509 which
> contains in the Subject Alternative Names the hostname of that server.
>
> As this is probably the dumbest type of attack someone could do (using a
> valid certificate with another domain name), I am thinking I'm doing
> something wrong. But from the documentation, I saw
.
As this is probably the dumbest type of attack someone could do (using a
valid certificate with another domain name), I am thinking I'm doing
something wrong. But from the documentation, I saw that using "verify_peer"
should perform all the verifications...
Now if not even this simple check is
I apologize for bringing this old subject back up, but I'm running into
something I wanted to poll the list on.
Based on Victor's email below, I am doing the following in my application to
set up my server to send a certificate chain *excluding* the root certificate
during a handshake.
status
achievable for you ?
Thanks a lot
Lionel
From: Sergio NNX [mailto:sfhac...@hotmail.com]
Sent: 18 March 2020 23:13
To: Lionel Monchecourt; openssl-users@openssl.org
Subject: Re: Issue generating certificate for a Samba AD - index.txt
We have been creating certificates (Root CA
familiar are you with OpenSSL?
Regards.
From: openssl-users on behalf of Lionel
Monchecourt
Sent: Thursday, 19 March 2020 8:27 AM
To: openssl-users@openssl.org
Subject: Issue generating certificate for a Samba AD - index.txt
Hi , trying to generate a certify
Hi , trying to generate a certify using
openssl copenssl ca -config /etc/ssl/user-openssl.cnf -in dc-req.pem -out
dc-cert.pem
I get the following :
Using configuration from /etc/ssl/user-openssl.cnf
Enter pass phrase for ./private/cakey.pem:
139946396877888:error:02001002:system
I have some questions about my application’s verify_callback() function and how
I handle some of the OpenSSL errors.
For example, if my client application is presented a self-signed certificate in
the handshake, verify_callback() is called with an error, for which
X509_STORE_CTX_get_error
On 2020-03-03 08:19, Viktor Dukhovni wrote:
On Mon, Mar 02, 2020 at 01:48:20PM +0530, shiva kumar wrote:
when I tried to verify the the self signed certificate in OpenSSL 1.0.2 it
is giving error 18 and gives OK as o/p, when I tried the same with OpenSSL
1.1.1 there is slight change
On Mon, Mar 02, 2020 at 01:48:20PM +0530, shiva kumar wrote:
> when I tried to verify the the self signed certificate in OpenSSL 1.0.2 it
> is giving error 18 and gives OK as o/p, when I tried the same with OpenSSL
> 1.1.1 there is slight change in the behavior it also gives the s
, I recommend you not to hurry up :)
>
> Second, the validation procedures have changed between 1.0.2 and 1.1.1,
> 1.1.1 checks more strictly.
> E.g., a self-signed certificate without "CA:TRUE" will be treated as valid
> CA cert in 1.0.2 but not valid in 1.1.1
>
>
>
&g
First, I recommend you not to hurry up :)
Second, the validation procedures have changed between 1.0.2 and 1.1.1,
1.1.1 checks more strictly.
E.g., a self-signed certificate without "CA:TRUE" will be treated as valid
CA cert in 1.0.2 but not valid in 1.1.1
On Mon, Mar 2, 2020 at 12:0
Hi,
Please help me, is this an expected behavior?
On Mon, Mar 2, 2020 at 1:48 PM shiva kumar wrote:
> when I tried to verify the the self signed certificate in OpenSSL 1.0.2 it
> is giving error 18 and gives OK as o/p, when I tried the same with OpenSSL
> 1.1.1 there is slig
when I tried to verify the the self signed certificate in OpenSSL 1.0.2 it
is giving error 18 and gives OK as o/p, when I tried the same with OpenSSL
1.1.1 there is slight change in the behavior it also gives the same error,
but instead of OK it gives different error as "*ca.crt: verific
Wojcik
Sent: Friday, February 7, 2020 3:37 PM
To: openssl-users@openssl.org
Subject: RE: TLS 1.2 handshake issue (Server Certificate request)
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On
> Behalf Of Bashin, Vladimir
> Sent: Friday, February 07, 2020 11:25
>
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Bashin, Vladimir
> Sent: Friday, February 07, 2020 11:25
> ... during that handshake the TLS server requests the client Certificate
> but our TLS client responds with the Certificates Length 0 that c
If you have the server's key and certificate, the command will be smth like
openssl s_server -key key -cert cert -CAfile
file_with_ca -verify_return_error
file_with_ca should contain a concatenation of the certs of the CAs that
should issue the client's certificate.
if you don't have the server
t;
> We are experiencing issue during the initial TLS handshake :
>
> We have the customer-issued TLS certificate that we deploy on our TLS
> client system
>
> The certs have been generated with a CSR that was generated on customer’s
> FIPS compliant server
>
> The CSR
Hello, OpenSSL experts !
We need your help in better understanding a below behavior -
We are experiencing issue during the initial TLS handshake :
We have the customer-issued TLS certificate that we deploy on our TLS client
system
The certs have been generated with a CSR that was generated
No, it's not possible,to use a webserver certificate to issue other
certificates of any kind. (Oh, it is technically possible with openssl to
create certificates which might seem valid on the surface -- just use the
webserver key to generate a self-signed CA certificate with the same
Subject
Hello
I have a wildcard certificate to implement https on our websites via sub
domains.
is it possible to generate a nominative certificate from this certificate with
openssl? (with an attribute of the type uid, name and function ...).
I would like to be able to distribute certificates
: Default certificate path taken by openssl
On Thu, Jan 09, 2020 at 06:42:36AM +, Chethan Kumar wrote:
> In Linux, if any application which uses openssl does not specify the
> path from which certificates should be read by openssl, does openssl
> try to read from default path or
tore path, but it is up to applications to
request use of the default paths for certificate validation. Many do,
some don't.
> Need help in this as there is one
> ca-bundle.crt(\usr\lib\ssl\certs\ca-bundle.crt)" file in machine and
> we use our own ca-bundle.crt in another path.
Hi all,
Need your help in quesry related to certificate used by openssl.
In Linux, if any application which uses openssl does not specify the path from
which certificates should be read by openssl, does openssl try to read from
default path or something?
Need help in this as there is one
ca
> On Dec 18, 2019, at 11:10 AM, Jan Just Keijser wrote:
>
> the short answer is no, it does not; the openssl library will let you load
> expired/invalid certificates if you do not do any explicit checks. Use a
> verify_callback and call X509_verify_cert() to check the validity.
The verify
On 18/12/19 09:54, Mody, Darshan Arvindkumar (Darshan) wrote:
Hi
We are using SSL_CTX_use_certificate and
SSL_CTX_use_certificate_chain_file APIs to load the certificates.
My query is when we are loading the certificate in the Context does
openssl verify the certificates for e.g. whether
Hi
We are using SSL_CTX_use_certificate and SSL_CTX_use_certificate_chain_file
APIs to load the certificates.
My query is when we are loading the certificate in the Context does openssl
verify the certificates for e.g. whether the certificate is expired already etc.
Thanks and Regards
Hi, all,
I recently created a certificate chain, on which some certificates
happen to have “empty” issuers/subjects. Clearly, these certificates
violate Section 4.1.2.4, RFC5280: “The issuer field MUST contain
a non-empty distinguished name (DN)”. Meanwhile, the chain can
still pass
On Fri, Oct 04, 2019 at 07:28:20PM +0530, Kalyan Kumar wrote:
> We are trying to qualify a feature which can consume ca signed certificate
> . Part of this we verified X509 v3 and v1 but unable to get the actual
> attributes for v2 creation.
>
> Is this feasible in openssl a
Hi,
We are trying to qualify a feature which can consume ca signed certificate
. Part of this we verified X509 v3 and v1 but unable to get the actual
attributes for v2 creation.
Is this feasible in openssl and also whether standard supports ?
Thanks
Hi All,
I am facinmg issue while upgrading my OpenSSL version from 1.0.2p to 1.1.1c.
I am facing the issue where "ENGINE_by_id("capi")" is not returning proper
pointer. I want to access windows certificate store with certificate and keys.
Snippet of my working code in 1.0
On Mon, Sep 02, 2019 at 06:49:40PM +0200, Alexandre Schaff wrote:
> serverside : 'openssl s_server' using certfile which has 2 root-CA+cert
> (certA and certB) and keyfile which has both secrets.
The s_server application loads just one certificate chain from its
certFile, and just one ke
Hello,
Sorry if question has already been asked, I saw
https://github.com/openssl/openssl/issues/3029 .
Issue#3029 is a mixed discussion on both tls-1.2 extension "trusted CA
indication" (rfc6066#section-6) and TLS-1.3 "Certificate Authorities", thus
conclusion is unclear.
On Mon, Aug 26, 2019 at 02:39:40PM +, Blumenthal, Uri - 0553 - MITLL wrote:
> > To ignore expiration of only the leaf certificate, you
> > need a verification callback that checks the error
> > reason at depth 0 and if it is expiration, returns
> > "ok = 1"
Is there a potential problem - if a certificate has multiple issues, such as
bad signature and certificate expired? Would all of these conditions be
reported, or only the first one detected?
Regards,
Uri
Sent from my iPhone
On Aug 26, 2019, at 10:11, Viktor Dukhovni wrote:
>> On
> On Aug 26, 2019, at 5:24 AM, forston_...@trendmicro.com wrote:
>
> We check a sub-certificate with a lot of root certificates.
> We don’t want to check sub-certificate’s expire time, but we want to get an
> error when root certificate expired.
>
> I try to verify i
Hi Openssl team,
I have a question about certificate verify.
We check a sub-certificate with a lot of root certificates.
We don't want to check sub-certificate's expire time, but we want to get an
error when root certificate expired.
I try to verify it by following option,
X509_VERIFY_PARAM
This use case is that I have an HSM that internally forms an X509
certificate and returns the signature. I have to reconstruct the X509
structure externally.
I have everything but the signature and its algorithm.
How can I programmatically set these values?
What I do now
... Presumably a check for proper KU on the client
certificate would be bypassed if the client cert is v1 - but then using a v1
certificate is another violation of RFC 5246 (7.4.2) that OpenSSL probably
should not enforce.
Yes, v1 certs would get a free ride. The reason to enforce KU
in client certs would
will reject.
802.1AR seems to discourage KU in IDevID because at most KU bits make
the certificate less useable, and IDevID certificates are expected to live
for decades.
> RSA client certs without digital signature in KU are increasingly
> not interoperable as more server implementa
heck for proper KU on the
> client certificate would be bypassed if the client cert is v1 - but then
> using a v1 certificate is another violation of RFC 5246 (7.4.2) that OpenSSL
> probably should not enforce.
Yes, v1 certs would get a free ride. The reason to enforce KU
in client certs
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Viktor Dukhovni
> Sent: Tuesday, June 11, 2019 10:39
> A client certificate that cannot do digital signatures is not much use.
There may be existing applications which use TLS entirely within an
organiz
> On Jun 11, 2019, at 12:15 PM, Michael Wojcik
> wrote:
>
>> There's an overarching OpenSSL policy that certificate checks are
>> done exclusively by the relying end (for client certs, that's the
>> server), except when certified end is trying to choose fr
e's an overarching OpenSSL policy that certificate checks are
> done exclusively by the relying end (for client certs, that's the
> server), except when certified end is trying to choose from
> multiple certificates.
>
> Thus with only one certificate available, the OpenSSL sends the
> (untrusted
On 11/06/2019 12:50, Hareesh D wrote:
TLSv12 client is sending RSA certificate even when it dont have
digitalSignature bit in keyUsage extension. But RFC5246 sectiin-7.4.6
says its MUST condition for client to send RSA certificate with
digitalSignature bit set in keyUsage extension.
1
TLSv12 client is sending RSA certificate even when it dont have
digitalSignature bit in keyUsage extension. But RFC5246 sectiin-7.4.6 says
its MUST condition for client to send RSA certificate with digitalSignature
bit set in keyUsage extension.
1. Though server is rejecting such certificates
:
>
> Hi ,
> Have query regarding generation of X255519 and X448 certificate chain
>
> Below is the script which i used to generate certificate chain of Ecdsa type.
> https://github.com/raja-ashok/sample_certificates/blob/master/ECC_Prime256_Certs/gen_ecc_cert.sh
>
> Now for gene
Hi ,
Have query regarding generation of X255519 and X448 certificate chain
Below is the script which i used to generate certificate chain of Ecdsa
type.
https://github.com/raja-ashok/sample_certificates/blob/master/ECC_Prime256_Certs/gen_ecc_cert.sh
Now for generating EdDSA certificate chain I
rote:
>
> > There's a part of the code where we're doing a sha256 hash of the public
> > key of our certificate. On the older OpenSSL, we were able to get the
> > public key by doing cert->cert_info->key->public_key->data. On the newer
> > version, we no l
On Mon, Jun 03, 2019 at 10:40:02AM -0500, Daniel Pedraza wrote:
> There's a part of the code where we're doing a sha256 hash of the public
> key of our certificate. On the older OpenSSL, we were able to get the
> public key by doing cert->cert_info->key->public_key->data. O
of the public key
> of
> our certificate. On the older OpenSSL, we were able to get the public key by
> doing cert->cert_info->key->public_key->data. On the newer version, we no
> longer
> have access to the cert_info struct.
>
> I tried doing:
>
> EVP_PKEY
Hi guys!
I'm trying to upgrade an old C project from OpenSSL 1.0.2 to the newest
1.1.1 version. Everything's going smoothly, except for one little detail:
There's a part of the code where we're doing a sha256 hash of the public
key of our certificate. On the older OpenSSL, we were able to get
> On May 31, 2019, at 3:20 PM, Jason Schultz wrote:
>
> My questions deal with #2: Why does OpenSSL include the root cert in the
> certificate chain?
The OpenSSL SSL_CTX_build_cert_chain(3) function constructs a complete
chain of trust for your certificate chain, based on the conf
mportantly, can I force OpenSSL to not send the root cert?
Thanks,
Jason
From: Sam Roberts
Sent: Friday, May 31, 2019 7:32 PM
To: Jason Schultz
Cc: openssl-users@openssl.org
Subject: Re: OpenSSL server sending certificate chain(inc. root cert) during
handshake
The root cert is not used for validation, so it doesn't have to be
sent. However, sending it does no harm, and it is useful for humans
who are attempting to diagnose problems, it allows them to see what
what root cert they are expected to have locally for sucessful cert
chain validation.
I believe this behavior is common among all supported versions of OpenSSL, but
most of my testing has been with OpenSSL 1.0.2, the latest LTS release.
My application using OpenSSL is acting as a server. I have a server certificate
configured that has been signed by a self-signed/root
On 14/05/2019 18:39, Michael Wojcik wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Karl Denninger
Sent: Tuesday, May 14, 2019 09:22
On 5/14/2019 09:48, Michael Wojcik wrote:
I can't think of what remnant of the old certificate would be there,
except
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Karl Denninger
> Sent: Tuesday, May 14, 2019 09:22
> On 5/14/2019 09:48, Michael Wojcik wrote:
> > I can't think of what remnant of the old certificate would be there,
> > except the certifi
{resending, because it did not seem to make it into the archives}
https://www.openssl.org/docs/man1.1.0/man3/CMS_sign.html says:
If signcert and pkey are NULL then a certificates only CMS structure is
output.
I am trying to create one to return in an RFC7030 (EST) /cacerts request.
It
On 5/14/2019 09:48, Michael Wojcik wrote:
>> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
>> Karl Denninger
>> Sent: Monday, May 13, 2019 16:32
>> On 5/13/2019 16:44, Christopher R wrote:
>>> All I want is whatever remnants of t
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Karl Denninger
> Sent: Monday, May 13, 2019 16:32
> On 5/13/2019 16:44, Christopher R wrote:
> > All I want is whatever remnants of that incorrect certificate removed,
> > where ever
https://www.openssl.org/docs/man1.1.0/man3/CMS_sign.html says:
If signcert and pkey are NULL then a certificates only CMS structure is
output.
I am trying to create one to return in an RFC7030 (EST) /cacerts request.
It appears that it needs to be a NID_pkcs7_signed.
a) Do I need to set any
Christopher,
On Mon, 2019-05-13 at 16:44 -0500, Christopher R wrote:
> Cool. Take 3. Generates the key and the request. Try generating
> the
> certificate... it asks for a password and then does...
> nothing. Kicks
> directly to command prompt. No error. No lines of text.
On 5/13/2019 16:44, Christopher R wrote:
> So I'm trying to create a certificate for a new user on my domain.
> Created the certificate... got everything set up... went to use it and
> the email is completely wrong. Oops. Missed it when I updated the
> configuration file, and,unfort
So I'm trying to create a certificate for a new user on my domain.
Created the certificate... got everything set up... went to use it and
the email is completely wrong. Oops. Missed it when I updated the
configuration file, and,unfortunately, its necessary, because login
depends on the email
I need to implement a SOAP API that will utilize Two-Way Certificate
Authentication and encryption/decryption.
I do not know what parts of the handshaking and processing of authentication
and encryption/decryption is managed by the Windows Server Operating System
(and/or IIS) Environment
On Tue, 2019-03-05 at 11:28 -0800, Wim Lewis wrote:
> On 5. mar. 2019, at 10:14 f.h., Paul Smith
> wrote:
> > E.g., I'm adding my certificate with SSL_CTX_use_certificate(); is
> > there a way to get it back out?
>
> Does SSL_CTX_get0_certificate() do what you need?
On 5. mar. 2019, at 10:14 f.h., Paul Smith wrote:
> E.g., I'm adding my certificate with SSL_CTX_use_certificate(); is there a
> way to get it back out?
Does SSL_CTX_get0_certificate() do what you need?
(The "get0" (vs "get") indicates its reference-counting semantics.)
I'm trying to write a simple function to dump the expiration date of
the certificates in my SSL_CTX cert store.
I've managed to retrieve and show the CA certificates from the
certificate store, and the certificate chain, but I can't find a method
that retrieves the certificate itself from SSL_CTX
On Thu, Jan 17, 2019 at 05:39:39PM +, Steven Winfield wrote:
> TL;DR: After a failed handshake, caused by our peer’s certificate failing
> verification, what is the correct way to get hold of the peer’s certificate?
You can't get it after, but you can get it *during* the han
Hi all,
First time posting here so please be gentle ;-)
TL;DR: After a failed handshake, caused by our peer’s certificate failing
verification, what is the correct way to get hold of the peer’s certificate?
A little more detail:
I’d like my server applications to be able to log some details
Hi all,
First time posting here so please be gentle ;-)
TL;DR: After a failed handshake, caused by our peer's certificate failing
verification, what is the correct way to get hold of the peer's certificate?
A little more detail:
I'd like my server applications to be able to log some details
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Corey Minyard
> Sent: Friday, January 11, 2019 17:09
>
> I don't really like my options, but I'm kind of boxed in. I'm not sure
> why ssh doesn't run on top of ssl; that seems so sensible. I assume
> that's for
On 1/11/19 12:42 PM, Sam Roberts wrote:
On Wed, Jan 9, 2019 at 6:54 PM Corey Minyard wrote:
My first inclination for a secure connection was to use ssh. However,
ssh is not as well suited for this as I would have liked, and all the
ssh libraries are tied to a file descriptor in ways that are
On 1/11/19 12:14 PM, Jordan Brown wrote:
On 1/10/2019 10:55 AM, Corey Minyard wrote:
It is unusual, perhaps, but I'm trying to implement something like
ssh does. I can't expect users of ser2net to obtain certificates
from a real certificate authority, that's too high a barrier for
entry. I
On Wed, Jan 9, 2019 at 6:54 PM Corey Minyard wrote:
> My first inclination for a secure connection was to use ssh. However,
> ssh is not as well suited for this as I would have liked, and all the
> ssh libraries are tied to a file descriptor in ways that are not easily
> fixable, and thus can't
On 1/10/2019 10:55 AM, Corey Minyard wrote:
> It is unusual, perhaps, but I'm trying to implement something like ssh
> does. I can't expect users of ser2net to obtain certificates from a
> real certificate authority, that's too high a barrier for entry. I
> want them to be able to ge
On 10/01/2019 19:55, Corey Minyard wrote:
On 1/10/19 11:00 AM, Michael Wojcik wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On
Behalf Of Jordan Brown
Sent: Thursday, January 10, 2019 11:15
On 1/9/2019 6:54 PM, Corey Minyard wrote:
2. Set the userid in the certificate
On 1/10/19 11:17 AM, Viktor Dukhovni wrote:
On Wed, Jan 09, 2019 at 08:54:30PM -0600, Corey Minyard wrote:
What I would like to do is pull out some information from the
certificate that is being verified, set/modify the verify store based
upon that information (basically chose the CA based
On 1/10/19 11:00 AM, Michael Wojcik wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Jordan Brown
Sent: Thursday, January 10, 2019 11:15
On 1/9/2019 6:54 PM, Corey Minyard wrote:
2. Set the userid in the certificate and use client authentication
On 10/01/2019 18:00, Michael Wojcik wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Jordan Brown
Sent: Thursday, January 10, 2019 11:15
On 1/9/2019 6:54 PM, Corey Minyard wrote:
2. Set the userid in the certificate and use client authentication
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Jordan Brown
> Sent: Thursday, January 10, 2019 11:15
> On 1/9/2019 6:54 PM, Corey Minyard wrote:
>> 2. Set the userid in the certificate and use client authentication to
>> authenticate t
On Wed, Jan 09, 2019 at 08:54:30PM -0600, Corey Minyard wrote:
> What I would like to do is pull out some information from the
> certificate that is being verified, set/modify the verify store based
> upon that information (basically chose the CA based upon something in
> the
On 1/9/2019 6:54 PM, Corey Minyard wrote:
> 2. Set the userid in the certificate and use client authentication to
> authenticate the user logging in. Set the username in the CN field
> of the certificate so it can't be changed, extract that and set the
> CA before
I'm working on an application using openssl, and I would like to set
some things up for verification based upon information in the
certificate. Unfortunately, from what I can tell, there is no way to do
this. (Maybe it's not a good idea. Not sure.)
What I would like to do is pull out some
Hi Viktor,
>Do you then add chain certificates one by one?
Yes, and SSL_CTX_use_certificate() also works in multiple certificate types on
1.0.2. Many thanks, Jane
在 2018-11-22 01:24:06,"Viktor Dukhovni" 写道:
>> On Nov 21, 2018, at 3:11 AM, 毛 wrote:
>>
>> We ar
> On Nov 21, 2018, at 3:11 AM, 毛 wrote:
>
> We are using SSL_CTX_use_certificate() instead of
> SSL_CTX_use_certificate_chain_file().
Do you then add chain certificates one by one?
> Does it also support multiple certificate chains?
I believe it will work correctly in 1.1
Hi Viktor, Many thanks for your response.
We are using SSL_CTX_use_certificate() instead of
SSL_CTX_use_certificate_chain_file(). Does it also support multiple certificate
chains?
And as I know, OpenSSL 1.0.2 and later have a separate chain store for each
type of certificate (RSA, ECC or DSA
> On Nov 20, 2018, at 9:48 AM, maoly527 wrote:
>
> Does anyone know how to use RSA and ECC certificate simultaneously in one
> server?
You just configure two private keys and two certificate chains by calling:
if (SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0) {
Hi,
Dose anyone know how to use RSA and ECC certificate simultaneously in one
server?
The idea is to install both RSA and ECC certificates, to use which certificate,
I think it depends on the cipher requested by client.
And I know the cipher list is included in client hello message
> trust anchor -> self-issued root CA cert (i = 1) -> ... -> EE (i = n)
Yes that seems to be aligned with how the intended the path validation
algorithm should be applied, i.e. first certificate processed is the
cert of the trust anchor. But it could be clearer, and wording
viour as far as I can understand.
>
> RFC5280 Certification Path Validation algorithm process from root to
> leaf, i.e. (Root, EvilCA, EvilServer). 6.1.2 Initialization and 6.1.4
> Preparation for Certificate i+1 is expected to occur upon Root
> certificate, i.e. the following s
> On Oct 8, 2018, at 8:47 AM, Peter Magnusson
> wrote:
>
> RFC5280 Certification Path Validation algorithm process from root to
> leaf, i.e. (Root, EvilCA, EvilServer). 6.1.2 Initialization and 6.1.4
> Preparation for Certificate i+1 is expected to occur upon Root
Tested mbedtls to see how other code bases handle thus.
mbedtls rejects the EvilCA certificate when connecting to openssl
s_server (as opposed to openssl c_client -verify that accepts the
connection).
Verify requested for (Depth 1):
cert. version : 3
serial number : 10:00
issuer name
t;
> RFC5280 Certification Path Validation algorithm process from root to
> leaf, i.e. (Root, EvilCA, EvilServer). 6.1.2 Initialization and 6.1.4
> Preparation for Certificate i+1 is expected to occur upon Root
> certificate, i.e. the following should be expected behaviour:
> * max_pa
That is not correct behaviour as far as I can understand.
RFC5280 Certification Path Validation algorithm process from root to
leaf, i.e. (Root, EvilCA, EvilServer). 6.1.2 Initialization and 6.1.4
Preparation for Certificate i+1 is expected to occur upon Root
certificate, i.e. the following
.em...@gmail.com> wrote:
> One more logic confusion in the OpenSSL Path Length Constraint check.
> Any Path Length Constraint set by Root (or any other Self-Issued
> Certificate) is ignored.
> Root cause appears to be !(x->ex_flags & EXFLAG_SI)=0 incorrectly
> applied to t
One more logic confusion in the OpenSSL Path Length Constraint check.
Any Path Length Constraint set by Root (or any other Self-Issued
Certificate) is ignored.
Root cause appears to be !(x->ex_flags & EXFLAG_SI)=0 incorrectly
applied to the checker (i.e. the checker and the calculation log
Scott Neugroschl wrote in :
|Steffen Nurpmeso, Tuesday, September 25, 2018 11:57 AM
|> The RFC 7468 term "parsers SHOULD ignore whitespace and other non-
|>base64 characters" makes me wonder.
|
|The relevant clause is a few sentences up: "Data before the encapsulation \
|boundaries are
> -Ursprüngliche Nachricht-
> In the meantime:
>
>$ perl -ne 'print if (/^-BEGIN/../^-END/);' foo.pem |
>openssl asn1parse
>
> > On Sep 25, 2018, at 1:15 PM, Hubert Kario wrote:
> >
> > then it looks like the parser used in asn1parse -inform pem is non-
> >
Steffen Nurpmeso, Tuesday, September 25, 2018 11:57 AM
> The RFC 7468 term "parsers SHOULD ignore whitespace and other non-
>base64 characters" makes me wonder.
The relevant clause is a few sentences up: "Data before the encapsulation
boundaries are
permitted, and parsers MUST NOT
201 - 300 of 5730 matches
Mail list logo
