On 11/10/2019 10:10, Jeremy Harris wrote:
On 11/10/2019 09:57, Matt Caswell wrote:
> OpenSSL does not currently support that. You can only place a status response
> after the first certificate.
>
> Matt
That's why I asked:
>> Are both layouts of the TLS1.3 Certificates record valid?
--
Cheers,
Jeremy
On 10/10/2019 22:53, Jeremy Harris wrote:
On 01/10/2019 12:21, Jeremy Harris wrote:
> I'm using the indexfile variant. It seems that the -CA argument
> needs to be the signer of the cert, not the CA for the chain; and
> you cannot give -CA multiple times. So you don't get good OCSP status
> for all elements in the chain:
> $ openssl
On 30/09/2019 17:02, Matt Caswell wrote:
>> Alternatively^2, is there some way to get such a blob from a tool
>> (openssl ocsp, or similar) ready built? For this purpose, I am
>> the CA.
>>
>
> Yes, you can do this. For example see the "respout" option in the
> ocsp command.
>
> From the
On 30/09/2019 17:02, Matt Caswell wrote:
> openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \
> -url http://ocsp.myhost.com/ -resp_text -respout resp.der
Ah, I hadn't realised that -cert could be given multiple times.
--
Thanks,
Jeremy
On 30/09/2019 14:49, Jeremy Harris wrote:
Looking at implementing the above, under TLSv1.3 and (at least
initially) server-side. I'm currently using
SSL_CTX_set_tlsext_status_cb()
SSL_set_tlsext_status_ocsp_resp( a DER blob )
and the problem is: will this accept a
(DER-wrapped, basicresp-wrapped) stack of singleresp
where the
Hi,
The manpage for SSL_CTX_set_tlsext_status_cb() describes
the calls in terms of the client requesting stapling from the
server. Is the reverse possible - the server requesting stapling
by the client? Should the same calls be used, by the alternate
ends, or if not, what?
This arose in the
>> It's a mix of C and Go, so it's really not minimal, but I'll try to
>> modify s_server to see if I can reproduce it.
>>
>> --
>> Julien Vermillard
>>
>> On Mon, Aug 29, 2016 at 6:13 PM, Matt Caswell <m...@openssl.org> wrote:
>>
>> On 29/08/16 17:08, Julien Vermillard wrote:
I have a DTLS 1.2 server based on last master (commit
d196305aa0de1fc38837c27cb1ea6e60af9dd98d)
I try to add ocsp stapling support (based on code in s_server.c).
Basically in my callback I set the OCSP response by:
if (SSL_set_tlsext_status_ocsp_resp(s,dataPtr,respLen) == 0) {
return
On 02/19/2013 02:33 PM, Dr. Stephen Henson wrote:
On Tue, Feb 19, 2013, Jeremy Harris wrote:
On 18/02/2013 22:32, Dr. Stephen Henson wrote:
That's fine except that we're using SSL_CTX_set_verify() callback already
and the docs say it and SSL_CTX_set_cert_verify_callback() should not
be mixed.
That explanation could be clearer. In this case it's fine to mix the two.
OK, thank you.
On Sun, Feb 17, 2013, Jeremy Harris wrote:
On 02/16/2013 10:51 PM, Dr. Stephen Henson wrote:
So you could supply an application defined callback that just calls
X509_verify_cert too which keeps the current behaviour. If that call is
successful you can then note the chain for future use using
X509_STORE_CTX_get1_chain().
That's fine
On 02/09/2013 12:12 PM, Jeremy Harris wrote:
I'm working on an implementation of the client side of OCSP stapling.
To verify the stapled information I'm using the chain leading to the
server certificate, as presented in the (repeated) verify callbacks for
the server cert.
As far as I can see I need to do this because the client is only
On Thu, Feb 17, 2011, Frantz, Stacey M CIV NIOC PCOLA wrote:
How can I tell if openssl on my server is acting as a server and calling
SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX? This includes Apache
httpd >= 2.3.3, if configured with SSLUseStapling On.
Well it's pretty clear from
OpenSSL Security Advisory [8 February 2011]
OCSP stapling vulnerability in OpenSSL
Incorrectly formatted ClientHello handshake messages could cause OpenSSL
to parse past the end of the message.
This issue
On Mon, Apr 13, 2009, Rene Hollan wrote:
What, if any, support is there in openssl to support OCSP stapling?
I have code that does an OCSP check for received certs, but obviously
want to play nice and make use of any stapled OCSP response first,
It is supported in the latest versions