Hello,
I inherited the code for a web-server-like server that i need to
maintain. It is set up that when you request a certain URL, the server
will renegotiate and request a client certificate. They said it worked
when they use OpenSSL 0.9.8, but we are seeing issues with 1.0.2l. When
it
(with the understanding it has not been
validated for compliance).
if this has been discussed already, i apologize. i could not find
anything on this issue, just on whether or not there will be a FIPS
140-3 validation in the future for OpenSSL.
thank you very much,
-=- adam grossman
confuses me:
Re-enable renegotiation but require the extension as needed.
i do not know what it means require extensions. Short of setting
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION , what do i need to do to
have renegotiations work again?
thanks for the patience and hand holding,
-=- adam grossman
already built into the OpenSSL APIs.
thank you,
-=- adam grossman
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager
Peter-Michael,
thanks for the info, but this is on linux.
-=- adam grossman
On Sun, 2010-04-04 at 19:40 +0200, PMHager wrote:
Adam Grossman wrote:
is there a way i can set a timeout for an SSL_accept, either if the
handshake does not complete within X seconds (preferred), or even
i have done networking programming for a while, and i have never run
across that before. thank you so much, you have just saved me a lot of
development time!
-=- adam grossman
On Sun, 2010-04-04 at 22:34 +0200, PMHager wrote:
Adam Grossman wrote:
thanks for the info, but this is on linux
hello.
After FIPS_set_mode() passes, and i am in FIPS mode, is there any way to
retrieve a version string, such as FIPS 1.2 or anything like that so
i can verify that the correct FIPS module is being used?
thank you,
-=- adam grossman
is perhaps OpenSSL compiled with fipsld,
therefore i do not need to use it in my application? i just want to
make sure i understand the role of the fipsld in case i am getting a
false positive...
thank you,
-=- adam grossman
:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or
bad record mac:s3_pkt.c:422:
and the problem does not always happen on every connection, but it is
pretty frequent (about half the time). also, this did not happen with
0.9.7.
any ideas?
thanks to everyone yet again,
-=- adam grossman
to host a wiki or
anything like that.
openssl is pretty powerful, but the lack of documentation can make it
rather daunting when you are first learning, or if you need to deviate
from what the sample code you get is doing.
thank you,
-=- adam grossman
. what am i doing wrong?
just as a warning, once this is set up, i have a few more follow-up
questions.
thanks everyone ahead of time,
-=- adam grossman
On Thu, 2010-02-04 at 18:09 +0100, Dr. Stephen Henson wrote:
On Thu, Feb 04, 2010, Adam Grossman wrote:
hello once again,
i am trying to get CRLs working for client certs. i have read about a
million different ways of doing this, but this is how i am doing it:
X509_CRL *x509_c
On Thu, 2010-02-04 at 20:17 +0100, Dr. Stephen Henson wrote:
On Thu, Feb 04, 2010, Adam Grossman wrote:
On Thu, 2010-02-04 at 18:09 +0100, Dr. Stephen Henson wrote:
On Thu, Feb 04, 2010, Adam Grossman wrote:
hello once again,
i am trying to get CRLs working for client
On Thu, 2010-02-04 at 15:59 -0500, Adam Grossman wrote:
On Thu, 2010-02-04 at 20:17 +0100, Dr. Stephen Henson wrote:
On Thu, Feb 04, 2010, Adam Grossman wrote:
On Thu, 2010-02-04 at 18:09 +0100, Dr. Stephen Henson wrote:
On Thu, Feb 04, 2010, Adam Grossman wrote:
hello once
On Fri, 2010-01-29 at 01:52 +0100, Dr. Stephen Henson wrote:
On Thu, Jan 28, 2010, Adam Grossman wrote:
hello,
so close, yet so far
i fixed it where the client is sending its certs over and the
handshake is complete. but i have two problems:
1. for different
(X509_NAME)
*ca_stack)? that would really make my day.
thanks everyone for all their help on this question, the past
questions, and the undoubtedly future questions,
-=- adam grossman
On Wed, 2010-01-27 at 23:29 -0500, Adam Grossman wrote:
i am trying to emulate something that mod_ssl does
am i missing?
thanks everyone once again,
-=- adam grossman
nevermind... i had blinders on while reading the error, and i just
concentrated on the server. i just noticed the browser says:
Peer does not recognize and trust the CA that issued your certificate.
so i need to go make sure my certs are set up properly.
thanks,
-=- adam grossman
On Wed
i just tried 0.9.7m, and to no avail. i double checked my certs, i made
sure my CA cert on the server is correct, and i am still getting the
same error on the server and the browser is giving to Peer does not
recognize and trust the CA that issued your certificate.
thanks,
-=- adam grossman
something incorrectly?
thanks,
-=- adam grossman
On Wed, 2010-01-27 at 22:01 -0500, Brett Schoppert wrote:
Not sure if the problem I had it is the same as yours, but I meant 0.9.8k (
not 7k ).
I first verified my setup was working ( certs were correct, etc. ) by setting
up client-side SSL
On Fri, 2010-01-15 at 17:06 -0500, Victor Duchovni wrote:
On Fri, Jan 15, 2010 at 04:11:04PM -0500, Adam Grossman wrote:
A simpler question might be (hopefully), is after i call SSL_accept,
is there a way to retrieve all the raw data which was read in by
SSL_accept?
Don't call
On Sat, 2010-01-16 at 11:41 -0500, Victor Duchovni wrote:
On Sat, Jan 16, 2010 at 10:39:13AM -0500, Adam Grossman wrote:
On Fri, 2010-01-15 at 17:06 -0500, Victor Duchovni wrote:
On Fri, Jan 15, 2010 at 04:11:04PM -0500, Adam Grossman wrote:
A simpler question might be (hopefully
Adam Grossman wrote:
One last question, and i am done bugging you about this...
These are the steps i am taking:
SSL_set_fd(ssl_data->ssl_ssl, sock_fd);
sslbio=SSL_get_rbio(ssl_data->ssl_ssl);
internalBIO=BIO_new(BIO_s_bio());
BIO_set_write_buf_size(internalBIO, 1024
you,
-=- adam grossman
A simpler question might be (hopefully), is after i call SSL_accept,
is there a way to retrieve all the raw data which was read in by
SSL_accept?
thanks,
-=- adam grossman
On Fri, 2010-01-15 at 11:51 -0500, Victor Duchovni wrote:
On Fri, Jan 15, 2010 at 10:57:35AM -0500, Adam Grossman wrote