Hi Stephen,
>
> Is that a bug or is OpenSSL using stateless session resumption? FF also
> supports that. In that case the session cache is not used.
>
It is somehow related to FF 3.5.x! I tried different 3.0.x builds on windows and
debian, as well as an old seamonkey 1.1.14 and it works all tim
Hi,
I am using 098h with the non-default configure option 'enable-tlsext' and have a
problem with the TLS extension servername in conjunction with ssl session
caching.
It seems that sessions that contain the SNI extension will not be cached by
openssl. (I tried with FF 351)
During the handshake
Thanks!
> No it means that the service is an RFC3161 time stamp which OpenSSL doesn't
> currently support. You can perform limited verification of these using the
> smime command line utility for example...
>
> openssl smime -verify -inform DER -out ts.der -in timstamp -noverify
>
> will verify
Hi Stephen,
What exactly does it mean? Does it mean that the wrong digest was signed? If so
what is with the correct digest that is also present in the pkcs7 file?
Dr. Stephen Henson wrote:
>
> That particular failure is caused by the digest contained explicitly in the
> PKCS #7 structure not ma
Hi,
Dr. Stephen Henson wrote:
>> $ openssl.exe smime -verify -inform DER -in sig -content
>> openssl-0.9.8h.tar.gz
>> -noverify -out c.tar.gz
>> Verification failure
>> 3776:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest
>> failure:pk7_doit
>> .c:948:
>> 3776:error:21075069:PKCS7 r
Hi,
I try to verify a signature made by time.certum.pl. This is what I did: I obtain
a pkcs7 signature using wget. When I look into the binary data that will be
returned I can find the given sha1 checksum, but the verification fails.
1) What did I miss?
2) How can I extract the signed attributes
Hi Stephen,
thank you very much! The snapshot build compiles without these warnings.
Bye
Jan
Dr. Stephen Henson wrote:
The cause is OpenSSL doing some things which gcc 4.2 doesn't like. These have
been corrected in newer versions of OpenSSL but not when the source
was submitted for testing.
Hi Stephen,
I have downloaded ftp://ftp.openssl.org/snapshot/openssl-fips-test-1.2.0.tar.gz,
extracted it and:
./config fipscanisterbuild
make
make install
and then
make clean
./config fips shared no-idea no-mdc2 --with-fipslibdir=/usr/local/ssl/fips-1.0/lib
make depend
make
The libraries
Hello Stephen,
thanks for your very quick reply.
1) Can it be linked dynamically?
Yes it can.
2) If I would like to link it dynamically when/where do I link the
fipscanister.o?
You build and install fipscanister.o from the FIPS 1.2 test source.
Then obtain the 0.9.8-fips source with
Hello list,
I am unsure how OpenSSL FIPS 1.2 can be deployed. I read that it can be linked
statically but also loaded dynamically, but I also read that it can only be linked
statically (as FIPS 1.1.2)
1) Can it be linked dynamically?
2) If I would like to link it dynamically when/where do I link the
Hi,
I have problems establishing an SSL connection where the server certificate is
based on an EC key. I first tried via the C API, but I can't make it work
even with the command line tool. This is what I did:
xxx:~./openssl ecparam -name secp256r1 -genkey -out ecc1.pem
using curve name pr
Hi,
After applying the patch http://cvs.openssl.org/chngview?cn=17196 the problem is
gone!
Any ideas, what has been changed and how I can work around it?
Thanks
Hello,
since the upgrade from 0.9.8g to 0.9.8h the code below to generate a PKCS12
object failed! I have observed this on linux64 (debian 3.1) and WinXP. The
parameters have not been changed and 'key' is an RSA key.
The code:
ERR_clear_error();
PKCS12 *pkcs12cont = PKCS12_create ((char*) pwd.
Hi Stephen,
Dr. Stephen Henson wrote:
>
> Servers can renegotiate an SSL connection and request a client certificate
> later. This might be due to a script or clicking on a "login" link for example.
>
Oh, I didn't remember this! Thanks for your quick help.
Jan
Hello,
When I use my browser to go to https://creditportal.bankofamerica.com/ I am
redirected to a page telling me that there is something wrong with my client
certificate (the fact is that I don't have one).
But when I am looking at a tcp dump I cannot find that the server asks for a
client cert
Victor Duchovni wrote:
>
> Download a 0.9.9 dev snapshot and see the CHANGES file:
>
> New functions (subject to change):
>
> SSL_get_servername()
> SSL_get_servername_type()
> SSL_set_SSL_CTX()
>
Thanks Victor.
This seems to be what I was looking for. Do you k
Hello,
can anybody explain how I can use the server name extension from the first TLS
handshake message (Client Hello)?
I would like to use it to return an appropriate certificate to avoid a CN
mismatch.
Which version of OpenSSL is required for this?
Thanks
Jan
Hello Marek,
thanks for the hint.
> One workaround of this problem is to disable EDH ciphers, for example:
>
> $ openssl s_client -connect bshop.esprit.com:443 -cipher 'ALL:!EDH'
I tried this, but got exactly the same error messages! Then I looked up the cipher
specs on http://www.openssl.org/docs
Hello,
it seems that there are some incompatibilities out there. For some hosts
establishing an SSL connection fails when using openssl, but it succeeds when
using a browser. This is one example:
F:\openssl>openssl.exe s_client -connect bshop.esprit.com:443
Loading 'screen' into random state - do