On Thu, 2015-01-15 at 04:52 -0800, Adam Williamson wrote:
> If anyone can point out what I'm missing I'd be very grateful :)
So I think I may actually know more or less what's going on, now.
Passing -purpose to `verify` seems to really enable only *purpose*
checking. It doesn't actually enable
Whew, that was a long title!
Hi, folks. I'm a Fedora QA person who's been poking at SSL stuff as a
sort of sideline lately; please don't give me too much credit for my
email address, I'm not one of RH's official security / SSL folks, so
please be gentle when I'm wrong ;)
This is all with OpenS
On 25/09/2012 18:45, Jakob Bohm wrote:
On 9/25/2012 6:12 PM, Erwann Abalea wrote:
On 25/09/2012 14:16, Jakob Bohm wrote:
> On 9/25/2012 11:11 AM, Erwann Abalea wrote:
[...]
Any signature algorithm works by dividing the universe of N bit strings
into those that are valid signatures for the
her by removing the nonexpired certificate from
the CAfile or by changing to the CApath mode and using strace to see
OpenSSL opens the second CA certificate (named 415660c1.1).
>> When trying to build a valid certification path, all possibilities have
>> to be tested until one of them
and 1.1.0 (from sources).
The 1.0.1 version displays a warning if it finds the expired certificate
first, but the verification goes on with the next certificates, and it
finally gives an OK result.
That can be checked either by removing the nonexpired certificate from
the CAfile or by changing to
On 9/25/2012 11:11 AM, Erwann Abalea wrote:
Hello,
On 24/09/2012 21:03, Jakob Bohm wrote:
> Does that work with any other serious X.509 validation toolkit?
It should.
When trying to build a valid certification path, all possibilities have
to be tested until one of them succeeds. If a CA gi
-openssl-us...@openssl.org] *On Behalf Of *Charles Mills
*Sent:* Thursday, September 13, 2012 9:42 AM
*To:* openssl-users@openssl.org
*Subject:* RE: certificate validation issues with openssl 1.0.0 and
expired certificates in cafile
Would it make sense to delete the expired certificate from the Windows
Hello,
On 24/09/2012 21:03, Jakob Bohm wrote:
Does that work with any other serious X.509 validation toolkit?
It should.
When trying to build a valid certification path, all possibilities have
to be tested until one of them succeeds. If a CA gives a good signature,
but fails for whateve
> SubjectKeyIdentifier fields being absent from the root
>> CA certificates in his scenario.
>>
>> On 9/24/2012 6:26 PM, Ashok C wrote:
>>
>> Hi,
>>
>> One more observation was made here in another test case.
>>
new root CA.
_*Test case 1:*_
Using CAFile option in openssl verify of the ee.pem,
If oldca.pem is placed on top and newca.pem below, verification
fails.
i.e., cat oldca.pem > combined.pem;cat newca.pem >> combined.pem
_*Test case 2:*_
If n
>> One more observation was made here in another test case.
>> _*Configuration:*_
>> One old root CA certificate oldca.pem with subject name say, C=IN
>> One new root CA certificate newca.pem with same subject name.
>> One EE certificate, ee.pem issued by new root CA.
name say, C=IN
One new root CA certificate newca.pem with same subject name.
One EE certificate, ee.pem issued by new root CA.
_*Test case 1:*_
Using CAFile option in openssl verify of the ee.pem,
If oldca.pem is placed on top and newca.pem below, verification fails.
i.e., cat oldca.pem
Hi,
One more observation was made here in another test case.
*Configuration:*
One old root CA certificate oldca.pem with subject name say, C=IN
One new root CA certificate newca.pem with same subject name.
One EE certificate, ee.pem issued by new root CA.
*Test case 1:*
Using CAFile option in
On 9/13/2012 3:41 PM, Charles Mills wrote:
Would it make sense to delete the expired certificate from the Windows
store? Duplicate expired/non expired CA certificates sounds to me like a
problem waiting to happen.
/Charles/
Windows has built in support for using and checking time stamping
c
-us...@openssl.org [mailto:
>> owner-openssl-us...@openssl.org] *On Behalf Of *Charles Mills
>> *Sent:* Thursday, September 13, 2012 9:42 AM
>> *To:* openssl-users@openssl.org
>> *Subject:* RE: certificate validation issues with openssl 1.0.0 and
>> expired certificates i
>
> *From:* owner-openssl-us...@openssl.org [mailto:
> owner-openssl-us...@openssl.org] *On Behalf Of *Charles Mills
> *Sent:* Thursday, September 13, 2012 9:42 AM
> *To:* openssl-users@openssl.org
> *Subject:* RE: certificate validation issues with openssl 1.0.0 and
> expired
lto:owner-openssl-us...@openssl.org]
On Behalf Of Charles Mills
Sent: Thursday, September 13, 2012 9:42 AM
To: openssl-users@openssl.org
Subject: RE: certificate validation issues with openssl 1.0.0 and expired
certificates in cafile
Would it make sense to delete the expired certificate from the Windo
, September 13, 2012 12:49 AM
To: openssl-users@openssl.org
Subject: Re: certificate validation issues with openssl 1.0.0 and expired
certificates in cafile
Sending again as the previous email did not appear in list.
Is there some problem with the mailing list?
--
Ashok
On Wed, Sep 12, 2012 at
lidate its certificate:
>>
>> openssl s_client -connect www.google.com:443 -CAfile dump.crt
>>
>> When using openssl 0.9.8k or openssl 0.9.8x everything works as expected.
>>
>> When using openssl 1.0.0g or openssl 1.0.1c the certificate validation
>> fails wi
into a file. Then I use openssl to connect to Google and
> validate its certificate:
>
> openssl s_client -connect www.google.com:443 -CAfile dump.crt
>
> When using openssl 0.9.8k or openssl 0.9.8x everything works as expected.
>
> When using openssl 1.0.0g or openssl 1.0.1c the cer
Hi!
I wrote a small program which dumps all root certificates from Windows
certificate store into a file. Then I use openssl to connect to Google
and validate its certificate:
openssl s_client -connect www.google.com:443 -CAfile dump.crt
When using openssl 0.9.8k or openssl 0.9.8x everything
Hi Dave,
>>But even with that done/fixed in my test environment I DO get
>>verify error 24 invalid CA cert depth 1 (my only intermediate).
>>Is that what you're getting? If so, it looks like maybe the
>>'purpose' checks have been made stricter since the last time
>>I did this in test, where I have
Accidentally sent privately, copying to list for anyone else interested
> From: Dave Thompson [mailto:dthomp...@prinpay.com]
> Sent: Friday, 02 December, 2011 17:47
> To: 'Ashok C'
> Subject: RE: Usage of CAPath/CAFile options in int
> SSL_CTX_load_verify_locations Reg.
> work with -CAPath options? Internally does it use just
> > load_verify_locations(*,CAPath) ? Or does it translate
> > the hashes present in CAPath to X509 objects and then
> > use the use_certificate* APIs?
>
> s_server and s_client call _load_verify_locations, which u
with -CAPath options? Internally does it use just
> load_verify_locations(*,CAPath) ? Or does it translate
> the hashes present in CAPath to X509 objects and then
> use the use_certificate* APIs?
s_server and s_client call _load_verify_locations, which uses
CAfile and/or CApath to ver
shes present
in CAPath to X509 objects and then use the use_certificate* APIs?
To be more clear, is there any option in which we can use CAPath to "send"
certificates?
>>1. I doubt there's a bug in OpenSSL here; this is very widely
>>used functionality; both CAfile and CApath have w
ur openssl-based
> PKI solution and had the following query:
The usual term for what I think you mean is multi-LEVEL CAs,
or hierarchical CAs.
> Currently our PKI solution supports only single layer CA support
> and we use SSL_CTX_load_verify_locations API with the CAFile option,
the client?
P.S. My previous query also is unanswered. It would be great if I get some
responses to that also ;)
Regds,
Ashok
-- Forwarded message --
From: Ashok C
Date: Wed, Nov 23, 2011 at 12:55 PM
Subject: Usage of CAPath/CAFile options in int
SSL_CTX_load_verify_locations Reg
Hi,
We are implementing multi-layer support for our openssl-based PKI solution
and had the following query:
Currently our PKI solution supports only single layer CA support and we use
SSL_CTX_load_verify_locations API with the CAFile option, meaning that the
service loads the CA certificate from
On 2010-11-09, Dr. Stephen Henson wrote:
> On Tue, Nov 09, 2010, Jens Lechtenboerger wrote:
>
>> Hi there,
>>
>> I received an SMIME certificate and want to know the correct
>> filename to use in the command "openssl smime -verify -CAfile
>> ..."
On Tue, Nov 09, 2010, Jens Lechtenboerger wrote:
> Hi there,
>
> I received an SMIME certificate and want to know the correct
> filename to use in the command "openssl smime -verify -CAfile
> ..."
>
The hash based filename doesn't apply to the -CAfile option: y
Hi there,
I received an SMIME certificate and want to know the correct
filename to use in the command "openssl smime -verify -CAfile
..."
In my particular example,
openssl x509 -in smime.pem -issuer_hash -noout
results in 9ec3a561. However, if I use that certificate (available
a
I'm not sure, but shouldn't it be possible to simply use cat? Something
like:
cat ca1.pem ca2.pem ... caN.pem > CAfile.pem
But I might be wrong...
Regards
Carolin
[EMAIL PROTECTED] wrote:
> Hello everybody
>
> For some hours now I try to find out how to create CAfile (a
[EMAIL PROTECTED] wrote:
Hello everybody
For some hours now I try to find out how to create CAfile (a file with multiple
CAs inside, the one file counterpart of -CApath).
I need such a file for HTTPS client authentication together with the yaws webserver. In the yaws user guide they write
* [EMAIL PROTECTED] wrote on Wed, Mar 26, 2008 at 18:26 +0100:
> For some hours now I try to find out how to create CAfile (a
> file with multiple CAs inside, the one file counterpart of
> -CApath).
>
> Could anybody please give me an example
Not sure if I understand you right,
Hello everybody
For some hours now I try to find out how to create CAfile (a file with multiple
CAs inside, the one file counterpart of -CApath).
I need such a file for HTTPS client authentication together with the yaws
webserver. In the yaws user guide they write that
it is a plain old
You are right! I renamed the files and then c_rehash them. It seemed
that hash files were generated. And yes, I guess my *.crt files
actually already encoded in PEM format.
I am a newbie, and do not know much about CoSign. If you have
interest, you can check its website: www.weblogin.org :) This
Buffalo Dickens wrote:
Dear Ted, yes, I found that too. It just looks for *.pem files. I just
used the c_rehash from the source code package of openssl-0.9.8e. Is
it feasible for me to just rename file.crt to file.pem?
openssl usually does not rely on filenames or extensions, with only a
fe
ating system.
But for something completely different, is there any specific reason why
you want to use -CApath instead of -CAfile? The only reason I can think
of is working with hundreds of CA certificates...
Ted
;)
--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/
elp I'd need to know your version of openssl (output of
"openssl version") and maybe your operating system.
But for something completely different, is there any specific reason why
you want to use -CApath instead of -CAfile? The only reason I can think
of is working with hundreds of CA
sl verify -verbose -purpose sslclient -CApath
> /path/to/CA/ /path/to/cert.crt
> /path/to/cert.crt: /C=US/ST=America/L=CA/O=UC/OU=CS/CN=www.abc.org
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> [EMAIL PROTECTED] openssl verify -verbose -purpose sslclient -CAf
/CN=www.abc.org
error 20 at 0 depth lookup:unable to get local issuer certificate
[EMAIL PROTECTED] openssl verify -verbose -purpose sslclient -CAfile
/path/to/CA/ca.crt /path/to/cert.crt
/var/cosign/certs/cosignserver.crt: OK
I am not at all familiar with openssl and certificate. Please help me
at 0 depth lookup:unable to get local issuer certificate
[EMAIL PROTECTED] openssl verify -verbose -purpose sslclient -CAfile
/path/to/CA/ca.crt /path/to/cert.crt
/var/cosign/certs/cosignserver.crt: OK
I am not at all familiar with openssl and certificate. Please help me!
Any suggestion is welcome
How can I set the locations for trusted certificates?
***
Marc Boily
CGI inc.
Consultant - Bell Canada
Solutions Informatiques en Téléphonie / Computer Telephony Solutions
930 d'Aiguillon, bureau 520
Québec, G1R 5M9
Tel.: (418) 691-1120
Fax.: (418) 691-3578
Title: RE: cafile question
I would like to add that I have the same questions as below and look forward to seeing this answered.
Thanks,
Kevin
-Original Message-
From: Mel [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 30, 2000 1:25 PM
To: [EMAIL PROTECTED]
Subject: cafile question
erous to have cert file exposed?
>
> 2) is there anyway to embed the cafile in my app? if so how?
>
> i don't seem to find my answer in the docs
>
> many thanks,
> Mel
>
> __
> Do You Yahoo!?
>
I am a newbie.
I am planning to ship my application and have the following questions:
1) Is it ok to send the cert file along with my application? If so, can
it be dangerous to have the cert file exposed?
2) Is there any way to embed the cafile in my app? If so, how?
I don't seem to find my a