adding extensions to certificates
hi,

i've been looking at the archives list trying to search how to add additional extensions to certificates. i found the thread "Adding Application Attributes to X509 Certificates?" that is about what i'm asking but using openssl commands and openssl configuration file. even though, i don't know if Brian Skrab, who was asking on how to do it, finally solved it.

my questions are:

1) I'd like to add an additional (attribute,value) pair to a certificate, can i use any OID? RFC 2459 suggests to follow IANA or ITU-T Rec. X.660 | ISO/IEC/ITU 9834-1 for additional key purposes. do i need to follow the same conventions? if so, where can i find them?

2) I'd also like to add an extended key usage, the oid is defined in openssl as follows:

    #define OBJ_ext_key_usage OBJ_id_ce,37

can i use for my extended key usage? would this follow the conventions on question 1?

    #define OBJ_MY_ext_key_usage OBJ_id_ce,37,1

2) Once i have an OID, should i use these functions to add an extension to a certificate?

    X509_EXTENSION_create_by_OBJ
    X509_EXTENSION_set_object
    X509_EXTENSION_set_critical
    X509_EXTENSION_set_data

and X509_add_ext

any help would be appreciated, thanks in advance.

regards,
aleix

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: adding extensions to certificates
On Fri, Mar 14, 2003, Aleix Conchillo Flaque wrote:

> hi,
>
> i've been looking at the archives list trying to search how to add additional extensions to certificates. i found the thread "Adding Application Attributes to X509 Certificates?" that is about what i'm asking but using openssl commands and openssl configuration file. even though, i don't know if Brian Skrab, who was asking on how to do it, finally solved it.
>
> my questions are:
>
> 1) I'd like to add an additional (attribute,value) pair to a certificate, can i use any OID? RFC 2459 suggests to follow IANA or ITU-T Rec. X.660 | ISO/IEC/ITU 9834-1 for additional key purposes. do i need to follow the same conventions? if so, where can i find them?

Using any OID is not recommended because the OID may already be used for another purpose. If you want a custom OID for your organization you should get an OID tree allocated, for example: http://www.isi.edu/cgi-bin/iana/enterprise.pl

> 2) I'd also like to add an extended key usage, the oid is defined in openssl as follows:
>
>     #define OBJ_ext_key_usage OBJ_id_ce,37
>
> can i use for my extended key usage? would this follow the conventions on question 1?
>
>     #define OBJ_MY_ext_key_usage OBJ_id_ce,37,1

See my answer to question 1. If you want your own usage you can add an OID from your own tree.

> 2) Once i have an OID, should i use these functions to add an extension to a certificate?
>
>     X509_EXTENSION_create_by_OBJ
>     X509_EXTENSION_set_object
>     X509_EXTENSION_set_critical
>     X509_EXTENSION_set_data
>
> and X509_add_ext
>
> any help would be appreciated, thanks in advance.

If the OID is your own then you can add whatever you want to a certificate. However you should add a DER ASN1 structure and not just raw data.

If you are using the standard OpenSSL tools to create the certificate (ca, req etc) then you can use the DER option to add custom extension data provided you've worked out a valid encoding.

In OpenSSL 0.9.8-dev you can also use its mini-ASN1 compiler and do things like:

    my_extension=ASN1:UTF8:My custom extension value

See doc/openssl.txt for more info.

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
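Added example, not part of the thread and not OpenSSL code: what "a DER ASN1 structure and not just raw data" means for a custom extension, shown by hand-encoding an X.509 Extension whose value is a UTF8String. The OID arc 1.3.6.1.4.1.99999.1 is a constructed placeholder for an arc allocated to your own organization, and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Emit one DER tag-length-value; returns bytes written, 0 if it will not fit. */
static size_t der_tlv(uint8_t tag, const uint8_t *val, size_t vlen,
                      uint8_t *out, size_t cap)
{
    size_t h = 0;
    if (vlen > 0xFFFF || cap < vlen + 4) return 0;
    out[h++] = tag;
    if (vlen < 0x80) {
        out[h++] = (uint8_t)vlen;                 /* short-form length */
    } else if (vlen <= 0xFF) {
        out[h++] = 0x81; out[h++] = (uint8_t)vlen;
    } else {
        out[h++] = 0x82; out[h++] = (uint8_t)(vlen >> 8); out[h++] = (uint8_t)vlen;
    }
    memcpy(out + h, val, vlen);
    return h + vlen;
}

/* Encode an OBJECT IDENTIFIER from its numeric arcs. */
static size_t der_oid(const uint32_t *arcs, size_t n, uint8_t *out, size_t cap)
{
    uint8_t body[64];
    size_t blen = 0;
    if (n < 2 || arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39)) return 0;
    if (arcs[1] > 0xFFFFFFFFu - 80) return 0;     /* 40*a+b must not wrap */
    for (size_t i = 1; i < n; i++) {
        /* First two arcs share one value; every value is base-128, MSB first. */
        uint32_t v = (i == 1) ? arcs[0] * 40 + arcs[1] : arcs[i];
        uint8_t tmp[5];
        int k = 0;
        do { tmp[k++] = v & 0x7F; v >>= 7; } while (v);
        if (blen + (size_t)k > sizeof body) return 0;
        while (k--) body[blen++] = (uint8_t)(tmp[k] | (k ? 0x80 : 0));
    }
    return der_tlv(0x06, body, blen, out, cap);
}

/* Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
 *                          extnValue OCTET STRING }
 * extnValue wraps the DER of the real value, here a UTF8String. */
size_t der_utf8_extension(const uint32_t *arcs, size_t n, int critical,
                          const char *text, uint8_t *out, size_t cap)
{
    static const uint8_t der_true[] = { 0xFF };
    uint8_t inner[256], body[512];
    size_t ilen, blen, w;

    ilen = der_tlv(0x0C, (const uint8_t *)text, strlen(text), inner, sizeof inner);
    if (!ilen) return 0;
    blen = der_oid(arcs, n, body, sizeof body);
    if (!blen) return 0;
    if (critical) {                               /* DEFAULT FALSE is omitted */
        w = der_tlv(0x01, der_true, 1, body + blen, sizeof body - blen);
        if (!w) return 0;
        blen += w;
    }
    w = der_tlv(0x04, inner, ilen, body + blen, sizeof body - blen);
    if (!w) return 0;
    blen += w;
    return der_tlv(0x30, body, blen, out, cap);
}

int main(void)
{
    /* Placeholder arc (constructed); use one allocated to your organization. */
    const uint32_t arcs[] = { 1, 3, 6, 1, 4, 1, 99999, 1 };
    uint8_t buf[128];
    size_t n = der_utf8_extension(arcs, 8, 0, "My custom extension value",
                                  buf, sizeof buf);
    for (size_t i = 0; i < n; i++) printf("%02X", buf[i]);
    printf("\n");
    return n ? 0 : 1;
}
```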
Strange Problem using RSA PublicEncryption with RSA_NO_PADDING
Hello,

I have a problem, I cannot really cover. I'm using public key encryption together with RSA_NO_PADDING. The Key-/Modulus-Size is 128Byte and the message to be encrypted are also 128Byte sized.

Now my problem: Using the same (!) binary code (running in a debugging environment or not) it sometimes works properly, sometimes it fails with the following message:

    error:04068084:rsa routines:RSA_EAY_PUBLIC_ENCRYPT:data too large for modulus

To be precise: It never failed so far, if I'm debugging step by step through the problematic code region.

Does anyone outside have any good idea what my problem is?

Regards,
Christoph
scatter/gather buffers and SSL_write
Are there any plans to offer a scatter/gather version of the SSL_{read,write} interface?

Sometimes openSSL is used as a component in a stream and it gets to the openSSL bit and finds a bottleneck where a scatter-gather buffer has to be put into one contiguous block so it can call SSL_write.

I wonder if there are any plans to extend this.

Regards,
Andrew M.
Compiling on Solaris8 x86
I'm trying to get ssh onto my Solaris 8 x86 system. I've installed gcc, binutils, make and some other packages but can not find where the math library is located. Can someone tell me where to get it?

    gcc -I.. -I../.. -I../../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DNO_INLINE_ASM -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -c -o set_key.o set_key.c
    In file included from des_locl.h:80,
                     from set_key.c:66:
    /usr/local/lib/gcc-lib/i386-pc-solaris2.8/2.95.3/include/math.h:5: math.h: No such file or directory
    make[2]: *** [set_key.o] Error 1
    make[2]: Leaving directory `/export/home/cfowler/openssl-0.9.6i/crypto/des'
    make[1]: *** [subdirs] Error 1
    make[1]: Leaving directory `/export/home/cfowler/openssl-0.9.6i/crypto'
    make: *** [sub_all] Error 1

Thanks,
Chris
Re: Strange Problem using RSA PublicEncryption with RSA_NO_PADDING
Hello Christoph,

Christoph Hansen wrote:

> I have a problem, I cannot really cover. I'm using public key encryption together with RSA_NO_PADDING. The Key-/Modulus-Size is 128Byte and the message to be encrypted are also 128Byte sized.

There exist chosen plain text attacks against RSA...

> Now my problem: Using the same (!) binary code (running in a debugging environment or not) it sometimes works properly, sometimes it fails with the following message:
>
>     error:04068084:rsa routines:RSA_EAY_PUBLIC_ENCRYPT:data too large for modulus

The RSA key and the data are handled as two big numbers. RSA requires that the key must be numerically bigger than the data.

Bye

Goetz

--
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126
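Added example, not part of the thread and not OpenSSL code: the numeric comparison described in the reply above, applied to a 128-byte block and a 128-byte modulus, showing that acceptance depends on the leading bytes of the block. The modulus bytes are constructed for illustration (not a real key) and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Compare two big-endian unsigned integers of any length.
 * Returns -1, 0 or 1; leading zero bytes carry no value and are skipped. */
int be_ucmp(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen)
{
    while (alen && *a == 0) { a++; alen--; }
    while (blen && *b == 0) { b++; blen--; }
    if (alen != blen) return alen < blen ? -1 : 1;
    for (size_t i = 0; i < alen; i++)
        if (a[i] != b[i]) return a[i] < b[i] ? -1 : 1;
    return 0;
}

/* An unpadded RSA input block is usable only if it has exactly the
 * modulus length and, read as a number, is strictly below the modulus. */
int raw_rsa_block_ok(const uint8_t *blk, size_t blen,
                     const uint8_t *mod, size_t mlen)
{
    return blen == mlen && be_ucmp(blk, blen, mod, mlen) < 0;
}

/* For a 128-byte modulus, count how many of the 256 possible leading
 * bytes yield an acceptable block when every other byte is 0xFF. */
int accepted_leading_bytes(const uint8_t *mod, size_t mlen)
{
    uint8_t blk[128];
    int ok = 0;
    if (mlen != sizeof blk) return -1;
    memset(blk, 0xFF, sizeof blk);
    for (int b = 0; b < 256; b++) {
        blk[0] = (uint8_t)b;
        ok += raw_rsa_block_ok(blk, sizeof blk, mod, mlen);
    }
    return ok;
}

int main(void)
{
    uint8_t mod[128];                 /* constructed sample, not a real key */
    memset(mod, 0x11, sizeof mod);
    mod[0] = 0xC3;                    /* top bit set, as in a 1024-bit modulus */
    mod[127] = 0x01;                  /* odd */
    printf("%d of 256 leading byte values accepted\n",
           accepted_leading_bytes(mod, sizeof mod));
    return 0;
}
```

A block filled with arbitrary bytes therefore passes or fails depending on its first byte or bytes; forcing the leading byte to zero, or using a padding mode, keeps the value below the modulus.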
Re: scatter/gather buffers and SSL_write
> the openSSL bit and finds a bottleneck where a scatter-gather buffer has to be put into one contiguous block so it can call SSL_write.

You don't have to do that -- just loop calling SSL_write multiple times.

/r$
Re: Problem changing key/iv on a CIPHER bio
> This isn't something I've had to do personally however...

It's not something I've wanted to do...

> Popping and pushing the BIO should work provided you get it right. For this to work properly of course you need change keys and IVs only after a multiple of the block length has been sent, otherwise data will be lost and possibly internal buffering could spoil your whole day due to synchronisation errors.

Yes, everything up to that point was sent in full block increments.

> In fact synchronisation may well be a problem because when using padding the EVP routines need to buffer a whole block on decrypt so that the block padding check works. So when you read data from the end BIO in the chain it will typically have internally buffered the next block using the current key/IV.

I've done my best to be sure that there's nothing sent or left over to be buffered. And if I remove and destroy that bio, I'd hope that it takes any buffered data with it.

> In OpenSSL 0.9.7X you can disable padding using the EVP API, that is the preferred method because the internal buffering no longer occurs. You need to retrieve the EVP_CIPHER_CTX structure from the BIO to do that, see the 0.9.7 manual pages for precise details.

Hmmn. Not a bad plan - I'll check into that.

--
Brian Hatch
Systems and Security Engineer
http://www.ifokr.org/bri/

"You don't frighten easily."
"I work for Ambassador Mollari. After a while nothing bothers you."

Every message PGP signed
Proper way to encrypt and decrypt to/from socket BIO
(Note: this question is completely unrelated to the previous re-keying one, since I've taken out the re-key code for now.)

I have a socket bio to which I'd like to attach a decrypting bio for reading and encrypting bio for writing. When I attempt this I get the following error roughly 22% of the time on the first BIO_read:

    BIO_read(bio, buf, 8)
    BIO_read returns -1
    BIO_should_retry is false
    error:0606506D:digital envelope routines:EVP_DecryptFinal: wrong final block length:evp_enc.c:423:

This is using blowfish with a blocksize of 8 chars, there are actually at least 24 bytes in the stream, so there's plenty of data for mac checks. I ran ethereal to watch the data being sent from the client, and it's identical, yet 1/5 the time the 'final block length' problem pops up.

One of my concerns initially was that I was going to goof up my prev_bio and next_bio links by attempting to attach a socket bio to both a decrypt and encrypt cipher bio. (I always used BIO_push, I never created the chain manually...) When I wrote a dinky routine to show the bio chains both forward (using BIO_next) and backward (reading the prev_bio member directly) I found that everything looked fine in the 'forward' direction (cipher = socket) but that the reverse direction (socket backward via prev_bio) showed that prev only pointed to one of the ciphers. (This was expected and makes total sense, of course, since prev_bio can only point one place.) I don't know the underlying workings of the BIOs, so I don't know if this is a problem or not.

So, trying to outsmart things entirely, instead of creating the socket bio and then attaching it to two different ciphers separately, I first cloned the socket bio with BIO_dup_chain and used BIO_push to stick uniq copies of it onto my two cipher bios. Thus my BIO chains looked consistent both in ->next_bio and ->prev_bio order. I didn't really think this necessary, but thought I'd try to see if it'd get rid of the 22% failure rate.

Unfortunately, it acted the same - 22% of the time I got a wrong final block length error, even though the other end of the socket is sending the exact same data every time.

Any ideas? Any good debugging method to see the data coming through the socket bio before it hits the next bio (cipher) in the chain to be sure that the data on the wire is the same data coming in my bio chains? Am I adding an encrypt and decrypt bio onto my socket in a totally brain dead manner?

--
Brian Hatch
Systems and Security Engineer
http://www.ifokr.org/bri/

"Stupidity is not a handicap. Park elsewhere!"

Every message PGP signed
RE: introduction
On Thu, 13 Mar 2003, Boyle Owen wrote:

> SSL and mail? Usually, SSL is used to secure the communications between a webserver and its clients. I guess you could encrypt SMTP traffic but I've never done it (no doubt someone else will comment on this).

The SMTP verb is STARTTLS. See RFC 3207. Something like this is also defined for POP, IMAP, ACAP, and some others.

I've been toying with the idea of inventing a new UUCP protocol to provide authentication and secure transport using TLS (but there's no code yet).

There are lots of uses for something like TLS, beyond web stuff, and probably many more yet to be discovered.

--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
MS Windows *is* user-friendly, but only for certain values of user.
Re: Proper way to encrypt and decrypt to/from socket BIO
On Fri, Mar 14, 2003, Brian Hatch wrote:

> (Note: this question is completely unrelated to the previous re-keying one, since I've taken out the re-key code for now.)
>
> I have a socket bio to which I'd like to attach a decrypting bio for reading and encrypting bio for writing. When I attempt this I get the following error roughly 22% of the time on the first BIO_read:
>
>     BIO_read(bio, buf, 8)
>     BIO_read returns -1
>     BIO_should_retry is false
>     error:0606506D:digital envelope routines:EVP_DecryptFinal: wrong final block length:evp_enc.c:423:
>
> This is using blowfish with a blocksize of 8 chars, there are actually at least 24 bytes in the stream, so there's plenty of data for mac checks. I ran ethereal to watch the data being sent from the client, and it's identical, yet 1/5 the time the 'final block length' problem pops up.

BIO_f_cipher() BIOs have a bug in them which makes them mess up when used in conjunction with non blocking I/O or any circumstance where a read/write might not process the same number of bytes as requested.

This is largely because BIO_f_cipher() BIOs have been largely unchanged since the dawn of time [*] and never tested in this way.

I found this out recently when I was messing around with the non blocking I/O test BIO and they failed rather badly. Base64 BIOs have similar problems but digest BIOs seem to be OK AFAICs.

I've checked in a fix for cipher BIOs which should be in any current stable snapshot, it's a trivial fix. The base64 fix was rather more drastic so it's only in 0.9.8 in case it breaks something else.

I suggest you get the latest stable snapshot and try that out.

Steve.

[*] Well SSLeay which feels like the dawn of time to some of us.

--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
Re: introduction
The OpenSSL Developers have already done this. Look at the smime command for the openssl program at http://www.openssl.org/docs/apps/smime.html#

Also look at http://www.openssl.org/docs/crypto/SMIME_write_PKCS7.html

You can sign messages using your private key which allows recipients to verify the message came from you. To encrypt messages the recipient must have a public key.

Just sign or encrypt the message then send it like regular mail. See the attached file for a simple example.

- Original Message -
From: Mark H. Wood [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, March 14, 2003 7:25 AM
Subject: RE: introduction

> On Thu, 13 Mar 2003, Boyle Owen wrote:
>
> > SSL and mail? Usually, SSL is used to secure the communications between a webserver and its clients. I guess you could encrypt SMTP traffic but I've never done it (no doubt someone else will comment on this).
>
> The SMTP verb is STARTTLS. See RFC 3207. Something like this is also defined for POP, IMAP, ACAP, and some others.
>
> I've been toying with the idea of inventing a new UUCP protocol to provide authentication and secure transport using TLS (but there's no code yet).
>
> There are lots of uses for something like TLS, beyond web stuff, and probably many more yet to be discovered.
>
> --
> Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
> MS Windows *is* user-friendly, but only for certain values of user.

Attachment: Mail.cpp
Re: ftp implicit ssl connection
> It is very unclear to me what type of help you are looking for. There are many SSL/TLS FTP client and server implementations available as open source in addition to the specifications for the protocol which are available as an Internet-Draft.
>
> What do you need?

well, in the previous 2 messages i tried to explain it... I'm writing an ftp client and i would like to add support for implicit ssl connection... the problem is that after the handshake i try to send the PBSZ 0 command but i receive no answer from the server... this is the behaviour with all of the ftp protocol commands... so, i need some help... even some source code of an ftp client that implement implicit (not the explicit one with AUTH command etc...) ssl connection...

can u give me some help ?

thanks :-)
Handshake Failure due to bad record mac
hi,

I am using a sample client appli on an embedded platform trying to connect to s_server on the linux. client code has set cipher(ALL); there is no client certificate. client side SSL_connect() return -1; Its very strange, some times client sends Alert message with bad mac code and some times it does not. i have both the logs attached.

    # openssl s_server -cert server.pem -accept 1 -state
    Using default temp DH parameters
    ACCEPT
    SSL_accept:before/accept initialization
    SSL_accept:SSLv3 read client hello A
    SSL_accept:SSLv3 write server hello A
    SSL_accept:SSLv3 write certificate A
    SSL_accept:SSLv3 write server done A
    SSL_accept:SSLv3 flush data
    SSL3 alert read:fatal:bad record mac
    SSL_accept:failed in SSLv3 read client certificate A
    ERROR
    1348:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:964:SSL alert number 20
    shutting down SSL
    CONNECTION CLOSED
    ACCEPT

    # openssl s_server -cert server.pem -accept 1 -state -debug
    SSL_accept:before/accept initialization
    read from 08162C88 [08168230] (11 bytes = 11 (0xB))
    read from 08162C88 [0816823B] (55 bytes = 55 (0x37))
    SSL_accept:SSLv3 read client hello A
    write to 08162C88 [081722C8] (79 bytes = 79 (0x4F))
    SSL_accept:SSLv3 write server hello A
    write to 08162C88 [081722C8] (508 bytes = 508 (0x1FC))
    SSL_accept:SSLv3 write certificate A
    write to 08162C88 [081722C8] (9 bytes = 9 (0x9))
    SSL_accept:SSLv3 write server done A
    SSL_accept:SSLv3 flush data
    read from 08162C88 [08168230] (5 bytes = 0 (0x0))
    SSL_accept:failed in SSLv3 read client certificate A
    ERROR
    shutting down SSL
    CONNECTION CLOSED
    ACCEPT
Re: ftp implicit ssl connection
I think the question was this: why are you trying to invent another secure FTP protocol when there is already a draft IETF standard for bringing up SSL/TLS command and/or data channels in FTP, as well as several open source implementations of that draft protocol.

Caveat: I am not an expert on this protocol, I just know of its existence.

Andy Sherman
Morgan Stanley

gomess wrote:

> > It is very unclear to me what type of help you are looking for. There are many SSL/TLS FTP client and server implementations available as open source in addition to the specifications for the protocol which are available as an Internet-Draft.
> >
> > What do you need?
>
> well, in the previous 2 messages i tried to explain it... I'm writing an ftp client and i would like to add support for implicit ssl connection... the problem is that after the handshake i try to send the PBSZ 0 command but i receive no answer from the server... this is the behaviour with all of the ftp protocol commands... so, i need some help... even some source code of an ftp client that implement implicit (not the explicit one with AUTH command etc...) ssl connection...
>
> can u give me some help ?
>
> thanks :-)
Re: Handshake Failure due to bad record mac
Sorry!! SSL_connect is returning with SSL_ERROR_SYSCALL(5) not -1 as previously mentioned and i tried to look at errno it shows 0. Can anyone please point out where i am wrong?

    client()
        SSLeay_add_ssl_algorithms();
        meth = SSLv3_client_method();
        SSL_load_error_strings();
        ctx = SSL_CTX_new (meth);
        CHK_NULL(ctx);
        SSL_CTX_set_cipher_list(ctx,"ALL");
        socket()..
        connect()..
        ssl = SSL_new (ctx);
        CHK_NULL(ssl);
        SSL_set_fd (ssl, sd);
        err = SSL_connect (ssl);    // CHK_SSL(err);
        if (err == -1) goto end;
        switch((err = SSL_get_error(ssl,r))){
        case SSL_ERROR_NONE:
            printf("Read from server:");
            break;
        case SSL_ERROR_ZERO_RETURN:
            goto end;
            break;
        case SSL_ERROR_WANT_READ:
            break;
        default:
            printf("SSL read problem");
            goto end;
        }
Windows does not have enough information to verify this certificate
When we view a certificate issued by some CA, windows may tell us this: "Windows does not have enough information to verify this certificate."

What does this mean? Does it mean that I have not installed the CA cert as a trusted root CA?