Re: [EXTERNAL] RE: enforcing mutual auth from the client

2022-09-02 Thread Sands, Daniel via openssl-users
On Fri, 2022-09-02 at 00:22 +, Wall, Stephen wrote: > > A compromised server could easily still request the client > > certificate, no? > > But as noted, even a compromised server can ask for client > > credentials and then > > Yes, that's true. If the intruder knew to do so. Also, a thief

RE: [EXTERNAL] RE: enforcing mutual auth from the client

2022-09-01 Thread Sands, Daniel via openssl-users
> > It is not clear what threat model warrants taking special action when > > the client certificate is not requested. It could equally be > > requested and then largely ignored. > > A client in a highly secured network knows that every server it connects to > will > require a client

RE: [EXTERNAL] Re: IMPLEMENT_ASN1_FUNCTIONS tutorial or help

2021-08-17 Thread Sands, Daniel via openssl-users
> My latest attempt to code the below DER is this. It compiles, but the d2i > segfaults on apparently the second element. > > Anything obviously wrong? > > typedef struct { > ASN1_INTEGER *version; > ASN1_INTEGER *serialNumber; > X509_ALGOR *signature; > X509_PUBKEY *key; >

RE: [EXTERNAL] Re: IMPLEMENT_ASN1_FUNCTIONS tutorial or help

2021-08-17 Thread Sands, Daniel via openssl-users
> >> Now I would like to do the other end, where I have der and I want to > >> parse back to the structure, using d2i() > >> > >> 1 - Is there a tutorial on this? > > > > Seems like you don't need one. If you got i2d working you should have d2i > already! > > > > I wasn't clear. The input and

RE: [EXTERNAL] RE: DH_compute_key () - replacement in 3.0

2020-12-17 Thread Sands, Daniel via openssl-users
From: Narayana, Sunil Kumar Sent: Thursday, December 17, 2020 8:17 AM To: Sands, Daniel ; openssl-users@openssl.org Subject: [EXTERNAL] RE: DH_compute_key () - replacement in 3.0 Hi, For the equivalent replacement of DH_compute_key in 3.0, we tried to perform the steps

RE: [EXTERNAL] RE: DH_compute_key () - replacement in 3.0

2020-12-16 Thread Sands, Daniel via openssl-users
Hi Daniel, Thanks, we will try it out. One more doubt regarding DH_generate_key, as per earlier suggestion we tried following changes to replicate the generate key, but we observe that the output key does not match the one that is obtained by DH_generate_key() of older

RE: [EXTERNAL] RE: DH_compute_key () - replacement in 3.0

2020-12-15 Thread Sands, Daniel via openssl-users
We have generated the key using EVP_PKEY_gen as suggested in earlier emails, but since this was non-ephemeral and we wanted to store the key in "raw" octet bytes, we extracted the whole DH priv/pub key pair from the key generated via EVP_PKEY_gen (using as suggested…

RE: DH_compute_key () - replacement in 3.0

2020-12-14 Thread Sands, Daniel via openssl-users
to exactly replace this we are generating “pubparam_key/priparam_key” using bn_publicKey/dh->priv_key as below OSSL_PARAM_BLD *pubparamsbld = NULL, *priparamsbld = NULL; OSSL_PARAM *pubparams = NULL, *priparams = NULL; EVP_PKEY *pubparam_key = NULL, *priparam_key = NULL; EVP_PKEY_CTX *pubctx =

RE: DH_generate_key

2020-12-08 Thread Sands, Daniel via openssl-users
Dear openssl team, While migrating from 1.0.2 to 3.0, we found that DH_generate_key() has been deprecated. And as per the man page, it is advised to use EVP_PKEY_derive_init &

RE: [EXTERNAL] How to get all certs into a .der file.

2020-05-22 Thread Sands, Daniel via openssl-users
According to the documentation, cURL can use p12 files just fine. curl --cert bob.p12:bobspassword --cert-type p12 https://some.secure.site Or you can omit the password part and use -key mykey with your password in the mykey file, in order to hide the password from PS queries. From:

Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

2018-12-03 Thread Sands, Daniel via openssl-users
On Sat, 2018-12-01 at 15:53 -0500, Viktor Dukhovni wrote: > On Sat, Dec 01, 2018 at 07:12:24PM +, Michael Wojcik wrote: > > > > Are there compatibility concerns around changing error message > > > text for which users may have created regex patterns in scripts? > > > > > > I agree the text

Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

2018-11-30 Thread Sands, Daniel via openssl-users
On Fri, 2018-11-30 at 23:55 +, Michael Wojcik wrote: > > "Self-signed certificate in certificate chain" does not to me > > > convey "No > > > certificate hash links" (or "CA certificate not found in hash > > > links"). > > > Viktor's points are all good ones, but considering how often this >

Re: [openssl-users] [EXTERNAL] Re: OpenSSL error message when decrypting Ethereum encrypted private key

2018-01-15 Thread Sands, Daniel
On Sun, 2018-01-14 at 18:26 -0500, Chris B wrote: Hi Matt, >If you *are* using 1.1.0 then the default digest was changed between 1.0.2 and >1.1.0. Awesome thought, but I'm also using 1.0.2: $ openssl version OpenSSL 1.0.2k-fips 26 Jan 2017 (I also tried adding -md md5 to the previous

Re: [openssl-users] [EXTERNAL] Certificate gets verified OK over SSL-CLI, but not when using SSL-API

2017-12-22 Thread Sands, Daniel
On Fri, 2017-12-22 at 11:14 +0100, Manuel Wagesreither wrote: > Unfortunately this didn't work either. The end result is the same; > OpenSSL still emits a "certificate signature failure" with an error > depth of 0. > In light of what Salz said about verification, could we assume that the openssl

Re: [openssl-users] [EXTERNAL] Certificate gets verified OK over SSL-CLI, but not when using SSL-API

2017-12-21 Thread Sands, Daniel
I'm a fellow SSL-USER and not an expert, but my verification flow goes as follows: X509_STORE_CTX_new() X509_STORE_CTX_init(ctx,NULL,cert,NULL) <-- The certificate to verify X509_STORE_CTX_trusted_stack(ctx,CACertificateStack) <-- Perhaps this is the difference? X509_verify_cert(ctx) On Thu,

Re: [openssl-users] [EXTERNAL] How do I connect to this server

2017-04-21 Thread Sands, Daniel
On Fri, 2017-04-21 at 16:09 -0400, Jeff Archer wrote: > I have a server that requires that username and password be used as > https://username:passw...@server.com > > > How do I specify this username and password when using SSL_connect()? You don't. The username and password are encoded into

Re: [openssl-users] [EXTERNAL] Re: error making Private RSA

2017-03-09 Thread Sands, Daniel
First, to get intelligible text errors, replace your initial call with ERR_load_crypto_strings(). The ERR_load_ERR_strings call doesn't even seem to be documented, likely because it only loads the strings associated with the ERR API, and you likely need PEM and BIO error strings. When I did

Re: [openssl-users] [EXTERNAL] Re: SOLVED --- ASN.1: Parsing a 'context-specific' class (or app/private class)

2015-09-02 Thread Sands, Daniel
> Well at first sight that looks like an IMPLICIT tag which replaces > the normal > tag with the context specific value. It is not possible to determine > the > underlying type from the encoding itself as it has been replaced. So > you need > the ASN.1 spec to see the appropriate type to use. > >

Re: [openssl-users] [EXTERNAL] imap.gmail.com

2015-07-15 Thread Sands, Daniel
IMAP is probably based on the Telnet protocol, so the server is expecting CRLF instead of just CR. Try running s_client with the -crlf option. On Wed, 2015-07-15 at 19:34 +0200, Henrie Cuijpers wrote: Hi all, I try to connect to the gmail imap service, but after the connection has been set

Re: [EXTERNAL] howto get a .so.X.Y.Z file rather than individual .o files in a libSOMETHING.a

2014-08-05 Thread Sands, Daniel
On Mon, 2014-08-04 at 22:45 +0200, Michael Felt wrote: And finally - read exactly what is there: -- Dependent module libcrypt.so could not be loaded, not as above 0509-150 Dependent module /usr/lib/libssl.a(libssl.so.0.9.8) could not be loaded. (libssl.a(member)) The problem there is

Re: [EXTERNAL] howto get a .so.X.Y.Z file rather than individual .o files in a libSOMETHING.a

2014-08-04 Thread Sands, Daniel
To generate a .a of shared objects instead of static objects, really all you do is build the shared object(s) and create an archive out of them. There is no special magic about it beyond creating the shared object in the first place. When linking a new program to an archive of shared objects,

Re: [EXTERNAL] howto get a .so.X.Y.Z file rather than individual .o files in a libSOMETHING.a

2014-08-04 Thread Sands, Daniel
On 8/4/2014 7:06 PM, Sands, Daniel wrote: To generate a .a of shared objects instead of static objects, really all you do is build the shared object(s) and create an archive out of them. There is no special magic about it beyond creating the shared object in the first place. When