On 8/16/2019 9:34 AM, Erwann Abalea via openssl-users wrote:
> Remove the 2 Netscape extensions, they're way obsolete (don't know why
> OpenSSL keeps them by default).
>
Is there a preferred alternative to the "Netscape Comment"? That seems
like a useful attribute, and I don't find anything
On 8/16/19 12:34 PM, Erwann Abalea wrote:
Bonjour,
Having a critical extension adds 3 octets (the BOOLEAN tag, length=1,
value=0xff). It may, as a side effect, enlarge the number of octets necessary
to encode some structure size.
Remove the 2 Netscape extensions, they're way obsolete
Bonjour,
Having a critical extension adds 3 octets (the BOOLEAN tag, length=1,
value=0xff). It may, as a side effect, enlarge the number of octets necessary
to encode some structure size.
Remove the 2 Netscape extensions, they're way obsolete (don't know why OpenSSL
keeps them by default).
Viktor,
On 8/16/19 8:41 AM, Viktor Dukhovni wrote:
On Aug 16, 2019, at 6:13 AM, Salz, Rich via openssl-users
wrote:
subjectAltName is rarely marked as critical; sec 4.2.1.6 of PKIX says "SHOULD mark
subjectAltName as non-critical"
This is wrong. When the subject DN is empty, the
> On Aug 16, 2019, at 6:13 AM, Salz, Rich via openssl-users
> wrote:
>
> subjectAltName is rarely marked as critical; sec 4.2.1.6 of PKIX says "SHOULD
> mark subjectAltName as non-critical"
This is wrong. When the subject DN is empty, the subjectAltName should be
marked as critical. IIRC
On 8/16/19 7:58 AM, Salz, Rich wrote:
In the same paragraph, the sentence before the one you're quoting says "If the
subject field contains an empty sequence, then the issuing CA MUST include a
subjectAltName extension that is marked as critical."
I will run another test today
> In the same paragraph, the sentence before the one you're quoting says "If
> the subject field contains an empty sequence, then the issuing CA MUST
> include a subjectAltName extension that is marked as critical."
> It's not possible to have a missing subject name in a certificate,
Bonjour,
In the same paragraph, the sentence before the one you're quoting says "If the
subject field contains an empty sequence, then the issuing CA MUST include a
subjectAltName extension that is marked as critical."
It's not possible to have a missing subject name in a certificate, the
On 8/15/19 4:13 PM, Salz, Rich wrote:
subjectAltName is rarely marked as critical; sec 4.2.1.6 of PKIX says "SHOULD mark
subjectAltName as non-critical"
Fine with me.
I can believe that OpenSSL doesn't support empty subjectNames. An empty one,
with no relative distinguished name
subjectAltName is rarely marked as critical; sec 4.2.1.6 of PKIX says "SHOULD
mark subjectAltName as non-critical"
I can believe that OpenSSL doesn't support empty subjectNames. An empty one,
with no relative distinguished name components, is not the same as not present.
On Sat, Nov 15, 2003 at 06:40:26PM -0500, David wrote:
What kind of voodoo is required to get a client to send a cert?
Both client and server are calling SSL_CTX_use_certificate_file() and
SSL_CTX_use_PrivateKey_file(), and the server is calling
SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER,NULL).
Check these pages:
http://www.mysql.com/doc/en/Secure_basics.html
http://www.mysql.com/doc/en/Secure_Create_Certs.html
http://www.mysql.com/doc/en/Secure_GRANT.html
You need to have a certificate for the server and the client signed by
the same CA.
Hope this helps
Bart...
-Original