Re: apps\ca Y2K bug
Nelson Alves da Silva Filho wrote:
> POSSIBLE bug regarding the ca application (OpenSSL-0.9.4). I think the function ASN1_UTCTIME_set_string (a_utctm.c) is not Y2K safe and, consequently, the "startdate" and "enddate" entries of the openssl.cnf ca section as well.
> Nelson.

I have tested it without actually having real problems. Which code exactly do you think is not Y2K safe???

C'you,
Massimiliano Pala ([EMAIL PROTECTED])
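As an added illustration of where the Y2K question about UTCTime actually lives (this is not code from OpenSSL or from either poster): an X.509 UTCTime carries only a two-digit year, so a parser is only correct if it applies the century window the X.509 profile fixes (YY 50..99 is 19YY, 00..49 is 20YY); the function names and the sample date strings below are my own.

```python
"""ASN.1 UTCTime parsing with the X.509 two-digit-year window (added example)."""
import re
from datetime import datetime, timedelta, timezone

# UTCTime as used in certificates: YYMMDDHHMM[SS] followed by Z or +hhmm/-hhmm.
# RFC 5280 requires the Z form; the offset forms are accepted here for completeness.
_UTCTIME_RE = re.compile(
    r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})?(Z|[+-]\d{4})$"
)


def utctime_year(yy: int) -> int:
    """Expand a two-digit UTCTime year using the X.509 window (RFC 5280 4.1.2.5.1):
    values 50..99 are 1950..1999, values 00..49 are 2000..2049."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year out of range")
    return 1900 + yy if yy >= 50 else 2000 + yy


def parse_utctime(s: str) -> datetime:
    """Parse a UTCTime string into an aware datetime normalised to UTC."""
    m = _UTCTIME_RE.match(s)
    if not m:
        raise ValueError(f"malformed UTCTime: {s!r}")
    yy, mo, dd, hh, mi, ss, tz = m.groups()
    if tz == "Z":
        offset = timedelta(0)
    else:
        sign = 1 if tz[0] == "+" else -1
        offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5]))
    local = datetime(utctime_year(int(yy)), int(mo), int(dd), int(hh), int(mi),
                     int(ss) if ss is not None else 0, tzinfo=timezone(offset))
    return local.astimezone(timezone.utc)


def validity_ok(not_before: str, not_after: str) -> bool:
    """True if the validity period is well ordered once both ends are expanded.
    A naive two-digit comparison would call 99xxxx > 00xxxx and reject a
    certificate issued in late 1999 that expires in 2000; the window fixes that."""
    return parse_utctime(not_before) <= parse_utctime(not_after)


if __name__ == "__main__":
    # Constructed sample: issued on the last second of 1999, expiring in 2000.
    print(parse_utctime("991231235959Z"), parse_utctime("000101000000Z"))
    print(validity_ok("991231235959Z", "000101000000Z"))
```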
Re: Other question..
Dr Stephen Henson wrote:
> Michael Ströder wrote:
> > http://www.microsoft.com/security/tech/certificates/structuring.asp
> I wouldn't recommend that document: [..] Following the advice here caused me lots of trouble.

Can you give some details about the troubles you had?

> Over a year after its date I duly followed the advice about critical extensions only to find the version of Outlook at the time rejected them.

I set my keyUsage and extendedKeyUsage attributes according to the document I mentioned above but did not mark any attribute critical. The descriptions of keyUsage and extendedKeyUsage seemed to make sense to me. Will this cause trouble for cert users? Examples:

CA certs:
  basicConstraints = CA:true
  keyUsage = cRLSign, keyCertSign
  extendedKeyUsage = 1.3.6.1.5.5.7.3.4
(I know that basicConstraints = CA:true should be marked critical, but according to doc/openssl.txt this might cause trouble with older applications...)

Certs only used for e-mail (encryption and signing):
  keyUsage = keyEncipherment, dataEncipherment, digitalSignature, nonRepudiation
  nsCertType = email

Certs only used for client authentication:
  keyUsage = digitalSignature, nonRepudiation, keyAgreement
  extendedKeyUsage = 1.3.6.1.5.5.7.3.2
  nsCertType = client

Server certs:
  keyUsage = digitalSignature, nonRepudiation, keyEncipherment
  extendedKeyUsage = 1.3.6.1.5.5.7.3.1, msSGC, nsSGC
  nsCertType = server
(msSGC, nsSGC only make sense if the corresponding CA certs are tagged in a special way for enabling Server Gated Cryptography / Global Server ID)

Object signing certs:
  keyUsage = keyEncipherment, dataEncipherment, digitalSignature, nonRepudiation, keyAgreement
  extendedKeyUsage = 1.3.6.1.5.5.7.3.3
  nsCertType = objsign

Will I have problems with these X.509v3 attributes? Any suggestions for improving it? Maybe it's worth discussing a good example configuration here.

Ciao, Michael.

__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Maintaining an SSL server cache
James Darwin [EMAIL PROTECTED]:
> I'm having trouble making the server-side cache hang on to SSL sessions when all connections from the client are lost. If the client maintains one open connection and re-uses its SSL session, the cache on the server knows to use the same session - i.e. SSL_get_session() gives me the same number. But if the client drops its last connection and creates a new connection to the server, still using the same SSL session as before, the server sees this as a new SSL session. BTW, SSL_free() is called when a connection is dropped in order to clean up memory.

Do you create all server SSLs from the same SSL_CTX? If so, sessions should survive automatically; but you should set a session ID context for the SSL_CTX (it is used only if you do client verification, i.e. when SSL_VERIFY_PEER is set).

If this does not work, then use a debugger to see what is happening (ssl/ssl_sess.c is the most important OpenSSL source code file for this): Is ssl_clear_bad_session ever called when your program is run? What happens inside ssl_get_prev_session (i.e. which "if" conditions there are true)?
Re: How to timeout a SSL_connect?
Alexey Melnikov [EMAIL PROTECTED]:
> You should use select() with timeout, however this will require modifications to OpenSSL.

Why? What modifications?
Windows NT Version
Hi,

Is there a Windows NT version of OpenSSL available? If so, where can I get it?

Thanks
Deva