Re: Certificate verification with cross signed CAs (James)

2024-07-02 Thread James
ssl-users > wrote: > > From: James <mailto:openssl-us...@natsuki.co.uk> > To: mailto:openssl-users@openssl.org > Subject: Re: Certificate verification with cross signed CAs > Message-ID: <mailto:c457519e-e386-4df8-84ec-9efb7a0f9...@natsuki.co.uk> > Content-Type: t

Re: Certificate verification with cross signed CAs (James)

2024-07-02 Thread Martin Bonner via openssl-users
From: James <mailto:openssl-us...@natsuki.co.uk> To: mailto:openssl-users@openssl.org Subject: Re: Certificate verification with cross signed CAs Message-ID: <mailto:c457519e-e386-4df8-84ec-9efb7a0f9...@natsuki.co.uk> Content-Type: text/plain; charset="utf-8" > The certif

Re: Certificate verification with cross signed CAs

2024-07-02 Thread James
The certificates are attached below. The use case is client A only has ta_primary_cert.pem and client B only has ta_secondary_cert.pem. I’m trying to build a chain that the server can use (in the server hello) so that both client A and client B can successfully connect. Since openssl verify -trusted ta

Re: Certificate verification with cross signed CAs

2024-07-01 Thread Viktor Dukhovni
On Mon, Jul 01, 2024 at 03:54:46PM +0100, James Chapman wrote: > I’ve been using openssl verify to check some certificate chains: > > server -> ca -> roota > server -> alt_ca-> rootb > > Certificates ca and alt_ca have the same subject and public key and different > issuers. > > openssl veri

Re: certificate verification error OpenSSL 1.1.1

2020-03-03 Thread Jakob Bohm via openssl-users
On 2020-03-03 08:19, Viktor Dukhovni wrote: On Mon, Mar 02, 2020 at 01:48:20PM +0530, shiva kumar wrote: when I tried to verify the self signed certificate in OpenSSL 1.0.2 it is giving error 18 and gives OK as o/p, when I tried the same with OpenSSL 1.1.1 there is slight change in the beha

Re: certificate verification error OpenSSL 1.1.1

2020-03-02 Thread Viktor Dukhovni
On Mon, Mar 02, 2020 at 01:48:20PM +0530, shiva kumar wrote: > when I tried to verify the self signed certificate in OpenSSL 1.0.2 it > is giving error 18 and gives OK as o/p, when I tried the same with OpenSSL > 1.1.1 there is slight change in the behavior it also gives the same error, > but

Re: certificate verification error OpenSSL 1.1.1

2020-03-02 Thread shiva kumar
Hi, can you please tell me more about 1) How to verify a self signed (.crt) key in OpenSSL 1.1.1? 2) Is key generated by OpenSSL 1.0.2 can be used to connect with OpenSSL 1.1.1 and vice versa? Thanks and regards Shivakumar On Mon, Mar 2, 2020 at 2:36 PM Dmitry Belyavsky wrote: > First, I recomm

Re: certificate verification error OpenSSL 1.1.1

2020-03-02 Thread Dmitry Belyavsky
First, I recommend you not to hurry up :) Second, the validation procedures have changed between 1.0.2 and 1.1.1, 1.1.1 checks more strictly. E.g., a self-signed certificate without "CA:TRUE" will be treated as valid CA cert in 1.0.2 but not valid in 1.1.1 On Mon, Mar 2, 2020 at 12:01 PM shiva

Re: certificate verification error OpenSSL 1.1.1

2020-03-02 Thread shiva kumar
Hi, Please help me, is this an expected behavior? On Mon, Mar 2, 2020 at 1:48 PM shiva kumar wrote: > when I tried to verify the self signed certificate in OpenSSL 1.0.2 it > is giving error 18 and gives OK as o/p, when I tried the same with OpenSSL > 1.1.1 there is slight change in the beha

Re: certificate verification problem

2014-10-31 Thread thomas
On 10/31/2014 03:24 PM, Dave Thompson wrote: >> From: owner-openssl-us...@openssl.org On Behalf Of tho...@koeller.dyndns.org >> Sent: Thursday, October 30, 2014 14:50 > >> I have... root_ca.pem ... self-signed ... issued host_ca.pem ... >> I would expect the two to form a valid chain. And indeed,

RE: certificate verification problem

2014-10-31 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of tho...@koeller.dyndns.org > Sent: Thursday, October 30, 2014 14:50 > I have... root_ca.pem ... self-signed ... issued host_ca.pem ... > I would expect the two to form a valid chain. And indeed, > verification succeeds: > ... openssl verify -CAf

RE: Certificate verification failed, error 7 (certificate signature failure) depth 2

2009-10-13 Thread Eisenacher, Patrick
> I'm currently trying to integrate wpa_supplicant and OpenSSL 0.9.8k to > authenticate to a wireless network using EAP-TLS. It seems > like I'm failing > on verifying the server certificate. Can anybody interpret > the error for me > > error:0D0C50A1:asn1 encoding > routines:ASN1_item_verify:unkno

Re: Certificate Verification: Error (7): certificate signature failure

2009-07-10 Thread Jon Schmidt
To close out this issue in the hopes that this will be of use to someone in the future, Dr. Henson greatly helped in tracking the problem down to a PHP extension that was calling EVP_cleanup(). "When you have a shared library using OpenSSL and multiple applications things like algorithm tables

Re: Certificate Verification: Error (7): certificate signature failure

2009-07-08 Thread Jon Schmidt
Further information: I have disabled the ssl session cache and keepalives and am now able to trigger this issue within a few page calls. I have also set the apache log to debug and this is what is recorded from the server side. At this point, considering I am seeing this across multiple type

Re: certificate verification failed for postfix relayhost

2009-01-23 Thread Victor Duchovni
On Fri, Jan 23, 2009 at 08:26:12AM +0100, gabrix wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > Hi list ! > I run debian lenny/sid and postfix is my MTA . > My relayhost uses a selfsigned CA certificate which i have imported as > /etc/ssl/certs/myisp.crt and linked as > /usr/share

Re: Certificate verification fails on MIPS architecture

2008-05-27 Thread Lutz Jaenicke
Till Elsner wrote: > I tried to track down the problem, but it still seems that, when it > comes to certificate verification, on the OpenWRT fails what works on > a standard linux desktop PC. I wrote a short program that validates > certificates, that I'll append to this mail. If someone has some

Re: Certificate verification fails on MIPS architecture

2008-05-26 Thread Till Elsner
I tried to track down the problem, but it still seems that, when it comes to certificate verification, on the OpenWRT fails what works on a standard linux desktop PC. I wrote a short program that validates certificates, that I'll append to this mail. If someone has some MIPSEL platform ava

Re: Certificate verification fails on MIPS architecture

2008-05-26 Thread Till Elsner
On 26.05.2008 at 13:13, Lutz Jaenicke wrote: Till Elsner wrote: Ok, after verifying what platform I'm actually compiling for, it's definitely little-endian (Linksys WRT54G running on Broadcom BCM4712). So what else could be the problem here? On 24.05.2008 at 22:23, Lutz Jänicke wrote: I

Re: Certificate verification fails on MIPS architecture

2008-05-26 Thread Lutz Jaenicke
Till Elsner wrote: > > On 26.05.2008 at 13:13, Lutz Jaenicke wrote: > >> Till Elsner wrote: >>> Ok, after verifying what platform I'm actually compiling for, it's >>> definitely little-endian (Linksys WRT54G running on Broadcom BCM4712). >>> So what else could be the problem here? >>> >>> On 24.05

Re: Certificate verification fails on MIPS architecture

2008-05-26 Thread Lutz Jaenicke
Till Elsner wrote: > Ok, after verifying what platform I'm actually compiling for, it's > definitely little-endian (Linksys WRT54G running on Broadcom BCM4712). > So what else could be the problem here? > > On 24.05.2008 at 22:23, Lutz Jänicke wrote: >> I am not aware of any specific problems of O

Re: Certificate verification fails on MIPS architecture

2008-05-26 Thread Till Elsner
Ok, after verifying what platform I'm actually compiling for, it's definitely little-endian (Linksys WRT54G running on Broadcom BCM4712). So what else could be the problem here? On 24.05.2008 at 22:23, Lutz Jänicke wrote: Till Elsner wrote: Hi, I'm running a program using some OpenSSL

Re: Certificate verification fails on MIPS architecture

2008-05-24 Thread Lutz Jänicke
Till Elsner wrote: Hi, I'm running a program using some OpenSSL features for certificate handling on an MIPS architecture (Linksys WRT router with OpenWRT firmware). On an x86 Linux everything works fine, but on the router the certificate verification using X509_verify_cert fails. The certi

Re: Certificate verification fails on MIPS architecture

2008-05-23 Thread Michael S. Zick
On Fri May 23 2008 16:24, Till Elsner wrote: > On 23.05.2008 at 05:44, Michael S. Zick wrote: > > > On Thu May 22 2008 16:59, Till Elsner wrote: > >> Hi, > >> > >> I'm running a program using some OpenSSL features for certificate > >> handling on an MIPS architecture (Linksys WRT router with Open

Re: Certificate verification fails on MIPS architecture

2008-05-23 Thread Till Elsner
On 23.05.2008 at 05:44, Michael S. Zick wrote: On Thu May 22 2008 16:59, Till Elsner wrote: Hi, I'm running a program using some OpenSSL features for certificate handling on an MIPS architecture (Linksys WRT router with OpenWRT firmware). On an x86 Linux everything works fine, but on the rout

Re: Certificate verification fails on MIPS architecture

2008-05-22 Thread Michael S. Zick
On Thu May 22 2008 16:59, Till Elsner wrote: > Hi, > > I'm running a program using some OpenSSL features for certificate > handling on an MIPS architecture (Linksys WRT router with OpenWRT > firmware). On an x86 Linux everything works fine, but on the router > the certificate verification usi

Re: Certificate verification in C

2008-01-28 Thread Bobby Krupczak
Hi! >Now I would like to write a C program doing the same. For this, I used >Viega and Messier's Secure Programming Cookbook, recipe 10.5 (BTW, I >am not sure the workaround they propose there is still necessary with >latest versions of openssl any hint welcome). I used the exampl

Re: Certificate verification in C

2008-01-18 Thread Dr. Stephen Henson
On Fri, Jan 18, 2008, ediemens wrote: > > The problem is that, when verifying the same certificate as before, I now > get a "certificate signature failure" error message, and cannot figure out > what the problem is. > You are missing a call to OpenSSL_add_all_algorithms(). See the FAQ and manua

Re: Certificate Verification

2006-11-15 Thread Marek Marcola
Hello, > I'm working on an application that receives an x509 certificate along > with a request. I want to confirm that the certificate has not been > altered (perhaps to change the "not_after" time). > > Does the following command give this confirmation: > > $ openssl verify -CAfile trusted.cer

RE: Certificate Verification

2006-10-12 Thread Aaron Smith
name of cacert.pem but it still couldn’t find it.   From: owner-openssl-users@openssl.org [mailto:owner-openssl-users@openssl.org] On Behalf Of Vincenzo Sciarra Sent: Thursday, October 12, 2006 4:29 AM To: openssl-users@openssl.org Subject: Re: Certificate Verification   Try to

Re: Certificate Verification

2006-10-12 Thread Vincenzo Sciarra
Try to add the CA certificate to cacert.pem default openssl CA certificate Simply: cat MScaCERT.pem >> cacert.pem 2006/10/12, Dr. Stephen Henson <[EMAIL PROTECTED]>: On Wed, Oct 11, 2006, Aaron Smith wrote: > Ok. This is hopefully a simple question, and one that I see > quite a b

Re: Certificate Verification

2006-10-11 Thread Dr. Stephen Henson
On Wed, Oct 11, 2006, Aaron Smith wrote: > Ok. This is hopefully a simple question, and one that I see > quite a bit in the archives. However, everything I've tried and gleaned > from searching the archives have come up nothing. I have server > certificate from a Microsoft Domain C

Re: certificate verification and Sub CAs

2002-03-29 Thread Harald Koch
Of all the gin joints in all the towns in all the world, "Shaw, George" had to walk into mine and say: > > It sounds to me like he does trust the root CA, he just wants to deny access > to certain Sub CAs. Correct. Specifically, "everyone else" :-) > I think you would need to program this into

Re: certificate verification and Sub CAs

2002-03-27 Thread Harald Koch
> This problem arises because of the structure behind the PKI. If your > root CA cannot be trusted, you should also not trust the certificates > issued by its sub-CAs. It's not that I don't trust the Root CA; I don't trust other sub-CAs of the Root CA, A minor but important point. The Root CA mig

Re: certificate verification and Sub CAs

2002-03-27 Thread Lutz Jaenicke
On Thu, Mar 21, 2002 at 03:43:00PM -0500, Harald Koch wrote: > So I'm attempting to verify a certificate with OpenSSL 0.9.7 snapshot > (various versions). I trust my own CA, whose certificate is issued by a > Root (self-signed) CA that I do not wish to trust, because it has also > issued a CA cert

Re: Certificate verification

2001-01-10 Thread jkunz
On 10 Jan, Oleg Amiton wrote: > however server asks for client certificate at _every_ connection - > browser displays corresponding dialog. That is what you wanted when you set "VerifyMode = SSL_VERIFY_PEER". :-) If you don't want verification at every connect you have to use SSL_VERIFY_NONE, con

Re: Certificate verification

2001-01-10 Thread Lutz Jaenicke
On Wed, Jan 10, 2001 at 01:09:09PM +0300, Oleg Amiton wrote: > Hi, all! > > Can you clear me one question about certificate verification? > My SSL-enabled server, written with OpenSSL-0.9.6, accepting client > (browser) connections with SSL_CTX ctx, previously initialized as: > > int VerifyMode

Re: certificate verification

2000-10-12 Thread Vadim Fedukovich
On Wed, 11 Oct 2000, Adam Wiggins wrote: > > Greetings, > >I am writing a client/server app in which the client needs to validate > that the server it is connecting to is actually who it claims to be. > The server is using a self-signed certificate. The logic would > (hopefully) be along t