -encrypt -certin some.crt -in xxx
RSA operation error
5747
domi wrote:
Goetz wrote:
I think your security model is broken.
A CRL, and with that the server clients can download it from, is part of
the chain of security of the CA.
So these servers must be on (best case) dedicated servers that are
Chris Covington wrote:
Hi all,
Hello Chris,
Suppose one wants to secure a server application which accepts
incoming HTTPS connections from anywhere. We'll call this Server A.
This server application is intended to only accept connections from
Clem Taylor wrote:
Hi,
Hello Clem,
Firefox seems to accept the subjectAltName extension, but I'm having
troubles getting firefox to trust the additional level of certificate
hierarchy.
[...]
Root CA cert (self signed) [added to trust store on
Vincenzo Sciarra wrote:
Hi,
Hello Vincenzo,
just check if issuer and holder are the same!
or do it the correct way:
openssl verify -CAfile self_signed_cert.pem self_signed_cert.pem
should return:
self_signed_cert.pem: OK
2006/10/25, Bhat,
Ambarish Mitra wrote:
Hello Ambarish,
On Wed, Oct 25, 2006, Goetz Babin-Ebell wrote:
openssl verify -CAfile self_signed_cert.pem self_signed_cert.pem
should return:
self_signed_cert.pem: OK
Maestro Steve appended:
Indeed, technically
Mouse wrote:
Traditionally the term self-signed applied to certificates that are NOT
signed by anybody but the owner of the given key pair. With all the relevant
security implications.
What is the purpose of checking for self-signed cert? To
Hello Jason,
edf green wrote:
Very straight forward and well documented? You gotta be kidding.
Perhaps for a long time openssl developer, but not for your run of the
mill C developer. I spent all last night going through the example
provided,
Marten Lehmann wrote:
Hello,
Hello Marten,
I recently read that it is possible to have more than one ssl-host per
ip-address. This shall be possible with two special requirements:
- all ssl-hosts share the same key
- all certs for the
[EMAIL PROTECTED] wrote:
PKI newbie in need of help.
Hello Steward,
When I sign a SSL cert with my CA, the certification path only lists the
web server. Not my SubCA or the Windows Root CA.
???
Which certification path do you mean ?
The
david kine wrote:
Hello David,
One more question: how do I, using the CA.pl script, generate a
certificate with a subjectAltName extension of type dNSName? The ones I
have already generated do not have this field set.
I suppose there is an
Simon wrote:
Hello Simon,
What I'm looking for is a way to get a PDF file or something like
that, so I can ask the printer to print 2-pages per page +
recto/verso, this way I can kill 75% less trees! ;)
That's what I was talking about when
Phil Dibowitz wrote:
Hello Phil,
In some cases I see serial numbers as octet strings, i.e.:
Serial Number:
ef:e1:73:da:b3:6a:cf:ad:6b:18:dd:58:7f:6b:49:fe
And other cases as an integer, i.e.:
Serial Number: 2
Lee Colclough wrote:
Hello Lee,
I couldn't get this to work either. I think that something is either
wrong with my cnf file, or the command line batch file I use to generate and
sign certificates is wrong.
Your config file is wrong.
Is anyone willing to have a look at them? I know it's a
Lee Colclough wrote:
Hi,
Hello Lee,
I have created a client/server app that talks via SOAP using SSL.
Generating the certificates is fine provided the commonName is just for
the machine on which a particular server is running. I would like
Tom Horstmann wrote:
It would help if you posted the certificate request or at
least tried this:
openssl req -in req.pem -noout -subject -nameopt multiline,show_type
ah, clear now. Thank you. Output as follows:
countryName = PRINTABLESTRING:DE
organizationName
[EMAIL PROTECTED] wrote:
Pretty much confirms what I thought. The OPENSSL API is so rich and I
haven't touched it (web server) in a while, I figured it wouldn't hurt to ask.
An alternative would be one host certificate with multiple
subject alt names.
This way you can issue a certificate that
Hello Alberto,
Alberto Alonso wrote:
I personally don't know why pipes are even in use in the openssl
internals (though I bet there is a good reason for it :-)
OpenSSL doesn't use pipes.
You get a SIGPIPE if you write to a socket whose other end is closed.
I prefer using send() with
Folkert van Heusden wrote:
What would be the way to obtain the fingerprint of the peer to which my
program connects? I looked in the sources of fetchmail but there a
call-back is used and I would like to implement it without a callback
function.
X509 * SSL_get_peer_certificate(const SSL *s);
Mark wrote:
Hello Mark,
You are still using 0.9.6 ?
I strongly recommend that you update OpenSSL to a newer version.
3 year old software is almost like back to stone age...
Indeed I have already recommended this too. However we will be
using OpenSSL on OpenVMS 7.3-1 and HP's implementation
Mark wrote:
I do things pretty much as you described except for the following:
* On server:
* if your server cert is signed by the root,
you can turn off sending of the root to the cert by
SSL_CTX_set_mode(ctx,SL_MODE_NO_AUTO_CHAIN)
I can't find this option (or similar) in the
Mark wrote:
Our application is a client/server application for which we (i.e. the server)
need to authenticate the client (users) and hence we are the only CA allowed.
This is not a public application so the server and all the client certs are
signed by us. Client authorisation is very
Mark wrote:
Hi Fred,
Hello Mark,
I have read the manual page ;-) However I don't understand the full
implications of using or not using this function in a server. If I
use it what does the client do with it? Does the client still need
a copy of the root certificate or is this provided
Mark wrote:
cat ca_directory/*.pem > ca.pem
openssl verify -CAfile ca.pem cert_to_check
works, there is something really strange with your system ...
Same error:
error 20 at 0 depth lookup:unable to get local issuer certificate
This indicates that your CA certificate is not in any of the *.pem
Mark wrote:
Hi Goetz,
But since you are using an own program, this doesn't matter.
Could you do an
c_rehash ca_directory
openssl verify -CApath ca_directory cert_to_check
error 20 at 0 depth lookup:unable to get local issuer certificate
If this doesn't work, but a
cat ca_directory/*.pem
Mark wrote:
Hi Goetz,
Hello Mark,
You point at it in the context before the handshake. You can either
point at a dir full of digest named ones or a specific
root cert file.
Strangely I tried the former which did not work. The latter method
appears to work fine (it connected and exchanged
Mark wrote:
in OPENSSL_DIR/ssl/misc is a demo script that does something like
a very small and dumb CA...
I don't seem to have this directory.
Replace OPENSSL_DIR with the installation path of your openssl
version...
Bye
Goetz
--
DMCA: The greed of the few outweighs the freedom of the
Mark wrote:
You point at it in the context before the handshake. You can either
point at a dir full of digest named ones or a specific root cert file.
Strangely I tried the former which did not work. The latter method
appears to work fine (it connected and exchanged data anyway).
did you a
.domain2,...
line in the section containing the extensions.
But this doesn't work with stone age (broken) browsers.
On 11/23/05, Goetz Babin-Ebell [EMAIL PROTECTED] wrote:
Farid Izem wrote:
I'd like to generate a Self Signed SSL Certificates which
Mark wrote:
Hi,
Hello,
# openssl req -newkey rsa:1024 -keyout nuckey.pem
-keyform PEM -out nucreq.pem -nodes -outform PEM
What are these key files for?
I'm still not sure what these files are for. I guess that the
nuckey.pem is a private key (does this need loading with
Farid Izem wrote:
Hi all,
New to this mailing list. Hope you can help me in completing my task.
I'd like to generate Self Signed SSL Certificates which will serve for
multi hosted sites on the same server.
Can someone tell me how to do that please?
Mark wrote:
Hi,
The following command seems to create a new public and private key:
# openssl req -newkey rsa:1024 -keyout nuckey.pem -keyform PEM -out
nucreq.pem -nodes -outform PEM
What are these key files for?
I'm still not sure what these files are for. I guess that the
nuckey.pem
is
Gerd Schering wrote:
Hi,
Hello Gerd,
in the template config file that came with 0.9.8, I found that
subjectAltName=email:copy
subjectAltName=email:move
are both possible, but what is the difference?
it's obvious you never bothered to try it or apply
a little bit of syntactical reasoning.
Mark van Beek wrote:
Thanx for all the info, after a lot of trying I have created a working
certificate. For now I have just a few question left, is it possible
(without (shell)scripts) to (and how to do so):
1) include a .conf file with the subjectAltName extension configured for a
certain
if connected from the inside
than connected from the outside (but this is good for testing...)
As long as you issue your own certificates it is trivial...
On Nov 4, 2005, at 3:17 PM, Goetz Babin-Ebell wrote:
Joseph Oreste Bruni wrote:
You can have as many commonNames as you want. That goes
Joseph Oreste Bruni wrote:
You can have as many commonNames as you want. That goes for
subjectAltName fields too. I do that on an apache server (not using TLS)
that needs to host more than one SSL site. Every browser I've used is
okay with certs. that have multiple CN's.
But he should use