I set up an apache/mod_ssl with SSLVerifyClient require. My netscape
browser can connect to it both in sslv2 and sslv3 mode. But IE failed in
sslv2, passed in sslv3 and tls mode.
Does IE (5.0) officially not support sslv2 client auth mode, or is there
something wrong with my configuration?
Thanks.
Hi,
I have the following certificates:
root.cert - self signed CA
node1root.cert - issued by root
node2root.cert - issued by root
daemon.cert - issued by node1root
client1.cert - issued by node2root
I have an SSL server which uses the daemon.cert and has root.cert and node1.cert
in its
On Tue, Apr 24, 2001 at 12:27:28PM +0200, Peter Lindsäth wrote:
I have the following certificates:
root.cert - self signed CA
node1root.cert - issued by root
node2root.cert - issued by root
daemon.cert - issued by node1root
client1.cert - issued by node2root
I have an SSL server which
Lutz Jaenicke wrote:
On Tue, Apr 24, 2001 at 12:27:28PM +0200, Peter Lindsäth wrote:
I have the following certificates:
root.cert - self signed CA
node1root.cert - issued by root
node2root.cert - issued by root
daemon.cert - issued by node1root
client1.cert - issued by node2root
On Tue, Apr 24, 2001 at 03:41:58PM +0200, Peter Lindsäth wrote:
Well, now there seems to be a problem making an intermediate CA using the self signed
CA.
I've been trying some different approaches but I don't seem to get it right. The most
commonly proposed method, in the mail-archive, would
[EMAIL PROTECTED]
Subject:Client Authentication Windows NT
Windows NT and 2000 presents other problems, and I was wondering if
anyone
has an answer or can point me in the right direction. On NT or 2000
you
select a directory for client authentication. When
Have a look in the archive:
http://marc.theaimsgroup.com/?l=openssl-users
under the author 'Dale Peakall' and
look for the subject 'Client Auth in IE'.
- Dale.
Thanks,
I'm sure this will sort it out. It's the same problem we've experienced.
Tell me on Win2000 and NT can you have client authentication that will check
multiple root certificates?
Oliver
Have a look in the archive:
http://marc.theaimsgroup.com/?l=openssl-users
under the author 'Dale
problems, and I was wondering if anyone
has an answer or can point me in the right direction. On NT or 2000 you
select a directory for client authentication. When you go to that page it
brings up the authentication box, but only Verisign certificates are
displayed there.
What do you have to do
People;
I've been asked to review a document for some PKI system which
deals with some issues I have not come across before and was hoping
someone could verify what I believe is true. This is more a browser/SSL
issue than openssl, but I think I can generalize it enough.
If an
- Original Message -
From: "Jeffrey Burgoyne" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 07, 2001 9:46 AM
Subject: Question on client authentication and signing
People;
I've been asked to review a document for some PKI system which
deals with some iss
- Original Message -
From: "Jeffrey Burgoyne" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 07, 2001 9:46 AM
Subject: Question on client authentication and signing
People;
I've been asked to review a documen
- Original Message -
From: "Greg Stark" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, March 07, 2001 8:39 PM
Subject: Re: Question on client authentication and signing
Jeffrey,
The short answer is neither. The client's only use of its p
- Original Message -
From: "Jeffrey Burgoyne" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 07, 2001 10:32 AM
Subject: Re: Question on client authentication and signing
Greg;
Thanks. Therefore if I read this right, all the actual data
passed across the session
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
- Original Message -
From: "Sandipan Gangopadhyay" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 07, 2001 10:38 AM
Subject: Re: Question
07, 2001 9:03 PM
To: [EMAIL PROTECTED]
Subject: Re: Question on client authentication and signing
Greg;
Thanks. Therefore if I read this right, all the actual data
passed across the session (i.e. all the real data passed after the
handshake has been completed) is encoded
ey through the browser; we have no way of knowing. The private key is
needed for successful client authentication. The client does in fact have
to sign all the handshake messages (which include a server random value).
Greg Stark
Ethentica, Inc.
[EMAIL
Hi,
I am working on doing client authentication. I
could successfully import the certificate in the
browser and could authenticate the client.
My question is: How does the browser get the private
key? Shouldn't it be needing that for authentication?
Isn't that there is some challenge thrown
PROTECTED]; [EMAIL PROTECTED]
Sent: Sunday, October 29, 2000 2:26 AM
Subject: RE: IIS client authentication?
iis will walk up the chain 'til it reaches the root - so you need the root
loaded in the machine store. also, by default iis5 will check the crl, if
its location is listed in the c
Sent: Friday, October 27, 2000 11:45 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: IIS client authentication?
Hi, all,
One question for a case where strong CLIENT authentication is needed: we
use open ssl on
client side and use Microsoft IIS on the server side. How will the Microsoft
IIS
Hi, all,
One question for a case where strong CLIENT authentication is needed: we
use open ssl on
client side and use Microsoft IIS on the server side. How will the Microsoft
IIS check the validity
of the client certificate? Will it need to validate the whole certificate
chain
Look at http://www.aquasecurity.com/protect/other/sslcli.cpp and
http://www.aquasecurity.com/protect/other/sslsrv.cpp
Robert Sandilands
Carlos Serrao wrote:
Hi all,
can someone provide me with a good example how to handle client
authentication on a SSL connection. I've already take
Thanks for your contribution,
but the examples are quite similar to my implementation and therefore
I still have the same problem... No client authentication.
I'm starting to suspect my client and server certificates.
Perhaps it is something wrong with them...
... can you give some
Hi,
I am using Openssl in my client, and Apache-ssl in my content server.
I am using a test cert signed by verisign to authenticate my client.
But my server is refusing it, using error 19: self-signed certificate.
It is confusing because it is not a self-signed cert at all, but a normal
cert.
,
SSL_OP_NETSCAPE_CA_DN_BUG.
But I don't understand why?
Hua
-Original Message-
From: Peter Kim [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 15, 2000 2:16 PM
To: [EMAIL PROTECTED]
Subject: Re: client authentication
Hi, friends,
I try to add the client authentication into a client application.
Two
Hi, friends,
I try to add the client authentication into a client application.
Two problems block me.
1. It is not allowed to use DER type files in SSL_CTX_use_PrivateKey_file.
It only accepts PEM files.
2. During handshaking, the client application fails in
ssl3_get_certificate_request
Hi, friends,
I try to add the client authentication into a client application.
Two problems block me.
1. It is not allowed to use DER type files in SSL_CTX_use_PrivateKey_file.
It only accepts PEM files.
SSL_CTX_use_PrivateKey_ASN1(..) should accept a DER-encoded private key
file.
2
I've been building a small https client everything has gone quite well.
Now I've been told that I need to include support for client authentication
using a standard x.509 certificate I am stumped.
How do you manage client trust to your server? how do you know
that you are really
of this is wrong,
sorry!
Jon
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Randall Ward
Sent: Wednesday, August 09, 2000 1:28 PM
To: '[EMAIL PROTECTED]'
Subject: please help with understanding client authentication
I've been building a small https
I now know lots and lots about client authentication and certificates.
Thanks everyone for your help!
Now: there's one big thing that I don't understand. If I am going to be
building an https client that will authenticate itself with a certificate of
some kind, does that client need to have
:28 PM
To: '[EMAIL PROTECTED]'
Subject: please help with understanding client authentication
I've been building a small https client everything has gone quite well.
Now I've been told that I need to include support for client authentication
using a standard x.509 certificate I am stumped
I've been building a small https client everything has gone quite well.
Now I've been told that I need to include support for client authentication
using a standard x.509 certificate I am stumped.
Is the certificate just going to be a file? Do I just have to set a path to
it, or is there some
Hi Albert,
On Mon, 31 Jul 2000, Albert Serra wrote:
a) The functions with "verify" in them is there to tell the server or
client where the public keys and the CA's public keys are for verifying
the other's keys. Those keys and the symbolic links associated with them
is pretty important.
Hi,
I don't understand your verify callback, I have used it and when my
program worked, with your verify_callback not. Can you explain to me how
works or why you use it?
thanks
Shrikrishna Karandikar wrote:
Hi,
I have been following the email exchanges regarding client certificate
verification
Does it work?
Because what exact commands do you have to add if you want client authentication
on serv.cpp and cli.cpp?
I have tried it following the code I have found on sslcli.cpp and sslsrv.cpp
and it doesn't work. If someone wants to help me, (I work on a Sun WS)
, what is the mean
ient where the public keys and the CA's public keys are for verifying
the other's keys. Those keys and the symbolic links associated with them
is pretty important.
Robert Sandilands
Albert Serra wrote:
Does it work?
Because what exact commands do you have to add if you want client
auth
and serv.cpp to get client authentication. I have done that
in the same way than server authentication, that it seems the logic way
to do that, but it doesn't work. I have spent all the week trying to solve
it but I haven't got it yet. So if somebody is so kind to read it and try
to detect an error
have written in my previous mail, I have modified
the cli.cpp and serv.cpp to get client authentication. I have done that
in the same way than server authentication, that it seems the logic way
to do that, but it doesn't work. I have spent all the week trying to
solve it but I haven't got it yet
I'm modifying cli.cpp and serv.cpp to get client authentication. So I do
it in the same way like server authentication but it doesn't work. Does
somebody know how to get it? Ideas? Is there any special and important
function that I can have forgotten?
thanks
--
Albert SERRA
sorry for my english
Albert Serra wrote:
I'm modifying cli.cpp and serv.cpp to get client
authentication. So I do it in the same way like server authentication but
it doesn't work. Does somebody know how to get it? Ideas? Is there any
special and important function that I can have forgotten
I was having problems with client authentication that I solved only moments ago.
Try calling SSL_new (m_pCtx) only after you load the certificates and keys, makes sense when you think of it.
Also, use SSL_CTX_set_verify(m_pCtx, SSL_VERIFY_PEER, verify); with only SSL_VERIFY_PEER
.
[EMAIL PROTECTED]
- Original Message -
From: "Al Shaver" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, April 28, 2000 10:01 AM
Subject: Re: Client Authentication??
Michael -
It's true that a cert won't function unless the cert
holder also has the corresponding p
Michael -
It's true that a cert won't function unless the cert
holder also has the corresponding private key,
but the ongoing discussion about these
certs was assuming that the owner of the
private/public
key pair would distribute everything (cert, BOTH keys,
etc) to other parties.
Several
: Monday, April 24, 2000 10:59 PM
To: [EMAIL PROTECTED]
Subject: Re: Client Authentication??
Brian,
You're correct in that the certificate is just a file
- however, it's a file with certain information
encrypted into it that identifies the common name of
the server that will be using
On Tue, Apr 25, 2000 at 10:25:01AM -0400, Brian Snyder wrote:
Al and others,
Hi. Thanx for your response. I realize that gives an extra level of
security from the **SERVER** side.
What I am specifically referring to is the **client** authorization allowed
with SSL3.0 If you look at the
knowledge to do so...
Cheers, Thomas
Brian Snyder wrote:
I have a quick question about client authentication.
How exactly is authenticity guaranteed? If verisign (or whoever) gives one
a digital ID, this is just a file on the computer.
What's to stop said person from sharing this
[mailto:[EMAIL PROTECTED]]
Sent: Monday, April 24, 2000 10:59 PM
To: [EMAIL PROTECTED]
Subject: Re: Client Authentication??
[snip, snip]
Regards,
Al Shaver
[EMAIL PROTECTED]
--- Brian Snyder [EMAIL PROTECTED] wrote:
I have a quick question about client
I have a quick question about client authentication.
How exactly is authenticity guaranteed? If verisign (or whoever) gives one
a digital ID, this is just a file on the computer.
What's to stop said person from sharing this signature and giving it to all
his friends. The way I understand
of the server the browser is
connecting to (i.e., www.acme.com does not match
www.generalwidgets.com).
Hope this helps.
Regards,
Al Shaver
[EMAIL PROTECTED]
--- Brian Snyder [EMAIL PROTECTED] wrote:
I have a quick question about client
authentication.
How exactly is authenticity guaranteed
Hi
I am porting an application from SSLRef to OpenSSL, and I am trying to
connect up with an SSL server, performing Client Authentication, but I'm
having troubles doing so. I have DER certs that are read into a API above
OpenSSL. I can dump these certs to stdout, and they look fine. During
Hi!
I am really new with the use of OpenSSL, so sorry if
this is an obvious question.
I have generated certificates using openssl, and I
could install them without any problem in NS and in
MSIE, but when I try to use them for client
authentication they just won't be shown in the
listbox. Could
On Tue, Nov 16, 1999 at 08:08:21PM -0800, Claus Assmann wrote:
Thanks for the notification. A related question:
If the callback always returns 1, does
SSL_get_verify_result()
nevertheless return the correct value?
i.e., X509_V_OK iff the certificate could be verified?
Yes, if the
- Original Message -
From: Bodo Moeller [EMAIL PROTECTED]
To: Claus Assmann [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, November 17, 1999 9:37 AM
Subject: Re: client authentication (SSL_CTX_set_verify)
On Tue, Nov 16, 1999 at 08:08:21PM -0800, Claus Assmann wrote
On Sun, Aug 08, 1999 at 03:05:26PM +, Bodo Moeller wrote:
Claus Assmann [EMAIL PROTECTED]:
[...]
how do I correctly set the verify_mode? Reading the code,
SSL_VERIFY_CLIENT_ONCE and SSL_VERIFY_PEER seem to be useful for
my purpose (try to verify the client, but don't fail).
[...]
On Tue, Nov 16, 1999, Bodo Moeller wrote:
On Sun, Aug 08, 1999 at 03:05:26PM +, Bodo Moeller wrote:
Claus Assmann [EMAIL PROTECTED]:
how do I correctly set the verify_mode? Reading the code,
SSL_VERIFY_CLIENT_ONCE and SSL_VERIFY_PEER seem to be useful for
my purpose (try to verify
-Original Message-
From: Herve Regad-Pellagru
[mailto:[EMAIL PROTECTED]]
Sent: Sunday, September 19, 1999 1:29 PM
To: [EMAIL PROTECTED]
Subject: server/client authentication with stunnel
Hi all !
After trying many hours to get client/server authentication via
certificate
Do you have a copy of CAcert.pem someplace on the client, and have you told
the client-side stunnel where it is?
-Original Message-
From: Herve Regad-Pellagru
[mailto:[EMAIL PROTECTED]]
Sent: Sunday, September 19, 1999 1:29 PM
To: [EMAIL PROTECTED]
Subject: server/client
Hi all !
After trying many hours to get client/server authentication via
certificate to work with stunnel-3.4a (openssl-0.9.4), I require
some help from enlightened people.
Here's what I did:
- create a certificate authority (openssl req -new -x509
-nodes -keyout keyCAcert.pem
On Sun, Aug 08, 1999 at 06:24:04PM -0700, Claus Assmann wrote:
I use some slightly different code
than your example which worked for my tests:
init:
SSL_CTX_set_verify(ctx, SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_PEER, verify_cb);
static int verify_cb(int ok,
Claus Assmann [EMAIL PROTECTED]:
Question: is there some simple way to find out whether the client
has been authenticated? I registered a callback with SSL_CTX_set_verify,
but I don't completely understand it...
Do you have to use a callback? You can use SSL_get_verify_result
and
On Thu, Aug 05, 1999 at 01:28:56PM -0700, Claus Assmann wrote:
Question: is there some simple way to find out whether the client
has been authenticated? I registered a callback with SSL_CTX_set_verify,
but I don't completely understand it...
Do you have to use a callback? You can use
I'm trying to secure HTTP POSTs to an extranet (in Java, at this point).
I've found a few Java-based SSL libraries, one or more of which I expect
I'll try eventually.
However, I'm still not clear about the general logic on the client-side for
handling an SSL request for client authentication
expect
I'll try eventually.
However, I'm still not clear about the general logic on the client-side for
handling an SSL request for client authentication (a client certificate
request, I believe it's called).
Can anyone help me with this? -- even just a few quick lines of top-level
logic
Question: is there some simple way to find out whether the client
has been authenticated? I registered a callback with SSL_CTX_set_verify,
but I don't completely understand it...
I need this information in my application which makes certain
decisions based on it (e.g. allow different
On Tue, 9 Mar 1999, Wade L. Scholine wrote:
Erwann ABALEA writes:
On Thu, 4 Mar 1999, Wade L. Scholine wrote:
What does NS mean by 'Personal Certificate' in this
context? I would have
thought that the Entrust and Verisign samples would qualify.
Your server has a list of
This is sort of about 2/3 off-topic, but I am going to ask about it anyway.
I am trying to use s_server -Verify to learn some stuff about client
authentication. I'm using Netscape 4.5 as a client, and I have a couple of
free certs from Entrust and Verisign. When I try to connect to s_server I