From: Dave Thompson
Yes, the server has a custom root cert that isn't installed on this
machine. I am happy that the server cert is correct.
For testing that's okay, but I hope in real use you are verifying.
Otherwise an active attacker may be able to MITM your connections.
Production
From: owner-openssl-users On Behalf Of Ben Arnold
Sent: Friday, November 08, 2013 10:45
snip
I have tried using s_client and it fails with the same handshake failure.
Please see below.
Attaching a PCAP file of the traffic is much more useful than hex packet
dumps.
You're right of
From: Viktor Dukhovni
You can test with s_client(1) and compare results. Is your client
certificate an RSA certificate? How many bits of public key? Is its
signature SHA1 or SHA256?
It's a 2048 bit RSA SHA1 certificate, but I think Dave Thompson's right and
it's not getting that far.
On Thu, Nov 07, 2013 at 12:29:13PM +, Ben Arnold wrote:
I am using SSL_CTX_set_client_cert_cb to provide the client
certificate when needed. I have a problem in that OpenSSL 1.0.1e
does not trigger this callback for all websites that I expect it
to, only some. Instead on the failing
From: owner-openssl-users On Behalf Of Viktor Dukhovni
Sent: Thursday, November 07, 2013 11:02
On Thu, Nov 07, 2013 at 12:29:13PM +, Ben Arnold wrote:
I am using SSL_CTX_set_client_cert_cb to provide the client
certificate when needed. I have a problem in that OpenSSL 1.0.1e
does
Do you still see an error if you specify one cipher? f.e. AES256-SHA?
On 2013-11-07 22:26, Dave Thompson wrote:
From: owner-openssl-users On Behalf Of Viktor Dukhovni
Sent: Thursday, November 07, 2013 11:02
On Thu, Nov 07, 2013 at 12:29:13PM +, Ben Arnold wrote:
I am using
On Sun, Nov 14, 2010, Timur Elzhov wrote:
Hi, openssl experts!
It's required to transfer data to Apple Push service that is located at
gateway.sandbox.push.apple.com:2195. I'm given the certificate and private
key both included in Certificate_and_key.pem. Trying to connect:
$ openssl
I don't have the specific code, but it's not that much. I take it that
you're issuing your own certs with the acceptable client ip in the
subjectAltName - you might want to allow a range.
I have similar code but not for this purpose, so let's see if I can put
them together. My code looks at the
Andy Schneider wrote:
Does anyone have any canned code I could steal that does IP address
validation? I.e. grabs the IP address from the alt subject name and
compares it against the IP of the incoming socket?
No I don't. But in outline you need to extract and decode the subject
alt name