Did you call "SSL_library_init()", "SSL_load_error_strings()", etc.?
gary clark <[EMAIL PROTECTED]> wrote: Hello,
After performing the following:
SSL_CTX * ctx = SSL_CTX_new(SSLv23_client_method());
Huh! Dumped the result of the failure and errorcode.
The ctx value is:
ctx=0x0
OPENSSL_Uplin
You're missing the -CAfile option in s_client.
"M. Fioretti" <[EMAIL PROTECTED]> wrote:
On Wed, Jun 14, 2006 12:11:55 PM +0200, io ([EMAIL PROTECTED]) wrote:
> Hello,
>
> I am configuring a remote x86 Centos 4.3 box (running in UML) as
> personal web and email server. Openssl version is openssl-0.9.7a-
Thank you very much!
-David
Victor Duchovni <[EMAIL PROTECTED]> wrote:
On Fri, Jun 09, 2006 at 12:25:52AM +0200, Goetz Babin-Ebell wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> david kine wrote:
> Hello David,
>
> > One more question: how do I, usin
an openssl.cnf file setting for this purpose? I notice the line "#subjectAltName=email:copy" in the system's openssl.cnf file.
Thanks,
-David
Victor Duchovni <[EMAIL PROTECTED]> wrote:
On Thu, Jun 08, 2006 at 11:40:04AM -0700, david kine wrote:
> My code to retrieve
Hello, My secure client application performs post-connection fully-qualified-domain-name authentication. According to RFC 2818, "If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject fiel
Hello, I have a certificate authority A who signs an entity B, who then signs an entity C. I will use C as the server certificate in s_server. This is a chain of three certificates. How do I load all three into s_server? The "-cert" option seems to allow only one certificate.
Try "openssl ca -revoke"
-David
--- Anthony Azzopardi <[EMAIL PROTECTED]>
wrote:
> I'm reading the 'SSL Certificates HOWTO', by F.
> Martin. In the
> 'Certificate Management' chapter it tells how to
> 'revoke' the
> certificate by this command:
>
> openssl -revoke newcert.pem,
>
> but this
]> wrote:
> On Thu, Nov 10, 2005, david kine wrote:
>
> > I tried your suggestion to set only
> > X509_V_FLAG_CRL_CHECK, but unfortunately it did
> not
> > help. Attempting to connect to ANY secure server
> > still causes the same "unable to get certifi
,
with the "unable to get certificate CRL" message.
Perhaps this is a clue.
To summarize, my program works perfectly unless I set
the X509_V_FLAG_CRL_CHECK flag, whether or not I add a
CRL using X509_load_crl_file().
-David
--- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:
I have a secure client application that loads a pkcs12
file containing client cert, client key, and trusted
root CA's. It works perfectly, connecting only to
servers signed by the trusted CA's.
However, when I load a single CRL file, then all
connections fail:
"unable to get certificate CRL"
"SS
Very clever, thanks for the tips.
-David
--- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:
> On Wed, Nov 09, 2005, david kine wrote:
>
> > I've switched over to a Linux system running
> OpenSSL
> > 0.9.7a Feb 19 2003, and copied the CA.pl fro
ver CA?
-David
--- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:
> On Wed, Nov 09, 2005, david kine wrote:
>
> > I'm attempting to use CA.pl on a Solaris 10 Sparc
> > system. OpenSSL is provided on the distribution
> CD's
> > (OpenSS
m".
Should I use a custom openssl.cnf to fix this problem?
Or modify CA.pl?
Thanks,
-David
--- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:
> On Tue, Nov 08, 2005, david kine wrote:
>
> > In the book "Network Security with OpenSSL" on
> pages
In the book "Network Security with OpenSSL" on pages
124-125 is a list of OpenSSL commands to create a root
CA, and a server CA signed with the root CA.
My question is, how would I use the openssl CA command
to revoke the server CA certificate by the root CA,
and generate a CRL?
I have tried "o
Looking for the cause of this error in my secure
client application, coming from the SSL_connect()
function:
-
ERROR 3: unable to get certificate CRL
SSL_connect error 1,
error:0001:lib(0):func(0):reason(1)
SSL error: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate
I think that I found the answer - get the error code
from the X509_STORE_CTX and check for the value
X509_V_ERR_CERT_HAS_EXPIRED (defined in x509_vfy.h).
-David
--- david kine <[EMAIL PROTECTED]> wrote:
> My application requires a feature that allows
> connection to secure s
My application requires a feature that allows
connection to secure servers whose certificates may
have expired.
I suppose that the OpenSSL verify callback function,
set with the function SSL_CTX_set_verify(), can
inspect an error condition and return "true" to
establish the secure connection.
My
that 0.9.7 is
necessary for handling CRL's, yet I see CRL functions
in 0.9.6.
--- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:
> On Tue, Aug 09, 2005, david kine wrote:
>
> > I am implementing CRL support in an application on
> > Solaris using OpenSSL 0.9.6
I am implementing CRL support in an application on
Solaris using OpenSSL 0.9.6d 9 May 2002.
According to the information I have gathered, CRL
support is not available in pre-0.9.7 OpenSSL
releases.
I have the opportunity to easily upgrade to 0.9.7g.
Will 0.9.7g provide the support necessary for
in
How do I access the client certificate and private key
from an SSL_CTX?
It was previously loaded into the SSL_CTX with
SSL_CTX_use_certificate() and
SSL_CTX_use_PrivateKey().
Thanks for the help,
-David
Hello,
I'm having great success securing my application with
OpenSSL, but I have a small question regarding client
certificates and private keys.
I load a PKCS#12 file into an SSL_CTX as follows:
1. Use PKCS12_parse() to read the client certificate,
private key, and trusted CA stack
2. Use S
structure or the
> SSL_CTX) to prohibit the use of SSLv2. This way, you
> got an SSLv3 and
> TLSv1 client.
>
> Cesc
>
> On 6/29/05, david kine <[EMAIL PROTECTED]>
> wrote:
> > Hello,
> >
> > How should I program my client application to
> suppo
Hello,
How should I program my client application to support
both TLSv1 and SSLv3?
According to RFC2246 appendix E, the client sends a
single SSLv3 record format HELLO message with the
version field set to {3, 1}.
Is this possible with OpenSSL?
If not, do I connect with the TLSv1_client_method(
Hello,
I am developing a secure HTTP web proxy server using
OpenSSL 0.9.6d. It supports SSL/TLS on both client
and server sides. I have already implemented the
basic secure connection and authentication functions
using examples found in OpenSSL books.
I am not a security expert, and my customer
Thank you Heikki Toivonen and Goetz Babin-Ebell, your
suggestions were very helpful.
-David
> david kine wrote:
> > How does one load verify locations into a SSL_CTX
> from
> > in-memory X509 certificates?
>
> You can get the X509_STORE from the SSL_CTX.
> There yo
I am writing an SSL client which utilizes a PKCS12
keystore.
I am able to create the keystore using OpenSSL
utilities, read the .p12 file using d2i_PKCS12_fp(),
and parse it using PKCS12_parse(). The X509 and
STACK_OF( X509 ) return parameters are all correct.
The next thing I need to do is set