Thanks Dave for the explanation.
One doubt regarding the sentence "If a subjectAltName extension of type dNSName
is present, that MUST
be used as the identity" (RFC 2818).
What does this line mean?
Does it say if a certificate has a different CN in the issuer subject field
but SubAltname: x.x.x.x which
From: owner-openssl-us...@openssl.org On Behalf Of Mr.Rout
Sent: Wednesday, 18 January, 2012 02:52
snip
root@1143726:/usr/bin# openssl s_client -connect 10.204.4.69:7003
WARNING: can't open config file: /usr/ssl/openssl.cnf
CONNECTED(0003)
depth=0 C = IN, ST = Karnataka, L =
From: owner-openssl-us...@openssl.org On Behalf Of Mr.Rout
Sent: Saturday, 03 December, 2011 02:56
My TLS client can validate both CN and SN i need to test both the
scenario.
I don't know how to create certificate with subjectAltName
extension using openssl commands.
In the RFC-2818
On 07/20/2011 12:45 PM, Gaglia wrote:
...
Feedbacks always appreciated, in case somebody has further investigated
the issue :)
__
OpenSSL Project http://www.openssl.org
User Support Mailing List
On 07/16/2011 07:13 PM, y...@inbox.lv wrote:
...
So everybody here seems to agree that steps 1)...7) I listed in the
first post are correct, and that the problem in EC management lies in
OpenVPN, right?
On 07/16/2011 06:50 AM, y...@inbox.lv wrote:
openssl dgst -ripemd160 -sign ec5_ca.key shr.o.txt
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Error setting context
My premise is that we are considering only OpenSSL v 1.0.0. Under this
condition, as I wrote in the first post, I
On Sat, Jul 16, 2011, y...@inbox.lv wrote:
openssl dgst -ripemd160 -sign ec5_ca.key shr.o.txt
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Error setting context
5664:error:100C508A:elliptic curve routines:PKEY_EC_CTRL:invalid digest type:.\crypto\ec\ec_pmeth.c:229:
sha256 worked. (both for dgst and for req)
If i understand correctly, ECDSA algorithm only needs hash as a
defined length
bitstring, so adapting ripemd in place of sha1 should have been
easier than
sha256 (because ripemd has the same length as sha1, sha256 is
longer).
Quoting *Dr.
On Thu, Jul 14, 2011 at 3:35 PM, Jeffrey Walton noloa...@gmail.com wrote:
On Thu, Jul 14, 2011 at 6:22 PM, Kyle Hamilton aerow...@gmail.com wrote:
Dismissed or withdrawn? It seems to me Certicom stopped biting a hand
that feeds it.
Jeff
Looking at the docket, it looks like they reached an
On 07/15/2011 08:23 AM, Kyle Hamilton wrote:
...
Excuse me, I got lost somewhere... Does this mean that it is not
possible to use EC crypto with OpenSSL because the algorithms are
patented? If so, why OpenSSL does provide support to EC crypto?
Sorry, I don't want to start a religion war, but as
Version of ECDSA available in openssl 1.0.0d supports only SHA1.
(maybe there are patches, which adds other hash functions, but
default build on win32 supports only sha1).
ECDH and ECDSA are not guaranteed to use the same curve. At least
with s_server curve for ECDSA is specified in
On Fri, Jul 15, 2011, y...@inbox.lv wrote:
Version of ECDSA available in openssl 1.0.0d supports only SHA1.
(maybe there are patches, which adds other hash functions, but
default build on win32 supports only sha1).
What makes you think that? OpenSSL 0.9.8 only supports SHA1 with ECDSA in
On Fri, Jul 15, 2011 at 10:32 AM, Gaglia san...@paranoici.org wrote:
On 07/15/2011 08:23 AM, Kyle Hamilton wrote:
...
Excuse me, I got lost somewhere... Does this mean that it is not
possible to use EC crypto with OpenSSL because the algorithms are
patented? If so, why OpenSSL does provide
On 07/15/2011 05:36 PM, Kyle Hamilton wrote:
...
EC is considered to be a patent minefield. Some people (RSA Data
Security) say that it's possible to implement EC cryptography using
different types of algorithms which are not covered by the patents.
Other people (Bruce Schneier, US NSA) say
On Fri, Jul 15, 2011 at 5:36 PM, Kyle Hamilton aerow...@gmail.com wrote:
On Fri, Jul 15, 2011 at 10:32 AM, Gaglia san...@paranoici.org wrote:
On 07/15/2011 08:23 AM, Kyle Hamilton wrote:
...
Excuse me, I got lost somewhere... Does this mean that it is not
possible to use EC crypto with
openssl dgst -ripemd160 -sign ec5_ca.key shr.o.txt
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Error setting context
5664:error:100C508A:elliptic curve routines:PKEY_EC_CTRL:invalid digest type:.\crypto\ec\ec_pmeth.c:229:
Also, in documentation on pkeyutl program is
ECDSA is the elliptical curve (discrete-logarithm-based) variant of DSA, the
Digital Signature Algorithm. DSA was developed by the US National Security
Agency as a means of creating prime-factorization-based signatures without
providing code paths which would permit the encryption of
On Thu, Jul 14, 2011 at 6:22 PM, Kyle Hamilton aerow...@gmail.com wrote:
ECDSA is the elliptical curve (discrete-logarithm-based) variant of DSA, the
Digital Signature Algorithm. DSA was developed by the US National Security
Agency as a means of creating prime-factorization-based signatures
On 07/11/2011 05:27 AM, y...@inbox.lv wrote:
When i searched on it, it seemed that ECDH requires specified named
curve
You need to specify the curve's name, like this:
openssl ecparam -name sect571k1
but this should only be done in the parameters generation stage, the
generated
On 07/05/2011 03:23 PM, Gaglia wrote:
I'm trying to make an OpenVPN setup with Elliptic Curves cryptography
and SHA-512 on Linux Debian.
No idea anybody, really? :(
When i searched on it, it seemed that ECDH requires specified named
curve, and openVPN does not have a means of specifying it. Also, it
seems that ECDSA works only with SHA-1 (I also would like to know,
why it cannot take any 160 bit hash). I searched about it few weeks
ago and relevant
On Sun, Jul 03, 2011, Ritesh Rekhi wrote:
Hi ,
I need little help in implementing RFC 5746 on server, as per RFC it is not
very clear on how to tell clients that Server doesn't support renegotiation.
If anybody knows a way to tell clients that server doesn't support
renegotiation ,
Hi Bizhan,
The command BN_num_bytes(rsa_public_key->e) returns the size
of the exponent part of the public key, and it is 3 bytes. 10001.
Could this be a valid value?
Yes. Typical values are 3, 17, and 65535.
We have a system that requires public key exponent to be 4 bytes,
could I pad the
At 01:20 PM 6/16/2008, Michael Sierchio wrote:
RC4 is owned (and trademarked) by RSA Security Inc, but they are no
longer enforcing the patent,
RC4 was never protected by patent, but by trade secret. When the
details of the algorithm were published, Ron Rivest himself suggested
calling the
Hi,
Use the tool Dependency Walker (http://www.dependencywalker.com/) to look
at the exported functions of libeay32.dll. If it exports RC5, you will see
exported symbols starting with RC5. For MDC2, you'll find symbols starting
with MDC2 and etc...
Cheers,
--
Mounir IDRASSI
IDRIX
Hi,
Is there any binary distribution where I can find SSL dlls without
patented algorithms like IDEA,MDC2,RC4,RC5 etc. I tried compiling
without them. I could exclude other algos but not RC4. Some linking
issues. So i need to know if there is any ssl release without the
patented algorithms.
On
On 6/16/08, bagavathy raj [EMAIL PROTECTED] wrote:
Hi,
Is there any binary distribution where I can find SSL dlls without
patented algorithms like IDEA,MDC2,RC4,RC5 etc. I tried compiling
without them. I could exclude other algos but not RC4. Some linking
issues. So i need to know if there is
RC4 is owned (and trademarked) by RSA Security Inc, but they are no
longer enforcing the patent,
RC4 was never protected by patent, but by trade secret. When the
details of the algorithm were published, Ron Rivest himself suggested
calling the alleged RC4 ARCFOUR. It is indeed a trademark
Hi,
Tried the given function, it compiles but throws error Run-Time Check
Failure #3 - The variable 'rsa' is being used without being defined.. Any
clue?? And the char * buf contains the key right??
Thanks Regards
Shalmi
Marek Marcola wrote:
Hello,
ok i l try that.let me know u ..
Hello,
I have a RSA key information on buffer.i want to merge with buffer
content to SSLcontext object.
i am using
SSL_CTX_use_RSAPrivateKey_ASN1(ctxr[i],keyinfo,strlen(keyinfo)) this
SSL API.
that API is failing . it gives following error message.
9755: error:0D0680A8:asn1
i tried that way, now its generating coredump files.is there any other way to
solve that issue...
Marek Marcola [EMAIL PROTECTED] wrote: Hello,
I have a RSA key information on buffer.i want to merge with buffer
content to SSLcontext object.
i am using
ok i l try that.let me know u ..
Marek Marcola [EMAIL PROTECTED] wrote: Hello,
i tried that way, now its generating coredump files.is there any other
way to solve that issue...
You should use something like that (buf and len has your key):
unsigned char *p;
RSA *rsa = NULL;
p = buf;
Hello,
i tried that way, now its generating coredump files.is there any other
way to solve that issue...
You should use something like that (buf and len has your key):
const unsigned char *p;
RSA *rsa = NULL;
p = buf;
/* d2i_RSAPrivateKey() takes the address of the pointer and advances it */
if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {
    goto err;
}
if
i tried that way,buffer information is not DER format.
buffer header like this.
-----BEGIN RSA PRIVATE KEY-----
..
-----END RSA PRIVATE KEY-----
Is there any other way to resolve that problem?
Marek Marcola [EMAIL
Hello,
ok i l try that.let me know u ..
You may try something like that (not tested):
int rsa_read_pem(RSA **rsa, char *buf, int len)
{
    BIO *mem;
    if ((mem = BIO_new_mem_buf(buf, len)) == NULL) {
        goto err;
    }
    *rsa = PEM_read_bio_RSAPrivateKey(mem, NULL, NULL, NULL);
thank you, its working fine.
Marek Marcola [EMAIL PROTECTED] wrote: Hello,
ok i l try that.let me know u ..
You may try something like that (not tested):
int rsa_read_pem(RSA **rsa, char *buf, int len)
{
    BIO *mem;
    if ((mem = BIO_new_mem_buf(buf, len)) == NULL) {
        goto err;
    }
Hi,
The -Vafile option is used for explicitly trusting the responder certificate of the ocsp server. So if you omit this option you will get the "unable to get local issuer certificate" error.
To get this command working:
openssl ocsp -url http://ocsp.verisign.com:8080 -issuer ROOT_CA.pem -VAfile
Hi, Thanks a lot prakash for your reply. Actually my application works in this way:
1) I will get the x.509 certificate from any server (lets say) yahoo.com, now from that i will extract
yahoo.com user certificate (may be issued by verisign or others), issuers root certificate.
2) Now i need to check
Maybe your URL is wrong. I just tried this:
openssl ocsp -issuer VeriSignClientECA.pem -url
http://ocsp.verisign.com -cert eca_usr_cert.pem
-VAfile tgv.pem -no_nonce -text
and it works fine as follows:
D:\prjs\ocsp\newEcaCAopenssl ocsp -issuer
VeriSignClientECA.pem -url http://ocs
It is the OCSP responder cert. I suppose you already
have that, right? Or you can use this one which will
expire on Sep 15, 2005 though.
-BEGIN CERTIFICATE-
MIID2jCCA0OgAwIBAgIQaVnCDg78Yj+N1V5h9xQh0jANBgkqhkiG9w0BAQUFADCB
lDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UE
On Tue, Aug 16, 2005, varma d wrote:
But, In this command what is the purpose of OCSPServer.pem, i still dont
understand the purpose of OCSPServer.pem as we need to just send our request
and expect a response from OCSP responder irrespective of OCSPServer.pemfile.
This is an issue of
Hi,
did you link against the openssl-libs (eg. crypto / ssl)? Did you use an (ANSI-)
c compiler or a c++ compiler?
Try
cc(?) prueba.c -I/usr/local/ssl/include -L/path/to/openssl/libs -lcrypto -lssl
Good luck,
Sebastian
Silvia Gisela Pavon Velasco wrote:
I have sent this before and got no
I will reply for you...but, I have never setup anything as you asking.
I'm sorry.
I'm sure somewhere there is a forum that can address this issue.
Maybe this is not that forum.
miles
-Original Message-
From: Silvia Gisela Pavon Velasco [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 17,
It's been a few years since I've worked on HP-UX and I don't have access
to a machine running that OS currently.
but here's what I remember. I hope it's accurate. I've plucked
a couple settings out of old Makefiles that I've saved - you'll have to
see where to add the settings in your
From what I can see, SSL is defined as typedef struct ssl_st SSL in
ssl.h. If you search for struct ssl_st in ssl.h you will find the
definition for that structure.
Hope that helps!
On Sat, 2004-10-02 at 19:00, lu lu wrote:
Hi, list members.
I really want help very much. I asked this
http://www.openssl.org/support/
On Fri, 20 Aug 2004, Buddy wrote:
Anyone out there, please help me! I am disabled and do not want to continue to see
your conversations, although I appreciate the reason and the cause of the
conversations.
I just want off the list.
Thanks,
Buddy
-
I *think* I understand it now, but any clarification etc. would still be
most appreciated.
Steve
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of steve thornton
Sent: 23 July 2003 10:09
To: [EMAIL PROTECTED]
Subject: Please help
Hi
I've been trying to
On Wed, Jul 23, 2003, steve thornton wrote:
Hi
I've been trying to edit and rebuild the ASN.1 database using objects.pl. I
am having problems understanding what is going on. As I understand it, the
file to edit is objects.txt, but if I change this file in any way, then
objects.pl no longer
]
[mailto:[EMAIL PROTECTED] Behalf Of Dr. Stephen Henson
Sent: 23 July 2003 12:36
To: [EMAIL PROTECTED]
Subject: Re: Please help
On Wed, Jul 23, 2003, steve thornton wrote:
Hi
I've been trying to edit and rebuild the ASN.1 database using objects.pl.
I
am having problems understanding what is going
On Wed, Jul 23, 2003, steve thornton wrote:
Yes I've noticed this. Basically I am making an embedded client, and am
looking for every way possible to reduce code size, and obj_dat is very big.
I've more or less concluded that it is not worth the trouble, but 24k is
24k.
It surely should be
To: [EMAIL PROTECTED]
Subject: Re: Please help
On Wed, Jul 23, 2003, steve thornton wrote:
Yes I've noticed this. Basically I am making an embedded client, and am
looking for every way possible to reduce code size, and obj_dat is very
big.
I've more or less concluded that it is not worth
On Mon, Mar 17, 2003, luke wrote:
i have try many times.
i got the same error message.
==
perl Configure VC-WIN32
.\ms\do_nt.bat
nmake -f .\ms\nt.mak
ps .net vc++(vc++ v7)
.
ui_compat.c
cl /Fotmp32\krb5_asn.obj -Iinc32
Use compiler option like: cc +DD64
eg: ./configure hpux-cc +DD64
Bye,
Durai. ( [EMAIL PROTECTED])
Hi,
Is there any variable that is supposed to be set for compiling on a 64 bit machine
like
Compaq's Tru64?? I have used the openssl library for all the machines and it works
except
for Tru64. I
: Re: Please help: SSL_read() hang after read http 100 continue
header
On Wed, Nov 13, 2002 at 09:53:34AM -0800, Lin Ma wrote:
I have a client program using Openssl to send request to and receive
response from a web server. SSL_read hangs if the web server sends the
following headers
On Wed, Nov 13, 2002 at 09:53:34AM -0800, Lin Ma wrote:
I have a client program using Openssl to send request to and receive
response from a web server. SSL_read hangs if the web server sends the
following headers.
The following is the header dump without SSL. I think the problem is the
In message [EMAIL PROTECTED]
on Mon, 22 Apr 2002 19:16:13 -0700, Paul Mallary [EMAIL PROTECTED] said:
pmallary I have been trying to figure this out on my own for the past day or so and
am stumped. I have installed all of the necessary stuff for openssl to compile but I
keep getting these
In message [EMAIL PROTECTED] on Mon, 22 Apr 2002 22:38:47 -0700, Aleksey
Sanin [EMAIL PROTECTED] said:
aleksey IMHO it's bad idea to use gcc 3.0 on Solaris now. I had very
aleksey bad experience with it in the past. If it is possible, try
aleksey gcc 2.95.3.
Is that just on Solaris, or a
I've tried it on Solaris and Linux. IMHO, in both cases it is not polished
as well as it should be. Probably there exist projects there you have to
use 3.0 because of its new features. But it's not the case for me.
Aleksey.
Richard Levitte - VMS Whacker wrote:
In message [EMAIL PROTECTED] on
On Tue, Apr 23, 2002 at 10:06:41AM +0200, Richard Levitte - VMS Whacker wrote:
In message [EMAIL PROTECTED] on Mon, 22 Apr 2002 22:38:47 -0700,
Aleksey Sanin [EMAIL PROTECTED] said:
aleksey IMHO it's bad idea to use gcc 3.0 on Solaris now. I had very
aleksey bad experience with it in the
Aleksey Sanin wrote:
IMHO it's bad idea to use gcc 3.0 on Solaris now. I had very bad experience
with it in the past. If it is possible, try gcc 2.95.3.
I've had recently the occasion to compile openssl 0.9.6 out of the box
without problem with both 2.95.3 and 3.0.3 under Solaris.
But
IMHO it's bad idea to use gcc 3.0 on Solaris now. I had very bad experience
with it in the past. If it is possible, try gcc 2.95.3.
Aleksey Sanin
Paul Mallary wrote:
I have been trying to figure this out on my own for the past day or so and am
stumped. I have installed all of the necessary
Fixed it. Had to reinstall apache+modssl
after reinstalling openssl
- Original Message -
From:
Mike K
To: [EMAIL PROTECTED]
Sent: Thursday, December 20, 2001 2:00
PM
Subject: Please help - startssl fails due
to the following errors:
[Thu Dec 20 16:48:20
Salam,
Signing a request has no relation with signing requests.
To do so try what follows:
1/ Request Generation:
openssl req -new -out cert.req
2/ request Signature:
openssl req -ca -config path/openssl.cnf -in cert.req -out cert.pem
path: path to openssl.cnf configuration
-
From: Ryan Hurst [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 26, 2001 10:15 PM
Subject: RE: Please help me!
Valery --
This field in a certificate points to where the issuer will make its
certificate revocation list available. If you are using OpenSSL or OpenCA
(based off
Valery --
This field in a certificate points to where the issuer will make its
certificate revocation list available. If you are using OpenSSL or OpenCA
(based off of OpenSSL) to issue your certificates you will want to probably
put up a web server or LDAP capable directory where you can
Title: ??: Please Help: Crypto library with Visual C++
thousand thanks for your help :D
it helps a lot and it works fine now...
Now, pls. one more thing,
I tried to decode a Base64 encoded string into
the string is (for example)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jordan C N Chong
Sent: 10 September 2001 18:04
To: [EMAIL PROTECTED]
Subject: RE: Please Help: Crypto library with Visual C++
thousand thanks for your help :D
it helps a lot and it works fine now...
Now, pls. one
Title: ??: Please Help: Crypto library with Visual C++
Hi,
Thanks for your reply. I have tried, still the memory leak problem happens :)
and the whole application crashes
my code is like this:
BIO *bio, *b64;
BIO *bio_out;
char inbuf[128];
int inlen;
b64 = BIO_new(BIO_f_base64());
bio =
your code...
End:
ERR_free_strings();
EVP_cleanup();
see u later...:)
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jordan C N Chong
Sent: 10 September 2001 19:43
To: [EMAIL PROTECTED]
Subject: RE: Please Help: BIO!!
Hi,
Thanks for your reply.
Dear Dirk,
Have a look at http://www.iconsinc.com/~agray/ossldev/nt and pick the
workspace for the version of OpenSSL you want to use (you'll still need to
download the src tarball of OpenSSLvx.y.z).
CU,
Dirk
Thanks for your reply. I don't understand here.
All I wish to do is to use the
My guess is LWP by default sends requests to port 80.
There must be a method to specify a different port...
The request string where you specified the url...
my $req = new HTTP::Request('GET', 'https://www.someserver.com');
...just gets added to the http header inside the tcp
payload and
]'
Subject: RE: PLease help! Using LWP to check to see if Secure Server is running
My guess is LWP by default sends requests to port 80.
There must be a method to specify a different port...
The request string where you specified the url...
my $req = new HTTP::Request('GET', 'https
associated with key exchanges and cert mgmt.
-Original Message-
From: Varga, Jack [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 08, 2001 2:39 PM
To: '[EMAIL PROTECTED]'
Subject: RE: PLease help! Using LWP to check to see if Secure Server is running
My guess is LWP
¾ç½Â¸ð£¬ÄúºÃ£¡
Opensslreq -new -x509 -keyout ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem
Opensslreq -out reqU.pem -keyout keyU.pem -new
Opensslca -policy policy_anything -out certU.pem -infiles reqU.pem
Opensslpkcs12 -in certU.pem -inkey reqU.pem -certfile ./demoCA/cacert.pem -out
I dont know much about modssl, but
If you set SSLVerifyClient to 1 you are telling the server
to authenticate its clients (cryptographically verify the
clients identity).
An entity (lets say somebody connecting to your server)
needs a certificate in order to be authenticated, but hardly any
web
I've been building a small https client everything has gone quite well.
Now I've been told that I need to include support for client authentication
using a standard x.509 certificate I am stumped.
How do you manage client trust to your server? how do you know
that you are really
The certificate can be an ASN1 or PEM format file. To use a certificate,
you must also have a private key file (also in PEM or ASN1 format). The
certificate must be the public key for the private key file. Both of these
files can be created using the openssl utility.
Example:
Generate a 1024
[EMAIL PROTECTED] wrote:
Hi Randal,
I am trying to get OpenSSL to import private key files.
You can load a private key with
PEM_read_PrivateKey() (defined in openssl/pem.h)
-Original Message-
From: EXT Randall Ward [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 09, 2000
Hi,
in short:
using SSL you have two parts of encryption:
first a public/secret key system (asymmetric cryptography) is used to
establish a connection and to agree for a common secret key.
When both parties have agreed to that common secret key (which is, in
short, encrypted with the public
-Im new to all this. What the plan is for me and a friend to make a
-webpage with a few different sections. We would like to be able to
-update it from one page. A page that would let us choose what section
-it will be added to, write the new news or whatever and post it
-automatically and
John Castillo wrote:
built SSLeay0.8.1b
Why are you using this old version. Upgrade to latest OpenSSL release
from http://www.openssl.org/ .
Jul 15 17:45:20 phoenix stunnel[12524]: Wrong permissions on
/usr/local/ssl/certs/stunnel.pem
Since the file stunnel.pem contains a private key
Try the following URL. It works for me with all versions of stunnel...
http://www.dtcc.edu/cs/admin/notes/ssl/
On Thu, 15 Jul 1999, John Castillo wrote:
Hello All,
Argghh.. where did my hair go!
I have been trying to configure SSL for use with my current imap server (Cyrus). I
found