th
Mozilla 1.7 and Mozilla Firefox 0.9.3 don't honor multiple CNs, while
the Internet Explorer does. But that is, of course, a different matter
and nothing to worry about on the OpenSSL mailing list. ;-) Thank you
for your suggestions!
Ralph
___
but as I wrote before, there are other mailing
lists probably better suited for this matter. Of course, if you know how
to persuade Mozilla/Firefox to not display their warnings, please do
speak up here! ;-)
Ralph
__
OpenSSL Project
] [info] [client 132.176.162.117] Connection closed to child 1
with abortive shutdown (server...
Can anyone help me?
Thanks
Ralph
---
Ralph Knoche
PKI und Identity Management
FernUniversität in Hagen - Zentrum für Medien und IT
Universitätsstraße
, and
against DNS without looking at CN if DNS is available. Should this
be considered being the correct behaviour?
--
Mit freundlichen Grüßen / Yours sincerely
Dipl. Inform. Ralph Seichter
__
OpenSSL Project
e to do an extra verify? I want to see the certificate chain in any
case, so showcerts is what I am doing right now. Seeing all errors would be
more interesting, however.
Thanks,
Ralph
I use the "openssl verify" command and read the same
certs from file?
Thanks,
Ralph
8 May 2008
What I'm missing?
Kind regards,
Ralph Heinrich
Technical Support Engineer | VMware Global Support Services
Technical Support Phone Numbers:
http://www.vmware.com/support/phone_support.html
_
e and then, because openssl hasn't left the
default action of SIGPIPE, terminate, in place it exits without error
and the while-loop starts it again.
What's the thinking behind this undocumented behaviour? It lessens the
utility of the command and makes it an ill-fit for the Unix w
of
verify seems to be the same regardless whether the option is set (to
"sslserver") or not set.
Am I correct in surveying that openssl verify uses a default of "sslserver"
for -purpose?
(I can't find this in the docs, and Google yields inconclusive stuff)
Thanks,
Ralph
ould be still be evaluated
normally, just without checking for certificate purpose? Because the way the
docs say it, I would have concluded chain evaluation is not done at all -
yet it seems to happen.
Thanks,
Ralph
ords seem to imply that
the correctness of the chain leading up to the root CA is indeed evaluated
(else why bother about the CA cert?). Yet the docs say about -purpose:
"Without this option no chain verification will be done"
If I don't pass -purpose, is the correctness of the chain evaluated at all?
Because if it is, I think the wording in the docs is misleading.
Ralph
, but it will be on the local
file system. Likely in PEM or DER, though, so grep won't help. A Google
lookup on the moz.dev.security.policy or moz.dev.security.crypto groups
might yield the answers, the topic occurs there from time to time.
Ralph
/verify.pod.
Thanks,
Ralph
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord
you have chosen your own roots only.
Also, would the same thing happen if you use libssl-dev?
Thanks for any clarification on this issue.
Thanks,
Ralph
__
OpenSSL Project http://www.openssl.o
kq67h0D
CAPath is indeed evaluated as you say.
So would you argue that this behaviour should be expected? If so, I
would argue it should be stated in the docs (and not just in the code).
Ralph
__
OpenSSL Project
"." and then openssl will not fall back to default settings?
I think that information is what users are really looking for.
Ralph
On 12/06/2012 09:32 PM, Chris Palmer wrote:
> On Thu, Dec 6, 2012 at 12:00 PM, Erwann Abalea
> wrote:
>
>> There's the same behaviour
he way
> originally intended by the mozilla file (blocking them)? In any case, I
There is:
https://github.com/agl/extract-nss-root-certs
If you need to work on (much) older root stores, too:
https://github.com/ralphholz/root-store-archaeology
Ralph
17 matches
Mail list logo
