on my desktop to wget in the VM.
-Original Message-
From: openssl-users On Behalf Of Viktor
Dukhovni
Sent: Friday, 16 September 2022 16:22
To: openssl-users@openssl.org
Subject: Re: AW: [EXTERNAL] Stricter pathlen checks in OpenSSL 1.1.1 compared
to 1.0.2?.
On Fri, Sep 16, 20
On Fri, Sep 16, 2022 at 02:11:38PM +, Andrew Lynch via openssl-users wrote:
> http://sm-pkitest.atos.net/cert/Atos-Smart-Grid-Test.CA.2.crt
>
> I’ve also asked my colleagues why the download is http instead of https…
You should look to multiple independent sources to validate the
authenticit
-users On Behalf Of Andrew
Lynch via openssl-users
Sent: Friday, 16 September 2022 15:53
To: Corey Bonnell ; openssl-users@openssl.org
Subject: AW: [EXTERNAL] Stricter pathlen checks in OpenSSL 1.1.1 compared to
1.0.2?.
Hi Corey,
I believe Viktor has explained the issue sufficiently
removed that everything was fine as the verify then used
the self-signed SN2 root directly.
Regards,
Andrew.
From: Corey Bonnell
Sent: Friday, 16 September 2022 14:23
To: Andrew Lynch ; openssl-users@openssl.org
Subject: RE: [EXTERNAL] Stricter pathlen checks in OpenSSL 1.1.1 compar
On Fri, Sep 16, 2022 at 08:32:27AM +, Andrew Lynch via openssl-users wrote:
> So is this a possible bug or a feature of OpenSSL 1.1.1? (using
> 1.1.1n right now)
OpenSSL 1.1.1 is doing the right thing.
> If I set up the content of CAfile or CApath so that E <- D <- C <- A
> is the only path
diagnosing the issue.
Thanks,
Corey
From: openssl-users On Behalf Of Andrew
Lynch via openssl-users
Sent: Friday, September 16, 2022 4:32 AM
To: openssl-users@openssl.org
Subject: AW: [EXTERNAL] Stricter pathlen checks in OpenSSL 1.1.1 compared to
1.0.2?.
So is this a possible bug or a
rstag, 15. September 2022 19:51
To: Andrew Lynch
Cc: openssl-users@openssl.org
Subject: Re: [EXTERNAL] Stricter pathlen checks in OpenSSL 1.1.1 compared to
1.0.2?.
Assuming that all self-signed certificates are trusted (here, A and B), then
providing a CAfile with D+C+B+A to validate E, the different
On Thu, Sep 15, 2022 at 05:34:07PM +, Andrew Lynch via openssl-users wrote:
> Why is OpenSSL 1.0.2 verifying successfully? Does it not check the
> path length constraint or is it actually picking the depth 2 chain
> instead of the depth 3?
There are two important differences between 1.0.2 an
Assuming that all self-signed certificates are trusted (here, A and B),
then providing a CAfile with D+C+B+A to validate E, the different possible
paths are:
- E <- D <- B: this path is valid
- E <- D <- C <- A: this path is valid
In the validation algorithm described in RFC5280 and X.509, the
p
Hi,
I would like to have my understanding of the following issue confirmed:
Given a two-level CA where the different generations of Root cross-sign each
other, the verification of an end-entity certificate fails with OpenSSL 1.1.1 -
"path length constraint exceeded". With OpenSSL 1.0.2 the sam