Re: SSL_connect with TLS 1.3 and client Certificates

2021-07-14 Thread Christian Schmidt
On 14/07/2021 13:31, Matt Caswell wrote: > > > On 13/07/2021 19:44, Christian Schmidt wrote: >> Hello all, >> >> I am currently trying to build both client and server of an application >> that uses TLS 1.3 and mutual authentication using certificates. The >> application works so far - I can

Re: SSL_connect with TLS 1.3 and client Certificates

2021-07-14 Thread Matt Caswell
On 13/07/2021 19:44, Christian Schmidt wrote: Hello all, I am currently trying to build both client and server of an application that uses TLS 1.3 and mutual authentication using certificates. The application works so far - I can establish connections, certificates are verified, data is

SSL_connect with TLS 1.3 and client Certificates

2021-07-13 Thread Christian Schmidt
Hello all, I am currently trying to build both client and server of an application that uses TLS 1.3 and mutual authentication using certificates. The application works so far - I can establish connections, certificates are verified, data is successfully transmitted, etc. However, I have an

Re: [openssl-users] Preventing Handshake Termination Because of Unverifiable Client Certificates

2018-09-11 Thread Viktor Dukhovni
thing you want to pass to SSL_CTX_set_client_CA_list(3) See the docs. Some clients (IIRC Java's TLS stack) don't send any client certificates unless the server solicits a certificate from a matching CA, and leaving the list empty may not work for such clients. -- Viktor. -- openssl-users mailing list

Re: [openssl-users] Preventing Handshake Termination Because of Unverifiable Client Certificates

2018-09-11 Thread Armen Babikyan
> On Sep 11, 2018, at 2:09 AM, Armen Babikyan > wrote: > > > > I have a question regarding openssl and verification of client > certificates. Is there a way to have an openssl-enabled server ask for a > client certificate, and when it receives one it can't verify, ra

Re: [openssl-users] Preventing Handshake Termination Because of Unverifiable Client Certificates

2018-09-11 Thread Viktor Dukhovni
> On Sep 11, 2018, at 2:09 AM, Armen Babikyan wrote: > > I have a question regarding openssl and verification of client certificates. > Is there a way to have an openssl-enabled server ask for a client > certificate, and when it receives one it can't verify, rather than

[openssl-users] Preventing Handshake Termination Because of Unverifiable Client Certificates

2018-09-11 Thread Armen Babikyan
Hello, I have a question regarding openssl and verification of client certificates. Is there a way to have an openssl-enabled server ask for a client certificate, and when it receives one it can't verify, rather than immediately terminating the handshake, it would allow the connection, but pass

Re: [openssl-users] Hardware client certificates moving to Centos 7

2017-09-28 Thread Robert Moskowitz
ttings allows the reading of Md5 Client certificates (which are still being installed in "not released yet" phones) I am almost concerned this is being done intentionally to meet some security downgrade requirement. I the more reason to only use this cert to bootstrap your own cer

Re: [openssl-users] Hardware client certificates moving to Centos 7

2017-09-28 Thread Stuart Marsden
Hi thanks for all the comments and suggestions, especially the ones I could understand centos 7 yum upgrade openssl version gives: OpenSSL 1.0.2k-fips 26 Jan 2017 it looks like echo 'LegacySigningMDs md5' >> /etc/pki/tls/legacy-settings allows the reading of Md5 Client certif

Re: [openssl-users] Hardware client certificates moving to Centos 7

2017-09-27 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > Of Jeffrey Walton > Sent: Wednesday, September 27, 2017 13:15 > To: OpenSSL Users > Subject: Re: [openssl-users] Hardware client certificates moving to Centos 7 > > > > > Heck, MD4 and MDC

Re: [openssl-users] Hardware client certificates moving to Centos 7

2017-09-27 Thread Jochen Bern
On 09/27/2017 10:10 PM, Michael Wojcik wrote: > On Behalf Of Jochen Bern > Sent: Wednesday, September 27, 2017 06:51 >> I don't know offhand which OpenSSL versions did away with MD5, but you >> *can* install an 0.9.8e (+ RHEL/CentOS backported security patches) >> straight off CentOS 7 repos > >

Re: [openssl-users] Hardware client certificates moving to Centos 7

2017-09-27 Thread Freemon Johnson
FIPS mode is a policy decision in my opinion also but since RedHat prides itself in security e.g. SELinux, etc. I believe that is a RedHat decision as opposed to the OpenSSL community. The alternative would be to use a different Linux distro like Ubuntu, etc. which does not compile their OpenSSL

Re: [openssl-users] Hardware client certificates moving to Centos 7

2017-09-27 Thread Jeffrey Walton
>> I don't know offhand which OpenSSL versions did away with MD5, but you >> *can* install an 0.9.8e (+ RHEL/CentOS backported security patches) >> straight off CentOS 7 repos: > > Ugh. No need for 0.9.8e (which is from, what, the early Industrial > Revolution?). MD5 is still available in OpenSSL

Re: [openssl-users] Hardware client certificates moving to Centos 7

2017-09-27 Thread Freemon Johnson
rs@openssl.org > > Subject: Re: [openssl-users] Hardware client certificates moving to > Centos 7 > > > > I don't know offhand which OpenSSL versions did away with MD5, but you > > *can* install an 0.9.8e (+ RHEL/CentOS backported security patches) > > straight off Ce

Re: [openssl-users] Hardware client certificates moving to Centos 7

2017-09-27 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > Of Jochen Bern > Sent: Wednesday, September 27, 2017 06:51 > To: openssl-users@openssl.org > Subject: Re: [openssl-users] Hardware client certificates moving to Centos 7 > > I don't know offhand w

Re: [openssl-users] Hardware client certificates moving to Centos 7

2017-09-27 Thread Jochen Bern
On 09/27/2017 02:07 PM, Stuart Marsden wrote: > Is there a way I can install a version of openssl on a dedicated standalone > Centos 7 server which will support these phones? > That would be preferable to me than having to leave Centos 6 servers just > for this I don't know

Re: [openssl-users] Hardware client certificates moving to Centos 7

2017-09-27 Thread Robert Moskowitz
On 09/27/2017 08:07 AM, Stuart Marsden wrote: Hi I think I know what you are going to say - MD5? Lots of problems with that cert. If you have some connection with the vendor, have them read IEEE 802.1AR-2009 standard for Device Identity credentials. You will be supporting this phone

Re: [openssl-users] Hardware client certificates moving to Centos 7

2017-09-27 Thread Stuart Marsden
Hi I think I know what you are going to say - MD5? I ran openssl s_server -verify , then ran the x509 command as you suggested using the captured client certificate This phone model has only just gone into production, and I am using a "preview version" of the hardware Is there a way I can

Re: [openssl-users] Hardware client certificates moving to Centos 7

2017-09-26 Thread Robert Moskowitz
On 09/26/2017 08:04 PM, Kyle Hamilton wrote: openssl x509 -noout -text -in clientcertificate.pem You may need to extract the client certificate from wireshark, but you could also get it from openssl s_server. Specifically, that error message is suggesting that there's a message digest

Re: [openssl-users] Hardware client certificates moving to Centos 7

2017-09-26 Thread Kyle Hamilton
openssl x509 -noout -text -in clientcertificate.pem You may need to extract the client certificate from wireshark, but you could also get it from openssl s_server. Specifically, that error message is suggesting that there's a message digest encoded into the certificate which is unknown to the

Re: [openssl-users] Hardware client certificates moving to Centos 7

2017-09-26 Thread Robert Moskowitz
On 09/26/2017 11:26 AM, Stuart Marsden wrote: Hi I have Centos/Apache servers for securely provisioning IP phones using hardware client certificates embedded in the phones. for this test I have allowed all protocols and ciphers on Centos 6 this works fine, the rpms are: openssl098e-0.9.8e

Re: [openssl-users] Hardware client certificates moving to Centos 7

2017-09-26 Thread Stuart Marsden
Sorry how can I tell ? I can run a wireshark if necessary thanks > On 26 Sep 2017, at 16:36, Wouter Verhelst wrote: > > On 26-09-17 17:26, Stuart Marsden wrote: >> [ssl:info] [pid 1611] SSL Library Error: error:0D0C50A1:asn1 encoding >>

Re: [openssl-users] Hardware client certificates moving to Centos 7

2017-09-26 Thread Wouter Verhelst
On 26-09-17 17:26, Stuart Marsden wrote: > [ssl:info] [pid 1611] SSL Library Error: error:0D0C50A1:asn1 encoding > routines:ASN1_item_verify:unknown message digest algorithm So which message digest algorithm is the client trying to use? -- Wouter Verhelst -- openssl-users mailing list To

[openssl-users] Hardware client certificates moving to Centos 7

2017-09-26 Thread Stuart Marsden
Hi I have Centos/Apache servers for securely provisioning IP phones using hardware client certificates embedded in the phones. for this test I have allowed all protocols and ciphers on Centos 6 this works fine, the rpms are: openssl098e-0.9.8e-20.el6.centos.1.x86_64 openssl-1.0.1e-57.el6

Re: mod_ssl - client certificates broken after yum update of openssl

2014-06-18 Thread Nelson
On Tue, 6/17/14, Viktor Dukhovni openssl-us...@dukhovni.org wrote: Subject: Re: mod_ssl - client certificates broken after yum update of openssl To: openssl-users@openssl.org Date: Tuesday, June 17, 2014, 10:53 PM On Tue, Jun 17, 2014 at 06:48

Re: mod_ssl - client certificates broken after yum update of openssl

2014-06-18 Thread Viktor Dukhovni
-CAfile /home/ssl/ca_master You need to use either the -verify or the -Verify option to request or demand client certificates. The server should be using the server certificate, not the client certificate. Then use s_client with a suitable certificate. Signature Algorithm

Re: mod_ssl - client certificates broken after yum update of openssl

2014-06-18 Thread Nelson
On Wed, 6/18/14, Viktor Dukhovni openssl-us...@dukhovni.org wrote: Subject: Re: mod_ssl - client certificates broken after yum update of openssl To: openssl-users@openssl.org Date: Wednesday, June 18, 2014, 11:08 AM On Wed, Jun 18, 2014 at 07

mod_ssl - client certificates broken after yum update of openssl

2014-06-17 Thread Nelson
Perfectly working VM running Amazon Linux with Apache and mod_ssl configured for client certificates. Ran yum update to get the latest openssl (OpenSSL 1.0.1h-fips 5 Jun 2014)/mod_ssl(2.2.27 )/httpd(2.2.27) security updates from Amazon's yum repository. Now the client certificate checks

Re: mod_ssl - client certificates broken after yum update of openssl

2014-06-17 Thread Viktor Dukhovni
On Tue, Jun 17, 2014 at 06:48:28PM -0700, Nelson wrote: Perfectly working VM running Amazon Linux with Apache and mod_ssl configured for client certificates. Ran yum update to get the latest openssl (OpenSSL 1.0.1h-fips 5 Jun 2014)/mod_ssl(2.2.27 )/httpd(2.2.27) security updates from

RE: Help with client certificates

2012-07-27 Thread Fili, Tom
: Thursday, July 26, 2012 6:42 PM To: openssl-users@openssl.org Subject: Re: Help with client certificates On Wed, Jul 25, 2012, Fili, Tom wrote: I'm trying to setup my application to allow for the use of client certificates. I am using the capi engine to pull from the Windows store. I setup my ssl

Help with client certificates

2012-07-26 Thread Fili, Tom
I'm trying to setup my application to allow for the use of client certificates. I am using the capi engine to pull from the Windows store. I setup my ssl connection and it works fine if I set the correct certificate using SSL_CTX_use_certificate_ASN1 ENGINE_load_private_key. From what I've read

Filtering client certificates

2012-07-26 Thread Fili, Tom
I need to figure out which client certificates are issued by valid CAs (according to the server). I set a callback with SSL_CTX_set_client_cert_cb In the callback I get the list of CAs from the server with STACK_OF(X509_NAME) *pX509Names = SSL_get_client_CA_list(ssl) Now I have

Re: Help with client certificates

2012-07-26 Thread Dr. Stephen Henson
On Wed, Jul 25, 2012, Fili, Tom wrote: I'm trying to setup my application to allow for the use of client certificates. I am using the capi engine to pull from the Windows store. I setup my ssl connection and it works fine if I set the correct certificate using SSL_CTX_use_certificate_ASN1

Re: Diffie-Hellman and client certificates...

2012-05-01 Thread Dr. Stephen Henson
Certificate Request Server Hello Done Client: client never responds Wrong ciphersuite. Client certificates cannot be requested by anon DH ciphersuites. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org

Re: Re: client certificates suddenly not accepted anymore: squid: SSL unknown certificate error 12 - User error, not a library error

2012-03-06 Thread Marcus . Daniel
I just want to wrap up my problem so that others can learn from my ignorance: Squid's logs aren't very verbose, so I only got SSL unknown certificate error 12 , when it suddenly wouldn't accept my client certificates anymore. That's the same error you get when a certificate has expired

client certificates suddenly not accepted anymore: squid: SSL unknown certificate error 12

2012-03-05 Thread Marcus . Daniel
I am using squid as a reverse proxy with client certificates and everything was working fine for a month. But after 02 MAR 2012 17:56 CET client certificates stopped working even though my self signed ca and certificates are valid way longer. I think it might be an openssl problem, but feel free

Re: client certificates suddenly not accepted anymore: squid: SSL unknown certificate error 12

2012-03-05 Thread Marcus . Daniel
I probably shouldn't have posted so hastily. Now I think that it is more of a squid problem, because if I put stunnel in front of it, stunnel handles the certificates fine. pfSense 2.0.1 (FreeBSD 8.1-RELEASE-p6) stunnel-4.35 openssl-1.0.0_5

Re: impact of client certificates to re-negotiation attack

2010-01-19 Thread Steffen DETTMER
* Kyle Hamilton wrote on Thu, Jan 14, 2010 at 12:03 -0800: * Steffen asked... ...on this level [thanks a lot again for all the clarifications: authentication levels, authentication-agnostic, URI-dependent certificates, bugfix because missed intention, MITM tricks twitter to decrypt and

Re: impact of client certificates to re-negotiation attack

2010-01-14 Thread Kyle Hamilton
: there is no way for a man in the middle to attack in the presence of mutual authentication. I thought this data injection attack fails when client certificates would be used correctly. It does, in the event that the server configuration does not allow for non-client-certificated connections in any

Re: impact of client certificates to re-negotiation attack

2010-01-13 Thread Steffen DETTMER
this how TLS is intended to be used and the `add a certificate based on a directory' just some hack because the user interfaces are as they are (and that are passwords and BasicAuth when it comes to HTTP/HTTPS)? I thought this data injection attack fails when client certificates would be used

impact of client certificates to re-negotiation attack (was: Re: Re-negotiation handshake failed: Not accepted by client!?)

2010-01-12 Thread Steffen DETTMER
Hi, thank you too for the detailed explanation. But the impact on the client certificates (and its correct validation etc) is not clear to me (so I ask inline in the second half of this mail). * Kyle Hamilton wrote on Mon, Jan 11, 2010 at 14:28 -0800: The most succinct answer

Re: impact of client certificates to re-negotiation attack (was: Re: Re-negotiation handshake failed: Not accepted by client!?)

2010-01-12 Thread aerowolf
Responses inline. :) On Tue, Jan 12, 2010 at 3:12 AM, Steffen DETTMER steffen.dett...@ingenico.com wrote: Hi, thank you too for the detailed explanation. But the impact on the client certificates (and its correct validation etc) is not clear to me (so I ask inline in the second half

Can I use self-signed client certificates to access ANY secure site?

2009-07-15 Thread Rij
Hi All, I am absolutely new to this world of SSL, as will be evident from my confusions and questions. I am trying to write a client that will securely connect to N web servers every T seconds, and retrieve a document: info.txt. To test it, I wrote the following code (borrowed from:

RE: Can I use self-signed client certificates to access ANY secure site?

2009-07-15 Thread David Schwartz
Rij wrote: Hi All, I am absolutely new to this world of SSL, as will be evident from my confusions and questions. I am trying to write a client that will securely connect to N web servers every T seconds, and retrieve a document: info.txt. To test it, I wrote the following code

RE: Client Certificates

2008-10-07 Thread Dave Thompson
From: [EMAIL PROTECTED] On Behalf Of Felix Ingram Sent: Saturday, 04 October, 2008 10:27 2008/10/4 Dave Thompson [EMAIL PROTECTED]: The actual failure is the alert 48 unknown ca from the server. Apparently it doesn't like the cert (or chain) s_client is sending, but the protocol doesn't

RE: Client Certificates

2008-10-04 Thread Dave Thompson
From: [EMAIL PROTECTED] On Behalf Of Felix Ingram Sent: Tuesday, 30 September, 2008 10:08 I'm having a little trouble testing out some web services for a client. They have provided us with a couple of pfx certificate files to allow us to authenticate to their web servers. snip openssl

Re: Client Certificates

2008-10-04 Thread Felix Ingram
Hi Dave, 2008/10/4 Dave Thompson [EMAIL PROTECTED]: From: [EMAIL PROTECTED] On Behalf Of Felix Ingram Sent: Tuesday, 30 September, 2008 10:08 I'm having a little trouble testing out some web services for a client. They have provided us with a couple of pfx certificate files to allow us to

Re: Client Certificates

2008-10-01 Thread Felix Ingram
2008/10/1 vinni rathore [EMAIL PROTECTED]: Hello, As your problem says that you are getting local issuer certificate problem that means that client certificate is signed with a particular CA certificate and that certificate is not found at the time of Handshaking.. so please confirm that

Re: Client Certificates

2008-10-01 Thread Patrick Patterson
Hi Felix Felix Ingram wrote: 2008/10/1 vinni rathore [EMAIL PROTECTED]: Hello, As your problem says that you are getting local issuer certificate problem that means that client certificate is signed with a particular CA certificate and that certificate is not found at the time of

Client Certificates

2008-09-30 Thread Felix Ingram
Hello all, I'm having a little trouble testing out some web services for a client. They have provided us with a couple of pfx certificate files to allow us to authenticate to their web servers. I can import this into IE and connect to the site without any trouble but when I try and use s_client I

How to load multiple client certificates

2006-01-23 Thread Konark
Hi ALL, Is there any function to load multiple client certificates ? Consider the case that There are multiple certificates to client It should chose one of the certificate appropriate for particular server . It depends the server CA list sent by server. Please

Re: How to load multiple client certificates

2006-01-23 Thread Peter Sylvester
Konark wrote: Hi ALL, Is there any function to load multiple client certificates ? Consider the case that There are multiple certificates to client It should chose one of the certificate appropriate for particular server

RE: Is it legal to distribute the client certificates from Netscape with a comme

2004-12-07 Thread David Schwartz
Eric Wertz wrote: As far as the (re)distribution question has goes, what you probably cannot do without permission is to redistribute the actual *package* of certificates that Netscape has put together for the purpose of embedding in their browser. Since the overwhelming majority (if

Re: Is it legal to distribute the client certificates from Netscape with a commercial app

2004-12-06 Thread Ken Goldman
I want to do a commercial client application capable to handle https (that is the only purpose to include openssl) and I was wondering if it is legal to distribute the file that contains the certificates that were bundled with Netscape. I am not a lawyer. Actually, can a company X generate

Re: Is it legal to distribute the client certificates from Netscape with a comme

2004-12-06 Thread Eric Wertz
I want to do a commercial client application capable to handle https (that is the only purpose to include openssl) and I was wondering if it is legal to distribute the file that contains the certificates that were bundled with Netscape. I am not a lawyer. Not only am I also not a lawyer, I

Re: Is it legal to distribute the client certificates from Netscape with a comme

2004-12-06 Thread Heikki Toivonen
Eric Wertz wrote: As far as the (re)distribution question has goes, what you probably cannot do without permission is to redistribute the actual *package* of certificates that Netscape has put together for the purpose of embedding in their browser. Since the overwhelming majority (if not 100%)

RE: Is it legal to distribute the client certificates from Netscape with a commercial app

2004-12-05 Thread Biker Conrad
I think I got things mixed up. When I sent the email I thought that the client application needs its own certificate as well, in order to communicate with a server using https... I guess I was wrong. I realize now that the certificates distributed with Netscape serve the purpose of verifying the

Is it legal to distribute the client certificates from Netscape with a commercial app

2004-12-04 Thread Biker Conrad
I want to do a commercial client application capable to handle https (that is the only purpose to include openssl) and I was wondering if it is legal to distribute the file that contains the certificates that were bundled with Netscape. Actually, can a company X generate their own certificates to

RE: Is it legal to distribute the client certificates from Netscape with a commercial app

2004-12-04 Thread David Schwartz
I want to do a commercial client application capable to handle https (that is the only purpose to include openssl) and I was wondering if it is legal to distribute the file that contains the certificates that were bundled with Netscape. I'm not sure I understand what you are looking

Re: Is it legal to distribute the client certificates from Netscape with a commercial app

2004-12-04 Thread Paromita Sylvia Adacare
Interesting question - NO it is illegal. Biker Conrad [EMAIL PROTECTED] wrote: I want to do a commercial client application capable to handle https (that is the only purpose to include openssl) and I was wondering if it is legal to distribute the file that contains the certificates that were bundled

Client certificates with IIS 5.1

2004-10-26 Thread Jas Amidzic
I have IIS 5.1 running with the server certificate that has been certified by a CA supported by openssl. I have also created arbitrary client certificate that has been signed by the same CA. The client certificate has been successfully imported in to IE and Firefox as a personal certificate. But

Re: Setting the key usage for client certificates

2004-05-25 Thread Olaf Gellert
Marcus Carey wrote: When creating client certificates with following extensions: basicContraintsCA:FALSE nsComment OpenSSL Generated Certificate subjectKeyIdentifier hash authoritiyKeyIdentifier keyid,issuer:always keyUsage

Setting the key usage for client certificates

2004-05-24 Thread Marcus Carey
When creating client certificates with following extensions: basicContraintsCA:FALSE nsComment OpenSSL Generated Certificate subjectKeyIdentifier hash authoritiyKeyIdentifier keyid,issuer:always keyUsage nonrepudiation,digitalsignature

Re: client certificates and Net::SSLeay

2003-11-12 Thread Stella Power
ok I think I figured out one problem - the client side was using a cert signed with a password protected key, which my script was unable to deal with. Having fixed that, I am now getting error 140890B2 : SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned on the server side. and

Re: client certificates and Net::SSLeay

2003-11-12 Thread Stella Power
ok never mind, got it working. My server certificate had expired. Thanks for all your help. Stella On Wed, Nov 12, 2003 at 01:23:15PM +, Stella Power wrote: ok I think I figured out one problem - the client side was using a cert signed with a password protected key, which my script was

RE: Re: How do one add a client certificates on a p800 Symbian 7.0 (Sony Ericsson)

2003-06-03 Thread Pär Ahrén
To a p800 using different technics both using a file and downloading it from a web page. Trying different extensions and MIME types but no luck ... --- Original message --- From: Dr. Stephen Henson [EMAIL PROTECTED] Subject: Re: How do one add a client certificates on a p800

Re: How do one add a client certificates on a p800 Symbian 7.0 (Sony Ericsson)

2003-05-29 Thread Dr. Stephen Henson
On Wed, May 28, 2003, Pär Ahrén wrote: Hi, I have searched on the net for hours but have not found the right information. I have succeeded added a CA-certificate using a DER encoded file. I have tried to add a client certificate using different formats but no luck! I have even tried to

How do one add a client certificates on a p800 Symbian 7.0 (Sony Ericsson)

2003-05-28 Thread Pär Ahrén
Hi, I have searched on the net for hours but have not found the right information. I have succeeded added a CA-certificate using a DER encoded file. I have tried to add a client certificate using different formats but no luck! I have even tried to make a WTLS like certificate but that doesn't

Creating self signed client certificates

2003-02-23 Thread Pj
Please help, I need to test client certificate authorization on my OBI implementation but I'm darned if I can get Internet explorer to accept my self signed certificates, my certificates are imported successfully but the browser presents an empty certificate window when I hit my webserver

RE: Question about auth with client certificates

2002-09-24 Thread Jeffrey Altman
There are two things you need to do: authenticate and then authorize. C-Kermit provides hooks to organizations in the form of two functions: X509_to_user() - who does this certificate represent X509_userok() - may the user gain access with this certificate C-Kermit provides two

Re: Question about auth with client certificates

2002-09-23 Thread Christian Pohl
Gastón Christen wrote: Hi, I'm new in the apache/openssl world and I have a question (maybe it's me but I don't understand something about client certificates authentication in Apache) I have Apache 2.40 with openssl 0.9.6g running in my win32 machine without a problem. I want to establish

RE: apache with client certificates

2002-09-19 Thread Gastón Christen
Hi, I'm new in the apache/openssl world and I have a question (maybe it's me but I don't understand something about client certificates authentication in Apache) I have Apache 2.40 with openssl 0.9.6g running in my win32 machine without a problem. I want to establish an extranet, and let users

RE: apache with client certificates

2002-09-19 Thread Jose Correia (J)
Thanks Paul, I'm busy looking at PureTLS as a solution. -Original Message- From: Paul L. Allen [mailto:[EMAIL PROTECTED]] Sent: 18 September 2002 19:53 To: [EMAIL PROTECTED] Subject: Re: apache with client certificates Jose Correia (J) wrote: [...] On my Java side I'm using JSSE

RE: apache with client certificates

2002-09-18 Thread Jose Correia (J)
: apache with client certificates Hi there I set the depth to 1 and I do have my cache set to: SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache SSLSessionCacheTimeout 300 SSLMutex file:/usr/local/apache/logs/ssl_mutex Still not working... Argghhh, this is so frustrating... any other

RE: apache with client certificates

2002-09-18 Thread Jose Correia (J)
To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: apache with client certificates Hi all I'm actually now getting in ssl_engine.log: [18/Sep/2002 14:41:57 32739] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known

Re: apache with client certificates

2002-09-18 Thread Paul L. Allen
Jose Correia (J) wrote: [...] On my Java side I'm using JSSE 1.0.3 together with Innovation's HTTPClient like: That's probably your problem. I tried to get a Java/JSSE client to do client-side authentication with a C/OpenSSL server recently and couldn't get it to work. I posted a query

RE: apache with client certificates

2002-09-18 Thread Patrick Tronnier
, printed or electronic. -Original Message- From: Jose Correia (J) [mailto:[EMAIL PROTECTED]] Sent: Wednesday, September 18, 2002 8:54 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: apache with client certificates Actually how does Apache know about the client certificate

Re: apache with client certificates

2002-09-17 Thread Xperex Tim
I am using Apache 1.3.26 with OpenSSL 0.9.6c and client authentication works for me. I have SSLVerifyDepth set to 1 and specified an SSLSessionCache but otherwise my setup is roughly the same as yours. --- Jose Correia (J) [EMAIL PROTECTED] wrote: Hi all Is anyone aware of Apache version

Client certificates

2002-07-30 Thread Svein E. Seldal
Hi, I have a CA, and I have a web server. The web server's cert is signed by the CA. On this server I want to only allow those clients which have valid cert's for accessing it (no anonymous access that is). In apache this is done by adding a list of the user's certs. This is fairly simple. If I

Re: Requiring client certificates - how?

2002-07-11 Thread M.E. Post
- Original Message - From: David C. Tuttle [EMAIL PROTECTED] To: OpenSSL [EMAIL PROTECTED] Sent: Thursday, July 11, 2002 1:13 AM Subject: Re: Requiring client certificates - how? On Wed, 10 Jul 2002, Keary Suska wrote: on 7/10/02 4:33 PM, [EMAIL PROTECTED] purportedly said: How

Creating client certificates with OpenSSL on Win2000 Advanced Server.

2002-04-03 Thread fatih . dokmeci
do this with openssl but I could not find enough documentation for this. * So if anyone can help me for creating and managing client certificates in a step by step format I will be really happy. * Any other suggestion and ideas for client authentication in our situation will also

Creating client certificates

2002-03-13 Thread Steve Boals
So I created a cert request with IIS 5.0 and signed the cert with my Red Hat Linux box. I installed the cert and all works well. Now I want to require client certificates on the IIS box. How do I go about creating client certs? I would like to do the creation on the Linux box

Re: Creating and Installing Client Certificates - ??

2002-01-10 Thread Bear Giles
I would like to have a user open a webpage and supply DN info. I would then like the CGI client-side scripts to request a certificate from OpenSSL on the server (Linux) side, return it to the client and have it imported into the client's (MSIE/Win2K) store. As an aside, this is exactly

Client certificates and IIS (403.7 error)

2001-10-15 Thread Jared Clinton
Dear Openssl users, In a windows 2000 environment I am attempting to create 1- Root CA 2- IIS https cert 3- multiple client certificates. (to install on IE browsers) I seem to be able to do the above, although when attempting to use my client certs I receive a 403.7 error The root cert

Signing Browser Client Certificates

2001-09-26 Thread Christopher L. Everett
Hello again: I read the OSPKI book, which pointed me at the sign.sh script which helped quite a bit. I'm wondering if anyone can help me with a few specifics. So far, how I understand a certificate request gets signed is: 1) put the CSR into a file. 2) generate a configuration file that

Web Client Certificates (Apache-IIS)

2001-09-21 Thread Andres Pastor, Nuria
Hi, Can the web client certificates generated for an Apache Server be used against an IIS Server if we transform the certificate format from Apache to IIS? Many Thanks. Nuria _ Uni2 - Lince Telecomunicaciones, S.A.U. Aviso

Client certificates on smart card ?

2001-05-02 Thread Rainer Kaufmann
Hello, I have a question using certificates when using client authentication on server side. Normally the client's X509 certificate is stored on the local harddisk and SSL_CTX_use_certificate_file is used to tell the library where it can be found, is that right ? Is it possible to 'forward' an

asking for client certificates

2001-03-12 Thread Alan McIlwain Perez
Hi, I have a server with openssl 0.9.6. When someone makes a connection to it, I'd like it to request for a client certificate. I am using the function SSL_get_peer_certificate( ) once the handshake is finished, after the call to SSL_accept( ). Every time I get "client does not have a

Re: asking for client certificates

2001-03-12 Thread jkunz
On 12 Mar, Alan McIlwain Perez wrote: I am using the function SSL_get_peer_certificate( ) once the handshake is finished, after the call to SSL_accept( ). Every time I get "client does not have a certificate". You have to enable client verification first: SSL_CTX_set_verify( sslctx,

Re: asking for client certificates

2001-03-12 Thread Alan McIlwain Perez
? Thanks, Alan - Original Message - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, March 12, 2001 2:00 PM Subject: Re: asking for client certificates On 12 Mar, Alan McIlwain Perez wrote: I am using the function SSL_get_peer_certificate( ) once the handshake is finished

creating client certificates

2001-03-12 Thread Dan Diodati
I've been trying to create a client certificate for IE or Netscape that can be used to verify a user. For testing I created a CA certificate which I used to sign a client and server certificate. I created the client and server certificates using the openssl command. I can load the CA certificate

RE: Client certificates: Key store per workstation, not per user?

2001-03-10 Thread Derek.Browne
, March 10, 2001 2:58 AM ::To: [EMAIL PROTECTED] ::Subject: Re: Client certificates: Key store per workstation, not per ::user? :: :: ::So users sharing passwords are at least limited to within an organisation. ::Sounds perfectly reasonable. :: ::I don't know the ins and outs of your client base but I did

Re: Client certificates: Key store per workstation, not per user?

2001-03-10 Thread bruce cartland
of PKI At the moment I'm inclined to think that no-one shares certs and we all become our own root CA!!! - Original Message - From: "Derek.Browne" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Sunday, March 11, 2001 3:48 AM Subject: RE: Client certificates: Key store per w

Re: Client certificates: Key store per workstation, not per user?

2001-03-10 Thread Dj Browne
.txt Later, derek : :- Original Message - :From: "Derek.Browne" [EMAIL PROTECTED] :To: [EMAIL PROTECTED] :Sent: Sunday, March 11, 2001 3:48 AM :Subject: RE: Client certificates: Key store per workstation, not per user? : : : Hi, : : This is an interesting problemYou said someth

RE: Client certificates: Key store per workstation, not per user?

2001-03-09 Thread Rainer . Hoerbe
the security threat #1. Second, I think, that without client-certificates man-in-the-middle attacks are possible, using tools like dsniff. Hence, lacking smart cards, an authentication scheme using userid/pw plus client certificates werde devised. An administrator can only download and install

Re: Client certificates: Key store per workstation, not per user?

2001-03-09 Thread Greg Stark
Rainer, You write, "...Second, I think, that without client-certificates man-in-the-middle attacks are possible, using tools like dsniff." and this is not correct. As long as the client does proper checking of the server certificate AND you use SSLv3 or h

RE: Client certificates: Key store per workstation, not per user?

2001-03-09 Thread Rainer . Hoerbe
I need to use the client certificates with IE. I will have a look into the crypto API. Thanks rainer -Original Message- From: Greg Stark [mailto:[EMAIL PROTECTED]] Sent: Freitag, 9. März 2001 18:34 To: [EMAIL PROTECTED] Subject: Re: Client certificates: Key store per workstation

Re: Client certificates: Key store per workstation, not per user?

2001-03-09 Thread bruce cartland
PROTECTED] Sent: Saturday, March 10, 2001 4:55 AM Subject: RE: Client certificates: Key store per workstation, not per user? I need to use the client certificates with IE. I will have a look into the crypto API. Thanks rainer -Original Message- From: Greg Stark [mailto:[EMAIL

Client certificates from private CA, with Outlook or Outlook Express

2001-02-14 Thread Tim Small
Hi, I'm wondering if anyone can shed any light on a problem I'm having with Outlook Express? Apologies for posting a load of debug output to the list, but I didn't really know what was safe to omit. I'm trying to setup secure IMAP, using stunnel (stage 2 is to go for secure SMTP as well,

Re: Client certificates from private CA, with Outlook or Outlook Express

2001-02-14 Thread Lutz Jaenicke
/home/tim/server_cert3_pub_priv.pem -d simap -r imap2 simap i.e. redirect to local imap port, listen on simap port (993), and insist on client certificate authentication. I don't think UofW imapd supports client certificates, but see below... In Outlook 2000, and Outlook Express 5 (under Win98, with a
