Re: SSL_connect with TLS 1.3 and client Certificates

On 14/07/2021 13:31, Matt Caswell wrote: > > > On 13/07/2021 19:44, Christian Schmidt wrote: >> Hello all, >> >> I am currently trying to build both client and server of an application >> that uses TLS 1.3 and mutual authentication using certificates. The >> application works so far - I can

Re: SSL_connect with TLS 1.3 and client Certificates

On 13/07/2021 19:44, Christian Schmidt wrote: Hello all, I am currently trying to build both client and server of an application that uses TLS 1.3 and mutual authentication using certificates. The application works so far - I can establish connections, certificates are verified, data is

SSL_connect with TLS 1.3 and client Certificates

Hello all, I am currently trying to build both client and server of an application that uses TLS 1.3 and mutual authentication using certificates. The application works so far - I can establish connections, certificates are verified, data is successfully transmitted, etc. However, I have an

Re: [openssl-users] Preventing Handshake Termination Because of Unverifiable Client Certificates

thing you want to pass to SSL_CTX_set_client_CA_list(3) See the docs. Some clients (IIRC Java's TLS stack) don't send any client certificates unless the server solicits a certificate from a matching CA, and leaving the list empty may not work for such clients. -- Viktor. -- openssl-users mailing list

Re: [openssl-users] Preventing Handshake Termination Because of Unverifiable Client Certificates

gt; On Sep 11, 2018, at 2:09 AM, Armen Babikyan > wrote: > > > > I have a question regarding openssl and verification of client > certificates. Is there a way to have an openssl-enabled server ask for a > client certificate, and when it receives one it can't verify, ra

Re: [openssl-users] Preventing Handshake Termination Because of Unverifiable Client Certificates

> On Sep 11, 2018, at 2:09 AM, Armen Babikyan wrote: > > I have a question regarding openssl and verification of client certificates. > Is there a way to have an openssl-enabled server ask for a client > certificate, and when it receives one it can't verify, rather than

[openssl-users] Preventing Handshake Termination Because of Unverifiable Client Certificates

Hello, I have a question regarding openssl and verification of client certificates. Is there a way to have an openssl-enabled server ask for a client certificate, and when it receives one it can't verify, rather than immediately terminating the handshake, it would allow the connection, but pass

Re: [openssl-users] Hardware client certificates moving to Centos 7

ttings allows the reading of Md5 Client certificates (which are still being installed in "not released yet" phones) I am almost concerned this is being done intentionally to meet some security downgrade requirement. I the more reason to only use this cert to bootstrap your own cer

Re: [openssl-users] Hardware client certificates moving to Centos 7

Hi thanks for all the comments and suggestions, especially the ones I could understand centos 7 yum upgrade openssl version gives: OpenSSL 1.0.2k-fips 26 Jan 2017 it looks like echo 'LegacySigningMDs md5' >> /etc/pki/tls/legacy-settings allows the reading of Md5 Client certif

Re: [openssl-users] Hardware client certificates moving to Centos 7

> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > Of Jeffrey Walton > Sent: Wednesday, September 27, 2017 13:15 > To: OpenSSL Users > Subject: Re: [openssl-users] Hardware client certificates moving to Centos 7 > > > > > Heck, MD4 and MDC

Re: [openssl-users] Hardware client certificates moving to Centos 7

On 09/27/2017 10:10 PM, Michael Wojcik wrote: > On Behalf Of Jochen Bern > Sent: Wednesday, September 27, 2017 06:51 >> I don't know offhand which OpenSSL versions did away with MD5, but you >> *can* install an 0.9.8e (+ RHEL/CentOS backported security patches) >> straight off CentOS 7 repos > >

Re: [openssl-users] Hardware client certificates moving to Centos 7

FIPS mode is a policy decision in my opinion also but since RedHat prides itself in security e.g. SELinux, etc. I believe that is a RedHat decision as opposed to the OpenSSL community. The alternative would be to use a different Linux distro like Ubuntu, etc. which does not compile their OpenSSL

Re: [openssl-users] Hardware client certificates moving to Centos 7

>> I don't know offhand which OpenSSL versions did away with MD5, but you >> *can* install an 0.9.8e (+ RHEL/CentOS backported security patches) >> straight off CentOS 7 repos: > > Ugh. No need for 0.9.8e (which is from, what, the early Industrial > Revolution?). MD5 is still available in OpenSSL

Re: [openssl-users] Hardware client certificates moving to Centos 7

rs@openssl.org > > Subject: Re: [openssl-users] Hardware client certificates moving to > Centos 7 > > > > I don't know offhand which OpenSSL versions did away with MD5, but you > > *can* install an 0.9.8e (+ RHEL/CentOS backported security patches) > > straight off Ce

Re: [openssl-users] Hardware client certificates moving to Centos 7

> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > Of Jochen Bern > Sent: Wednesday, September 27, 2017 06:51 > To: openssl-users@openssl.org > Subject: Re: [openssl-users] Hardware client certificates moving to Centos 7 > > I don't know offhand w

Re: [openssl-users] Hardware client certificates moving to Centos 7

On 09/27/2017 02:07 PM, Stuart Marsden wrote: > Is there a way a can install a version of openssl on a dedicated standalone > Centos 7 server which will support these phones? > That would be preferable to me than having to leave Centos 6 servers just > for this I don't know

Re: [openssl-users] Hardware client certificates moving to Centos 7

On 09/27/2017 08:07 AM, Stuart Marsden wrote: Hi I think I know what you are going to say - MD5? Lots of problems with that cert. If you have some connection with the vendor, have them read IEEE 802.1AR-2009 standard for Device Identity credentials. You will be supporting this phone

Re: [openssl-users] Hardware client certificates moving to Centos 7

Hi I think I know what you are going to say - MD5? I ran openssl s_server -verify , then ran the x509 command as you suggested using the captured client certificate This phone model has only just gone into production, and I am using a "preview version" of the hardware Is there a way a can

Re: [openssl-users] Hardware client certificates moving to Centos 7

On 09/26/2017 08:04 PM, Kyle Hamilton wrote: openssl x509 -noout -text -in clientcertificate.pem You may need to extract the client certificate from wireshark, but you could also get it from openssl s_server. Specifically, that error message is suggesting that there's a message digest

Re: [openssl-users] Hardware client certificates moving to Centos 7

openssl x509 -noout -text -in clientcertificate.pem You may need to extract the client certificate from wireshark, but you could also get it from openssl s_server. Specifically, that error message is suggesting that there's a message digest encoded into the certificate which is unknown to the

Re: [openssl-users] Hardware client certificates moving to Centos 7

On 09/26/2017 11:26 AM, Stuart Marsden wrote: Hi I have Centos/Apache servers for securely provisioning IP phones using hardware client certificates embedded in the phones. for this test I have allowed all protocols and ciphers on Centos 6 this works fine, the rpms are: openssl098e-0.9.8e

Re: [openssl-users] Hardware client certificates moving to Centos 7

Sorry how can I tell ? I can run a wireshark if necessary thanks > On 26 Sep 2017, at 16:36, Wouter Verhelst wrote: > > On 26-09-17 17:26, Stuart Marsden wrote: >> [ssl:info] [pid 1611] SSL Library Error: error:0D0C50A1:asn1 encoding >>

Re: [openssl-users] Hardware client certificates moving to Centos 7

On 26-09-17 17:26, Stuart Marsden wrote: > [ssl:info] [pid 1611] SSL Library Error: error:0D0C50A1:asn1 encoding > routines:ASN1_item_verify:unknown message digest algorithm So which message digest algorithm is the client trying to use? -- Wouter Verhelst -- openssl-users mailing list To

[openssl-users] Hardware client certificates moving to Centos 7

Hi I have Centos/Apache servers for securely provisioning IP phones using hardware client certificates embedded in the phones. for this test I have allowed all protocols and ciphers on Centos 6 this works fine, the rpms are: openssl098e-0.9.8e-20.el6.centos.1.x86_64 openssl-1.0.1e-57.el6

Re: mod_ssl - client certificates broken after yum update of openssl

On Tue, 6/17/14, Viktor Dukhovni openssl-us...@dukhovni.org wrote: Subject: Re: mod_ssl - client certificates broken after yum update of openssl To: openssl-users@openssl.org Date: Tuesday, June 17, 2014, 10:53 PM On Tue, Jun 17, 2014 at 06:48

Re: mod_ssl - client certificates broken after yum update of openssl

-CAfile /home/ssl/ca_master You need to use either the -verify or the -Verify option to request or demand client certificates. The sever should be using the server certificate, not the client certificate. Then use s_client with a suitable certificate. Signature Algorithm

Re: mod_ssl - client certificates broken after yum update of openssl

On Wed, 6/18/14, Viktor Dukhovni openssl-us...@dukhovni.org wrote: Subject: Re: mod_ssl - client certificates broken after yum update of openssl To: openssl-users@openssl.org Date: Wednesday, June 18, 2014, 11:08 AM On Wed, Jun 18, 2014 at 07

mod_ssl - client certificates broken after yum update of openssl

Perfectly working VM running Amazon Linux with Apache and mod_ssl configured for client certificates. Ran yum update to get the latest openssl (OpenSSL 1.0.1h-fips 5 Jun 2014)/mod_ssl(2.2.27 )/httpd(2.2.27) security updates from Amazon's yum repository. Now the client certificate checks

Re: mod_ssl - client certificates broken after yum update of openssl

On Tue, Jun 17, 2014 at 06:48:28PM -0700, Nelson wrote: Perfectly working VM running Amazon Linux with Apache and mod_ssl configured for client certificates. Ran yum update to get the latest openssl (OpenSSL 1.0.1h-fips 5 Jun 2014)/mod_ssl(2.2.27 )/httpd(2.2.27) security updates from

RE: Help with client certificates

: Thursday, July 26, 2012 6:42 PM To: openssl-users@openssl.org Subject: Re: Help with client certificates On Wed, Jul 25, 2012, Fili, Tom wrote: I'm trying to setup my application to allow for the use of client certificates. I am using the capi engine to pull from the Windows store. I setup my ssl

Help with client certificates

I'm trying to setup my application to allow for the use of client certificates. I am using the capi engine to pull from the Windows store. I setup my ssl connection and it works fine if I set the correct certificate using SSL_CTX_use_certificate_ASN1 ENGINE_load_private_key. From what I've read

Filtering client certificates

I need to figure out which client certificates are issued by valid CAs (according to the server). I set a callback with SSL_CTX_set_client_cert_cb In the callback I get the list of CAs from the server with STACK_OF(X509_NAME) *pX509Names = SSL_get_client_CA_list(ssl) Now I have

Re: Help with client certificates

On Wed, Jul 25, 2012, Fili, Tom wrote: I'm trying to setup my application to allow for the use of client certificates. I am using the capi engine to pull from the Windows store. I setup my ssl connection and it works fine if I set the correct certificate using SSL_CTX_use_certificate_ASN1

Re: Diffie-Hellman and client certificates...

Certificate Request Server Hello Done Client: client never responds Wrong ciphersuite. Client certificates cannot be requested by anon DH ciphersuites. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org

Re: Re: client certificates suddenly not accepted anymore: squid: SSL unknown certificate error 12 - User error, not a library error

I just want to wrap up my problem so that others can learn from my ignorance: Squid's logs aren't very verbose, so I only got SSL unknown certificate error 12 , when it suddenly wouldn't accept my client certificates anymore. That's the same error you get when a certificate has expired

client certificates suddenly not accepted anymore: squid: SSL unknown certificate error 12

I am using squid as a reverse proxy with client certificates and everything was working fine for a month. But after 02 MAR 2012 17:56 CET client certificates stopped working even though my self signed ca and certificates are valid way longer. I think it might be an openssl problem, but feel free

Re: client certificates suddenly not accepted anymore: squid: SSL unknown certificate error 12

I probably shouldn't have posted so hastily. Now I think that it it more of a squid problem, because if I put stunnel in front of it, stunnel handels the certificates fine. pfSense 2.0.1 (FreeBSD 8.1-RELEASE-p6)stunnel-4.35 openssl-1.0.0_5

Re: impact of client certificates to re-negotiation attack

* Kyle Hamilton wrote on Thu, Jan 14, 2010 at 12:03 -0800: * Steffen asked... ...on this level [thanks a lot again for all the clarifications: authentication levels, authentication-agnostic, URI-dependent certificates, bugfix because missed intention, MITM tricks twitter to decrypt and

Re: impact of client certificates to re-negotiation attack

: there is no way for a man in the middle to attack in the presence of mutual authentication. I thought this data injection attack fails when client certificates would be used correctly. It does, in the event that the server configuration does not allow for non-client-certificated connections in any

Re: impact of client certificates to re-negotiation attack

this how TLS is intended to be used and the `add a certificate based on a directory' just some hack because the user interfaces are as they are (and that are passwords and BasicAuth when it comes to HTTP/HTTPS)? I thought this data injection attack fails when client certificates would be used

impact of client certificates to re-negotiation attack (was: Re: Re-negotiation handshake failed: Not accepted by client!?)

Hi, thank you too for the detailed explanation. But the impact on the client certificates (and its correct validation etc) is not clear to me (so I ask inline in the second half of this mail). * Kyle Hamilton wrote on Mon, Jan 11, 2010 at 14:28 -0800: The most succinct answer

Re: impact of client certificates to re-negotiation attack (was: Re: Re-negotiation handshake failed: Not accepted by client!?)

Responses inline. :) On Tue, Jan 12, 2010 at 3:12 AM, Steffen DETTMER steffen.dett...@ingenico.com wrote: Hi, thank you too for the detailed explanation. But the impact on the client certificates (and its correct validation etc) is not clear to me (so I ask inline in the second half

Can I use self-signed client certificates to access ANY secure site?

Hi All, I am absolutely new to this world of SSL, as will be evident from my confusions and questions. I am trying to write a client that will securely connect to N web servers every T seconds, and retrieve a document: info.txt. To test it, I wrote the following code (borrowed from:

RE: Can I use self-signed client certificates to access ANY secure site?

Rij wrote: Hi All, I am absolutely new to this world of SSL, as will be evident from my confusions and questions. I am trying to write a client that will securely connect to N web servers every T seconds, and retrieve a document: info.txt. To test it, I wrote the following code

RE: Client Certificates

From: [EMAIL PROTECTED] On Behalf Of Felix Ingram Sent: Saturday, 04 October, 2008 10:27 2008/10/4 Dave Thompson [EMAIL PROTECTED]: The actual failure is the alert 48 unknown ca from the server. Apparently it doesn't like the cert (or chain) s_client is sending, but the protocol doesn't

RE: Client Certificates

From: [EMAIL PROTECTED] On Behalf Of Felix Ingram Sent: Tuesday, 30 September, 2008 10:08 I'm having a little trouble testing out some web services for a client. They have provided us with a couple of pfx certificate files to allow us to authenticate to their web servers. snip openssl

Re: Client Certificates

Hi Dave, 2008/10/4 Dave Thompson [EMAIL PROTECTED]: From: [EMAIL PROTECTED] On Behalf Of Felix Ingram Sent: Tuesday, 30 September, 2008 10:08 I'm having a little trouble testing out some web services for a client. They have provided us with a couple of pfx certificate files to allow us to

Re: Client Certificates

2008/10/1 vinni rathore [EMAIL PROTECTED]: Hello, As your problem says that you are getting local issuer certificate problem that means that client certificate is signed with a particular CA certificate and that certificate is not found at the time of Handshaking.. so please confirm that

Re: Client Certificates

Hi Felix Felix Ingram wrote: 2008/10/1 vinni rathore [EMAIL PROTECTED]: Hello, As your problem says that you are getting local issuer certificate problem that means that client certificate is signed with a particular CA certificate and that certificate is not found at the time of

Client Certificates

Hello all, I'm having a little trouble testing out some web services for a client. They have provided us with a couple of pfx certificate files to allow us to authenticate to their web servers. I can import this into IE and connect to the site without any trouble but when I try and use s_client I

How to load multiple client certificates

Hi ALL, Is there any function to load multiple client certificates ? Consider the case that There are multiple certificates to client It should chose one of the certificate appropriate for particular server . It depends the server CA list sent by server. Please

Re: How to load multiple client certificates

Konark wrote: Hi ALL, Is there any function to load multiple client certificates ? Consider the case that There are multiple certificates to client It should chose one of the certificate appropriate for particular server

RE: Is it legal to distribute the client certificates from Netscape with a comme

Eric Wertz wrote: As far as the (re)distribution question has goes, what you probably cannot do without permission is to redistribute the actual *package* of certificates that Netscape has put together for the purpose of embedding in their browser. Since the overwhelming majority (if

Re: Is it legal to distribute the client certificates from Netscape with a commercial app

I want to do a commercial client application capable to handle https (that is the only purpose to include openssl) and I was wondering if it is legal to distribute the file that contains the certificates that were bundled with Netscape. I am not a lawyer. Actyally, can a company X generate

Re: Is it legal to distribute the client certificates from Netscape with a comme

I want to do a commercial client application capable to handle https (that is the only purpose to include openssl) and I was wondering if it is legal to distribute the file that contains the certificates that were bundled with Netscape. I am not a lawyer. Not only am I also not a lawyer, I

Re: Is it legal to distribute the client certificates from Netscape with a comme

Eric Wertz wrote: As far as the (re)distribution question has goes, what you probably cannot do without permission is to redistribute the actual *package* of certificates that Netscape has put together for the purpose of embedding in their browser. Since the overwhelming majority (if not 100%)

RE: Is it legal to distribute the client certificates from Netscape with a commercial app

I think I got things mixed up. When I sent the email I thought that the client application needs its own certificate as well, in order to communicate with a server using https... I guess I was wrong. I realize now that the certificates distributed with Netscape serve the purpose of verifying the

Is it legal to distribute the client certificates from Netscape with a commercial app

I want to do a commercial client application capable to handle https (that is the only purpose to include openssl) and I was wondering if it is legal to distribute the file that contains the certificates that were bundled with Netscape. Actyally, can a company X generate their own certificates to

RE: Is it legal to distribute the client certificates from Netscape with a commercial app

I want to do a commercial client application capable to handle https (that is the only purpose to include openssl) and I was wondering if it is legal to distribute the file that contains the certificates that were bundled with Netscape. I'm not sure I understand what you are looking

Re: Is it legal to distribute the client certificates from Netscape with a commercial app

Interesting question - NO it is illegal.Biker Conrad [EMAIL PROTECTED] wrote: I want to do a commercial client application capableto handle https (that is the only purpose to includeopenssl) and I was wondering if it is legal todistribute the file that contains the certificatesthat were bundled

Client certificates with IIS 5.1

I have IIS 5.1 running with the server certificate that has been certified by a CA supported by openssl. I have also created arbitrary client certificate that has been signed by the same CA. The client certificate has been successfully imported in to IE and Firefox as a personal certificate. But

Re: Setting the key usage for client certificates

Marcus Carey wrote: When creating client certificates with following extensions: basicContraintsCA:FALSE nsComment OpenSSL Generated Certificate subjectKeyIdentifier hash authoritiyKeyIdentifier keyid,issuer:always keyUsage

Setting the key usage for client certificates

When creating client certificates with following extensions: basicContraintsCA:FALSE nsComment OpenSSL Generated Certificate subjectKeyIdentifier hash authoritiyKeyIdentifier keyid,issuer:always keyUsage nonrepudiation,digitalsignature

Re: client certificates and Net::SSLeay

ok I think I figured out one problem - the client side was using a cert signed with a password protected key, which my script was unable to deal with. Having fixed that, I am now getting error 140890B2 : SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned on the server side. and

Re: client certificates and Net::SSLeay

ok never mind, got it working. My server certificate had expired. Thanks for all your help. Stella On Wed, Nov 12, 2003 at 01:23:15PM +, Stella Power wrote: ok I think I figured out one problem - the client side was using a cert signed with a password protected key, which my script was

RE: Re: How do one add a client certificates on a p800 Symbian 7.0 (Sony Ericsson)

To a p800 using different technics both using a file and downloding it from a web page. Trying different extensions and MIME types but no luck ... --- Ursprungligt meddelande --- Från: Dr. Stephen Henson [EMAIL PROTECTED] Ämne: Re: How do one add a client certificates on a p800

Re: How do one add a client certificates on a p800 Symbian 7.0 (Sony Ericsson)

On Wed, May 28, 2003, Pär Ahrén wrote: Hi, I have searched on the net for hours but have not found the right information. I have succeeded added a CA-certificate using a DER encoded file. I have tried to add a client certificate using different formats but no luck! I have even tried to

How do one add a client certificates on a p800 Symbian 7.0 (Sony Ericsson)

Hi, I have searched on the net for hours but have not found the right information. I have succeeded added a CA-certificate using a DER encoded file. I have tried to add a client certificate using different formats but no luck! I have even tried to make a WTLS like certificate but that doesn't

Creating self signed client certificates

Please help, I need to test client certificate authorization on my OBI implementation but Im darned if I can get Internet explorer to accept my self signed certificates, my certificates are imported successfully but the browser presents an empty certificate window when I hit my webserver

RE: Question about auth with client certificates

There are two things you need to do: authenticate and then authorize. C-Kermit provides hooks to organizations in the form of two functions: X509_to_user() - who does this certificate represent X509_userok() - may the user gain access with this certificate C-Kermit provides two

Re: Question about auth with client certificates

Gastón Christen wrote: Hi, I'm new in the apache/openssl world and I have a question (maybe it's me but I don't understand something about client certificates authentication in Apache) I have Apache 2.40 with openssl 0.9.6g running in my win32 machine without a problem. I want to establish

RE: apache with client certificates

Hi, I'm new in the apache/openssl world and I have a question (maybe it's me but I don't understand something about client certificates authentication in Apache) I have Apache 2.40 with openssl 0.9.6g running in my win32 machine without a problem. I want to establish an extranet, and let users

RE: apache with client certificates

Thanks Paul, I'm busy looking at PureTLS as a solution. -Original Message- From: Paul L. Allen [mailto:[EMAIL PROTECTED]] Sent: 18 September 2002 19:53 To: [EMAIL PROTECTED] Subject: Re: apache with client certificates Jose Correia (J) wrote: [...] On my Java side I'm using JSSE

RE: apache with client certificates

: apache with client certificates Hi there I set the depth to 1 and I do have my cache set to: SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache SSLSessionCacheTimeout 300 SSLMutex file:/usr/local/apache/logs/ssl_mutex Still not working... Argghhh, this is so frustrating... any other

RE: apache with client certificates

To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: apache with client certificates Hi all I'm actually now getting in ssl_engine.log: [18/Sep/2002 14:41:57 32739] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known

Re: apache with client certificates

Jose Correia (J) wrote: [...] On my Java side I'm using JSSE 1.0.3 together with Innovation's HTTPClient like: That's probably your problem. I tried to get a Java/JSSE client to do client-side authentication with a C/OpenSSL server recently and couldn't get it to work. I posted a query

RE: apache with client certificates

, printed or electronic. -Original Message- From: Jose Correia (J) [mailto:[EMAIL PROTECTED]] Sent: Wednesday, September 18, 2002 8:54 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: apache with client certificates Actually how does Apache know about the client certificate

Re: apache with client certificates

I am using Apache 1.3.26 with OpenSSL 0.9.6c and client authentication works for me. I have SSLVerifyDepth set to 1 and specified an SSLSessionCache but otherwise my setup is roughly the same as yours. --- Jose Correia (J) [EMAIL PROTECTED] wrote: Hi all Is anyone aware of Apache version

Client certificates

Hi, I have a CA, and I have a web server. The web server's cert is signed by the CA. On this server I want to only allow those clients which have valid cert's for accessing it (no anonymous access that is). In apache this is done by adding a list of the user's certs. This is fairly simple. If I

Re: Requiring client certificates - how?

- Original Message - From: David C. Tuttle [EMAIL PROTECTED] To: OpenSSL [EMAIL PROTECTED] Sent: Thursday, July 11, 2002 1:13 AM Subject: Re: Requiring client certificates - how? On Wed, 10 Jul 2002, Keary Suska wrote: on 7/10/02 4:33 PM, [EMAIL PROTECTED] purportedly said: How

Creating client certificates with OpenSSL on Win2000 Advanced Server.

do this with openssl but I could not find enough documantation for this. * So if anyone can help me for creating and managing client certificates in a step by step format I wiill be really happy. * Any other suggestion and ideas for client authentication in our situation will also

Creating client certificates

So I created a cert request with IIS 5.0 and signed the cert with my Red Hat Linux box. I installed the cert and all works well. Now I want to require client certificates on the IIS box. How do I go about creating client certs? I would like to do the creation on the Linux box

Re: Creating and Installing Client Certificates - ??

I would like to have a user open a webpage and supply DN info. I would then like the CGI client-side scripts to request a certificate from OpenSSL on the server (Linux) side, return it to the client and have it imported into the client's (MSIE/Win2K) store. As an aside, this is exactly

Client certificates and IIS (403.7 error)

Dear Openssl users, In a windows 2000 environment I am attempting to create 1- Root CA 2- IIS https cert 3- multiple client certificates. (to install on IE browsers) I seem to be able to do the above, although when attempting to use my client certs I receive a 403.7 error The root cert

Signing Browser Client Certificates

Hello again: I read the OSPKI book, which pointed me at the sign.sh script which helped quite a bit. I'm wondering if anyone can help me with a few specifics. So far, how I understand a certificate request gets signed is: 1) put the CSR into a file. 2) generate a configuration file that

Web Client Certificates (Apache-IIS)

Hi, Can the web client certificates generate for an Apache Server be used against an IIS Server if we transfor the certificate format from Apache to IIS? Many Thanks. Nuria _ Uni2 - Lince Telecomunicaciones, S.A.U. Aviso

Client certificates on smart card ?

Hello, I have a question using certificates when using client authentication on server side. Normally the client's X509 certificate is stored on the local harddisk and SSL_CTX_use_certificate_file is used to tell the library were it can be found, is that right ? Is it possible to 'forward' an

asking for client certificates

Hi, I have a server with openssl 0.9.6. When someone makes a connection to it, I'd like it to requestforaclient certificate. I am using the function SSL_get_peer_certificate( ) once the handshake is finished, after the call to SSL_accept( ). Every time I get "client does not have a

Re: asking for client certificates

On 12 Mar, Alan McIlwain Perez wrote: I am using the function SSL_get_peer_certificate( ) once the handshake is finished, after the call to SSL_accept( ). Every time I get "client does not have a certificate". You have to enable client verification first: SSL_CTX_set_verify( sslctx,

Re: asking for client certificates

? Thanks, Alan - Original Message - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, March 12, 2001 2:00 PM Subject: Re: asking for client certificates On 12 Mar, Alan McIlwain Perez wrote: I am using the function SSL_get_peer_certificate( ) once the handshake is finished

creating client certificates

I've been trying to create a client certificate for IE or Netscape that can be used to verify a user. For testing I created a CA certificate which I used to sign a client and server certificate. I created the client and server certificates using the openssl command. I can load the CA certifcate

RE: Client certificates: Key store per workstation, not per user?

, March 10, 2001 2:58 AM ::To: [EMAIL PROTECTED] ::Subject: Re: Client certificates: Key store per workstation, not per ::user? :: :: ::So users sharing passwords are at least limited to within an organisation. ::Sounds perfectly reasonable. :: ::I don't know the ins and outs of your client base but I did

Re: Client certificates: Key store per workstation, not per user?

of PKI At the moment I'm inclined to think that no-one shares certs and we all become our own root CA!!! - Original Message - From: "Derek.Browne" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Sunday, March 11, 2001 3:48 AM Subject: RE: Client certificates: Key store per w

Re: Client certificates: Key store per workstation, not per user?

.txt Later, derek : :- Original Message - :From: "Derek.Browne" [EMAIL PROTECTED] :To: [EMAIL PROTECTED] :Sent: Sunday, March 11, 2001 3:48 AM :Subject: RE: Client certificates: Key store per workstation, not per user? : : : Hi, : : This is an interesting problemYou said someth

RE: Client certificates: Key store per workstation, not per user?

the security threat #1. Second, I think, that without client-certificates man-in-the-middle attacks are possible, using tools like dsniff. Hence, lacking smart cards, an authentication scheme using userid/pw plus client certificates werde devised. An administrator can only download and install

Re: Client certificates: Key store per workstation, not per user?

Rainer, You write, "...Second, I think, that without client-certificates man-in-the-middle attacks are possible, using tools like dsniff." and this is not correct. As long as the client does proper checking of the server certificate AND you use SSLv3 or h

RE: Client certificates: Key store per workstation, not per user?

I need to use the client certificates with IE. I will have a look into the crypte API. Thanks rainer -Original Message- From: Greg Stark [mailto:[EMAIL PROTECTED]] Sent: Freitag, 9. März 2001 18:34 To: [EMAIL PROTECTED] Subject: Re: Client certificates: Key store per workstation

Re: Client certificates: Key store per workstation, not per user?

PROTECTED] Sent: Saturday, March 10, 2001 4:55 AM Subject: RE: Client certificates: Key store per workstation, not per user? I need to use the client certificates with IE. I will have a look into the crypte API. Thanks rainer -Original Message- From: Greg Stark [mailto:[EMAIL

Client certificates from private CA, with Outlook or Outlook Express

Hi, I'm wondering if anyone can shed any light on a problem I'm having with Outlook Express? Apologies for posting a load of debug output to the list, but I didn't really know what was safe to omit. I'm trying to setup secure IMAP, using stunnel (stage 2 is to go for secure SMTP as well,

Re: Client certificates from private CA, with Outlook or Outlook Express

/home/tim/server_cert3_pub_priv.pem -d simap -r imap2 simap i.e. redirect to local imap port, listen on simap port (993), and insist on client certificate authentication. I don't think UofW imapd supports client certificates, but see below... In Outlook 2000, and Outlook Express 5 (under Win98, with a

  1   2   >