Lutz Jaenicke wrote:
On Fri, Apr 26, 2002 at 12:38:05PM +0200, Robert Joop wrote:
`x509 -noout -text` prints inconsistent output.
... openssl x509 -noout -text -in old.pem | grep Issuer:
Issuer: [EMAIL PROTECTED], CN=CA UCO, O=Universidad de Cordoba, C=ES
... openssl x509
Benzy Gabay wrote:
Dr S N Henson,
First I want to thank you for the answer.
Secondly, you mentioned in your answer that I should use version 0.9.7.
I can't seem to find the 0.9.7 on openssl.org.
where can I get d/l it from?
It hasn't been released yet but you can get development
thomas poindessous wrote:
Hi,
in manpage (version 0.9.6b et version 0.9.7-stable-SNAP-20020317),
there is :
--
int EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out,
int *outl);
and
EVP_SealUpdate() and EVP_SealFinal() return 1 for success and 0
Jeffrey Altman wrote:
From: Jeffrey Altman [EMAIL PROTECTED]
jaltman I prefer that des_old.h be compatible with libdes since that apps that
jaltman are built using it assume that the api they were using was constant
jaltman and unchanging.
The way things work now, there is at
Rodney Thayer wrote:
At 09:29 PM 3/21/2002 +, S.Henson wrote:
Is there some particular reason why such applications couldn't use the
EVP layer? An attempt has been made to keep this consistent and to make
any enhancements backwards compatible. In fact some of the more recent
changes
Masanori Satake wrote:
I tried parsing the PFX file attached(passphrase:test) using PKCS12_parse()
function.
However I cannot get the right value of DSA private key parameter x.
And I tried executing open-ssl command following
openssl -in target.pfx -out target.key -nocerts -nodes.
I
Masanori Satake wrote:
I tried parsing the PFX file attached(passphrase:test) using PKCS12_parse()
function.
However I cannot get the right value of DSA private key parameter x.
And I tried executing open-ssl command following
openssl -in target.pfx -out target.key -nocerts -nodes.
I
Michael Bell wrote:
Hi,
I found a bug in openssl ca. If you set authorityKeyIdentifier to
keyid and issuer always then the keyid will be set correctly but the
issuer is wrong.
Example:
Root-CA -- Sub-Level 1 CA -- Sub-Level 2 CA -- User
If I issue a certificate for a user then
Benzy Gabay wrote:
Hi,
I'm trying programmatically to code / decode ASN1 streams.
- Could someone tell me what are the set of API functions that I can
use to code / decode ASN1 streams.
Applications use the i2d/d2i functions to encode or decode data between
memory and C structures
Jeffrey Altman wrote:
To make it very clear, the locations that I'm seeing warnings are:
ssl\kssl.c:
In print_krb5_data() kdata-length is unsigned
In print_krb5_keyblock() keyblk-length is unsigned
In print_krb5_princ() princ-realm.length and
princ-realm.data[i].length are
Michael Bell wrote:
Dr S N Henson schrieb:
Michael Bell wrote:
Hi,
I found a bug in openssl ca. If you set authorityKeyIdentifier to
keyid and issuer always then the keyid will be set correctly but the
issuer is wrong.
Example:
Root-CA -- Sub-Level 1 CA -- Sub
Kiyoshi Watanabe wrote:
Dear All,
I am writing a code to add my private extension. For the extesion id,
where I should look at and add it? Each standard extension has the id
like NID_basic_constraints.
If I want to write this,
ex = X509V3_EXT_conf_nid(NULL,
Robert Joop wrote:
the user cert has the user CA's DN in the issuer DN (CN=User CA) and
the root CA's DN in the authority key identifier DirName (CN=Test-CA
(G4)), see the attached example.
but the user cert's authority key identifier keyid is the user CA
cert's subject key identifier
Jeffrey Altman wrote:
Update on this. I've now got hold of MIT 1.2.4 sources from:
http://non-us.debian.org/debian-non-US/pool/non-US/main/k/krb5
I tested compiling OpenSSL with KRB options under Linux (RHL 6.2) and it
showed no warnings at all (my options are to use the -Wall
Jeffrey Altman wrote:
Steve:
Which flavor of Kerberos 5 are you using?
Which release?
I have a feeling the reasons that you are I are seeing different
warnings is because the types of the fields in different flavors or
versions are different.
I'm compiling against MIT 1.2.4 which
James Yonan wrote:
I have an application which creates and destroys many SSL objects using
SSL_new and SSL_free. The SSL objects are bound to memory BIOs rather
than sockets. Here is a brief annotation of the relevent sections of code
(with error checks removed):
ks-ssl = SSL_new
Jeffrey Altman wrote:
Just wondering. What are you compiling with that you are seeing
warnings?
VC++ 6.0 SP1, Kerberos 1.2.3 headers. I couldn't get the Kerberos 1.2.3
distribution to compile under Windows though. Can 1.2.4 sources/binaries
be downloaded from anywhere outside the US?
The
Richard Levitte - VMS Whacker wrote:
From: Jeffrey Altman [EMAIL PROTECTED]
jaltman Just wondering. What are you compiling with that you are seeing
jaltman warnings?
jaltman
jaltman I compile this code without any warnings without these modifications.
On Linux, with the target
[EMAIL PROTECTED] wrote:
Hello,
After generating CSR with openssl 0.9.8-dev, 0.9.7-dev or 0.9.6
'asn1dump' says that:
261 023: INTEGER 65537
: }
: }
: }
266 A00: [0]
:
Jeffrey Altman wrote:
When compiling an application with OPENSSL_LOAD_CONF defined, the
macro maps to OPENSSL_add_all_algorithms_conf(), which additionally
calls OPENSSL_config(NULL). This will automatically load the
openssl.cnf file for engine configuration. The idea behind all this
Jeffrey Altman wrote:
Where is the openssl.cnf file expected to be found on Windows?
The actual location is now determined by the function
CONF_get1_default_config_file() and the openssl utility will be modified
so everything goes through it.
Currently this follows the same
Markus Friedl wrote:
This patch is needed for EVP+AES
--- crypto/evp/e_aes.c Sat Feb 16 13:39:53 2002
+++ crypto/evp/e_aes.c Sun Feb 24 16:54:59 2002
@@ -88,6 +88,8 @@
static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv,
alexandru matei wrote:
Hello,
I complied latest snaps (all snaps from 2002) on a Redhat 7.2 system.
Make test finished succesfully. But on trying openssl smime -sign
-encrypt command, it segfaults. The rest of commands (as far as I
tested) are OK.
Can you give me some advice?
I'll
Imran Badr wrote:
Hi,
The keyfile, representing an ecrypted private key, generated by openssl is
ASN.1 type RSAPrivateKey (PKCS#1), ecrypted using DES-EDE3-CBC and then PEM
encoded. Is that right ?
It doesn't have to be triple DES encrypted.
The traditional format involves adding some
Bodo Moeller wrote:
On Sat, Feb 16, 2002 at 11:16:23AM +0100, Richard Levitte - VMS Whacker wrote:
I see no problem adding this patch. Queued.
The problem is that the application callback prototype is incompatibly
changed. Otherwise I would have added the argument instead of simply
Stephen Sprunk wrote:
Thus spake Dr S N Henson:
Maybe. It would be good to the the CFB and OFB modes working properly in
general for other numbers of bits.
The code for this is trivial; define me an API and I'll write the code
underneath.
Well I was thinking of something almost
D. K. Smetters wrote:
This is a patch to actually hand the user-supplied argument
into calls to app_verify_callback. It affects the following 5
files:
I've no objections to this patch. As long as there's an argument there
we might as well use it.
There is a way to pass application
[EMAIL PROTECTED] wrote:
levitte 16-Feb-2002 13:17:14
Modified:crypto/objects Tag: OpenSSL_0_9_7-stable obj_dat.h obj_mac.h
obj_mac.num objects.txt
Log:
Adjust the NID names for the AES modes OFB and CFB to contain the number
of feedback bits
Harald Koch wrote:
Are you in the US BTW if so can you resend you patch with a CC: to
[EMAIL PROTECTED]
I'm in Canada...
OK, I've checked in a fix which should do what you want. Let me know of
any problems.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Bodo Moeller wrote:
On Fri, Feb 15, 2002 at 10:55:13AM +, Ben Laurie wrote:
This fix for err.c is correct.
But evp_test.c should never have called OPENSSL_config() because
OPENSSL_config() uses the configuration file found in an OpenSSL
*installation*. If we want to use a
Ben Laurie wrote:
Hmm. You did this with a different name from me (idx instead of index_)
- isn't that going to be irritating?
I hadn't realised someone else had come across this. It should be
consistent I suppose. Personally I always find variable names with
appended underscores a little
Stephen Sprunk wrote:
Thus spake Richard Levitte - VMS Whacker:
The current state is EAY legacy. His idea was that one should be able
to pick out any of the algorithm directories and create a separate
library for them (the old libdes is actually exactly the same as
crypto/des/).
John Viega wrote:
Additionally, with respect to counter mode, it might be best to
implement external to the EVP proper interface, just like HMAC. There
are a few issues I see that make counter mode a bit different from
other modes:
1) You should be able to insert your own function for
Any reason for this:
/* Override the default new methods */
static int sig_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
{
if(operation == ASN1_OP_NEW_PRE) {
ECDSA_SIG *sig;
sig = OPENSSL_malloc(sizeof(ECDSA_SIG));
if
Harald Koch wrote:
Please test the 0.9.7-dev snapshots and report any problems that you
found, even if they have been reported before (it's a good reminder
for us), or even better, send us patches!
It used to be possible to call X509_STORE_CTX_init() with a NULL
X509_STORE pointer, in
Markus Friedl wrote:
There could be more problems with other XXX_Init() or similar
functions, so all semantic changes to functions from the 0.9.6 API
should be reconsidered. All such changes could be a threat to existing
applications and break them in subtle ways -- and this must be
Stephen Sprunk wrote:
Can someone help me implement the EVP macros for AES 128-bit CFB and
OFB modes? It's too messy for me to figure out.
I've got non-EVP versions written, but it appears the EVP macros do
their own implementation of the various modes and only call the base
ECB
Markus Friedl wrote:
I think this change is needed if you want EVP_CipherInit() to have a
similar semantic as in OpenSSL 0.9.6.
Index: evp/evp_enc.c
===
RCS file: /cvs/openssl/crypto/evp/evp_enc.c,v
retrieving revision 1.28
Charles McCabe wrote:
I'm a complete Linux newbie here, submitting this report for the common
good. I'm trying to get sshd working on my RedHat 7.2 box and this
openssl install was the last in a series of frustrations. Hope it helps
someone somewhere.
[snip]
gcc -I.. -I../../include
Ben Laurie wrote:
Dr S N Henson wrote:
The self signed cert was only an example. There are other cases which
could apply as well. An example would be explicit trust of an EE
certificate. That isn't supported in OpenSSL yet but it will be at some
point. It would however have
Richard Levitte - VMS Whacker wrote:
I assume this must be a bit confusing, because we all seem to have
different ideas on what the different layers are supposed to do.
My idea is that we have three layers:
0. The application
1. The DB framework (which may or may not be part of the
Oscar Jacobsson wrote:
Dr S N Henson wrote:
I'd be reluctant to have multiple APIs handling each case. What we could
have is flags or profiles saying what a certain kind of database should
support.
OpenSSL currently has separate APIs, as opposed to flags or profiles,
for handling
Richard Levitte - VMS Whacker wrote:
The only thing that troubles me then is that the plug-in (dynamically
loadable, right?) would have to share certain structures with OpenSSL,
which means that we'd better define those structures in a way that
they won't need change after they are set in
Richard Levitte - VMS Whacker wrote:
From: Bear Giles [EMAIL PROTECTED]
bear The primary key is an opaque string henceforce known as the alias.
bear The plugin may treat this as a primary key, but must not attempt to
bear interpret it as a hash, email address, keyid, serial number, etc.
Oscar Jacobsson wrote:
Bear Giles wrote:
But a plug-in that transparently updated a smart card would be extremely
handy. :-) That's what makes the design so hard - it needs to be able
to handle everything from 8k smart cards holding a single veiled key and
cert to RDBMS databases with
Bear Giles wrote:
If it only did an I+SN match then an attacker could readily generate a
self-signed certificate using its own key with matching I+SN.
But a self-signed cert is easily identified and could be flagged
for special handling. By removing them from the standard population
Bear Giles wrote:
Nothing. The trust settings aren't part of the certificate encoding. The
current trust handling stores these after the main encoding only if the
*TRUST() functions are used.
As an aside my postgresql stuff currently uses the standard X509 routines
when converting
Bear Giles wrote:
What would you classify as bad data in this case?
A fake root cert and HTTPS certs. Then you do a DNS attack, the victims
get the blackhat HTTPS site but when they check the public cert respository
it comes back with a full cert chain.
Ditto bad object signing
Bear Giles wrote:
To avoid duplication of code I'd say such concerns should be addressed
either at the application level or on top of whatever OpenSSL plugin API
is adopted.
I think that would be a serious mistake. I'm specifically thinking
of something like the CA cert
Richard Levitte - VMS Whacker wrote:
From: Dr S N Henson [EMAIL PROTECTED]
stephen.henson Is there some specific reason why the API should
stephen.henson return a key at all and not just the certificate (or
stephen.henson whatever) it corresponds to?
You might want to store keys alone
Bear Giles wrote:
Of course, this opens the whole can-o-worms of what constitutes
a duplicate cert? Is it an exact match, or matching I+SN, or
some other criteria?
There are some cases where only an exact match is acceptable. An example
is how OpenSSL performs a verify operation on a
Bear Giles wrote:
Issuer and subject number should also be unique, and it's a common
search pattern. I don't think anyone searches on the hash of the
entire certificate.
It should be unique but it might not be, either by accident or malicious
intent.
This indirectly raises a
Bear Giles wrote:
One classic approach is to have all lookup functions return a
list of unique keys. The caller then requests each object individually
via a lookup that guarantees uniqueness. Uniqueness is easy to guarantee
on any hashed or relational store - make it the primary
Bear Giles wrote:
I'll dig out the code. It was largely based around the PKCS#11
functionality but with an OpenSSL flavour. That is you have a load of
objects each of which is a set of attributes. You can then lookup based
on exact matches of each attribute.
This is query by example.
Discussion moved from openssl-users...
Bear Giles wrote:
I can think of multiple
common storage formats: text files, DBM files, LDAP, RDBMS.
why not use an existing database abstraction layer such as libdbi or ODBC?
Too abstract - queries are done with SQL statements. That's not
H, this doesn't seem to have made it to the list. No doubt there
will be two copies now :-)
Bear Giles wrote:
I can think of multiple
common storage formats: text files, DBM files, LDAP, RDBMS.
why not use an existing database abstraction layer such as libdbi or ODBC?
Too
Richard Levitte - VMS Whacker wrote:
From: Dr S N Henson [EMAIL PROTECTED]
stephen.henson I've done some work on this but its only partly
stephen.henson complete and sitting in a dark corner of my hard
stephen.henson drive...
I'm curious to see what you've come up with so far.
I'll
francoise lacambre wrote:
hello,
I have a little question about check_purpose_ssl_server
and check_purpose_ssl_client.
check_chain_purpose function calls X509_check_purpose
for all untrusted certificats in the chain.
This function calls a check_purpose function.
In SSL_SERVER (or
Eric Laroche wrote:
Dr S N Henson wrote:
Eric Laroche wrote:
Yes, I am aware of the OpenSSL engine interface. Our code applies
quite similar mechanisms of feeding 'configuration' information (name/
value pairs) from application code. However, the engine command
definitions
Stefan Kotes wrote:
All,
The ASN.1 DER encoding rules for SET OF collection say that the values of
the occurrences in this collection should be lexicographically ordered. I
have noticed that i2d_X509_NAME function omits this sorting for the
RelativeDistinguishedName member of the
Cristina Nita-Rotaru wrote:
Hello.
There might be a problem with EVP_DecryptUpdate.
My understanding was that EVP_EncryptUpdate can be called
multiple times and then conclude the encryption by calling
EVP_EncryptFinal. A similar mechanism applies for
EVP_DecryptUpdate and
²Ü¸Ú ([EMAIL PROTECTED]) wrote:
Hello,
openssl-0.9.6, openssl-0.9.6a, openssl-0.9.6-stable-snap-20020103,
openssl-engine-0.9.6c, openssl-0.9.6c, openssl-snap-20020103, these versions
can not be compiled under windows2000 + VC6.0.
Whenever I use perl Configure VC-WIN32 or
Eric Laroche wrote:
Hi,
Yes, I am aware of the OpenSSL engine interface. Our code applies
quite similar mechanisms of feeding 'configuration' information (name/
value pairs) from application code. However, the engine command
definitions affect the whole engine setting, whereas our
Eric Laroche wrote:
Hi,
Yes, I am aware of the OpenSSL engine interface. Our code applies
quite similar mechanisms of feeding 'configuration' information (name/
value pairs) from application code. However, the engine command
definitions affect the whole engine setting, whereas our
Oscar Jacobsson wrote:
Having them in obj_mac.h should mean they are recognized by default,
shouldn't it? I'm not sure exactly what a_strnid.c does, but it looks
like a collection of convenience functions. I'm sure DC could be added,
as long as some kind soul could point out what its
Filipe Custódio wrote:
Hi!
I've been having some problems trying to load a PEM formated public
key into an RSA structure. The key I want to load is:
-BEGIN PUBLIC KEY-
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7514kyrphs8TdJIh9KqUpgWSZ
I was trying to compile test scripts (openssl-0.9.6b)
~/openssl-0.9.6b/demos/Maurice/*.c
When I try to make the file, I get the following error:
Too few arguments to function PEM_ASN1_read
Yes you will get that. The stuff in demos/Maurice/*.c is way out of
date. Applications shouldn't even call
Rich Salz wrote:
When are you going to drop Win16 support?
How about 0.9.7 being the last 16bit platform release?
I'm not sure if OpenSSL still compiles under Win16 anyway. There's some
legacy Win16 code and build options but it hasn't been tested for some
time.
Steve.
--
Dr Stephen N.
Doug Kaufman wrote:
On Tue, 4 Dec 2001, Richard Levitte - VMS Whacker wrote:
From: Dr S N Henson [EMAIL PROTECTED]
drh I'm not sure if OpenSSL still compiles under Win16 anyway. There's some
drh legacy Win16 code and build options but it hasn't been tested for some
drh time
Richard Levitte - VMS Whacker wrote:
I've looked at util/mk1mf.pl and wondered for a long time why it does
it's own configuration stuff (from all the util/pl/*.pl files) instead
of relying on data created by Configure. When one looks in Configure,
one can find entries for the Windows
blue wrote:
Dear all
I try many times in BMPString which I think it can show my
character(not english) but It show
So please suggest me the way to show other character.
This depends on what you are trying to display the characters with. If
your terminal supports UTF8 then you
Oscar Jacobsson wrote:
Hi!
From the SSL_CTX_load_verify_locations manpage:
If CApath is not NULL, it points to a directory containing CA certificates in
PEM format. The files each contain one CA certificate. The files are looked up
by the CA subject name hash value, which must hence be
Ben Laurie wrote:
Ben Laurie wrote:
francoise lacambre wrote:
Don't you think, in the X509_STORE_get_by_subject function, that the following
line
vs-current_method=j;
would be replaced by :
J. Johnson wrote:
The archives show a lot of queries posted to 'openssl-users'--with no
responses. Anyone know of any particular reasons?
I thought OpenSSL looked pretty viable, but it won't be if no one will
help support possible users.
The OpenSSL mailing lists have been down for
Massimiliano Pala wrote:
Hi all,
I am ri-posting this message as I have received no replies to it.
If no one is interested in the proposals then simply ignore this
message.
-----
[ openssl ca command improve ]
Some work could be initially done by
introducing
Massimiliano Pala wrote:
Hi,
I found 2 bugs in the previous patch, so here them are the fixes against
latest SNAP (20011026).
Poblems:
1. the dn_subject structure was not freed at the end of
the do_body function;
2. the dn_subject was not set (empty) if
Douglas E. Engert wrote:
Dr S N Henson wrote:
Douglas E. Engert wrote:
It does not appear there is any code in OpenSSL to make sure all critical
extensions are checked during a verify. This could be considered a bug.
The default behavior should be to reject any critical
Tom Biggs wrote:
Our crypto accelerator uses Montgomery's Method. Just as in OpenSSL's
eay RSA functions, the chip has pre-calculation initialization steps.
I can tell the chip to just do them each time, but of course it is faster
to only do it once for each modulus (n, or p and q) and
Gunther Schadow wrote:
Hi,
regarding my yesterday's post to enable the apps x509 and req to work
with empty subject DNs (as permitted, even suggested by PKIX for certs
with non-human subjects), I found another problem that I'm going to do
something about now. The ca tool depends on the
Rich Salz wrote:
Suggestions? Is there any interest in such changes at all?
I think the CA program is proof of concept and not up to the quality
of the rest of openssl. Any improvement here would be good.
Yes ca.c is an example of how to write a CA and not a very good one at
that. It
Blue wrote:
Question??
1 How can I pass argument (ex. country,Email,...) in one
instruction
2 I try find Example but few.Please suggest url fot Ex.
You need to create a file with the field information in it and pass that
using the -config command line option. Check out the
Michael Sierchio wrote:
Ajay Nerurkar wrote:
According to the doc the fields p, q, dmp1, dmq1 and iqmp
in the RSA structure may be NULL in private keys but the
function i2d_RSAPrivateKey() calls BN_num_bits() with each
field of the argument RSA* a. And BN_num_bits() cannot handle
a
Harald Koch wrote:
[pkix quote deleted]
Any thoughts on how to go about adding support for separate CA
certificates for certs and CRLs to the existing OpenSSL certificate
verifier?
I've been meaning to look through the pkix CRL stuff to see how this lot
works in practice. The last time
francoise lacambre wrote:
In the file pem.h, you define :
#define PEM_STRING_X509_TRUSTED TRUSTED CERTIFICATE
#define PEM_STRING_X509_REQ CERTIFICATE REQUEST
In what refence document (RFC or ...) are defined these strings ?
The first is an OpenSSL
Wang, Kate wrote:
Hi all,
In my application, I called PKCS7_encrypt() to encrypt a document. When I
call
PEM_write_bio_PKCS7(out, p7) to write the encrypted document out to a file,
the encrypted content always
has
--- BEGIN PKCS7 ---
--- END PKCS7 ---
wrapped arround it. And when I
Richard Levitte - VMS Whacker wrote:
From: Richard Chan [EMAIL PROTECTED]
cshihpin Snapshot 20011002 has fixed the openssl enc -d problem
cshihpin reported earlier. However with the aes algorithms
cshihpin like aes-128-cbc etc it dumps core on exit (file is
cshihpin decrypted correctly).
Richard Shih-Ping Chan wrote:
openssl enc -d is failing with 20011001 snapshot.
Thanks for the report. I noticed that a couple of days ago. Its being
looked into.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto
Dr S N Henson wrote:
Richard Shih-Ping Chan wrote:
openssl enc -d is failing with 20011001 snapshot.
Thanks for the report. I noticed that a couple of days ago. Its being
looked into.
This should be fixed in the next snapshot.
Steve.
--
Dr Stephen N. Henson. http://www.drh
Phil Stracchino wrote:
On Fri, Sep 28, 2001 at 11:00:25AM -0700, Phil Stracchino wrote:
On Fri, Sep 28, 2001 at 06:21:26PM +0100, Dr S N Henson wrote:
Read the bit in the FAQ about adding an ERR_print_errors_fp() call then
see what it says is the cause.
I tried using
Phil Stracchino wrote:
On Thu, Sep 27, 2001 at 02:26:14PM -0700, Phil Stracchino wrote:
I've just compiled and installed openssh-2.9.9p2 (compiled against
openssl-0.9.6b using gcc-3.0.0) on a Slackware 7-based Linux machine
(kernel 2.4.6ac2). The previously installed version was 2.9p2,
Phil Stracchino wrote:
On Fri, Sep 28, 2001 at 11:21:43PM +0100, Dr S N Henson wrote:
Strange, it should produce an error of some sort. See what happens if
you remove the pass phrase on the private key (using the rsa utility)
and also see if you get an error when you supply an incorrect
[EMAIL PROTECTED] wrote:
And are also mentioned the DER encoding rules of X.690 for the same case.
Therefore we need to a little patch for
the function ASN1_GENERALIZEDTIME_check in order to be able
to accept time as indicated in the above example
I've just checked in a fix to the
Diego R. Lopez wrote:
Hi,
We have found what seems an error in the X509_check_issued() function
inside crypto/x509v3/v3_purp.c
At the end of the checks the routine makes for deciding whether a certain
certificate issued a second one, there is a comparison between
the name found inside
Diego R. Lopez wrote:
[EMAIL PROTECTED] said:
A standard property of certificates is that the issuer name and serial
number must be unique.
The Authority Key Identifier extension is used as a means of uniquely
identifying the issuing authority. One way it does this is to use the
Diego R. Lopez wrote:
Please, would you have a look on the files and cert paths I attached to
my previous message and tell me why (without the patch I propose) the
verification fails?
At least one problem is:
euroPKIBYeuroPKI.pem:
subject= /O=EuroPKI/CN=EuroPKI Root Certification
[EMAIL PROTECTED] wrote:
Hello, I was checking the implementation of Generalized Time in OpenSSL
and seems to me that isn't not compliant with the X.680 specification.
Indeed according to the specification it's possible to
have fractional seconds. The function ASN1_GENERALIZEDTIME_check
[EMAIL PROTECTED] wrote:
Thank you for your answer.
Yes of course you're right for RFC 2459, but in the RFC 3161 that defines
the
Time Stamp Protocol:
The ASN.1 GeneralizedTime syntax can include fraction-of-second
details. Such syntax, without the restrictions from [RFC 2459]
[EMAIL PROTECTED] wrote:
Hi,
After I created a RSA key, I want to create a SSL Certificate with the following
command:
openssl.exe req -new -key pcniws1.key -out pcniws1.csr
I get the following error message:
Using configuration from /usr/local/ssl/openssl.cnf
Unable to load
Michael Sierchio wrote:
Dr S N Henson wrote:
Then we'd obviously need an alternative parameter generation algorithm.
The X9.42 version (also in RFC2631) would be usable (though better ones
exist) except no test vectors exist which aren't obviously broken. I've
never found anyone
Michael Sierchio wrote:
Dr S N Henson wrote:
Michael Sierchio wrote:
Dr S N Henson wrote:
DH certificates aren't currently supported: hardly anything uses them.
The DH algorithm itself is used by (among other things) SSL and TLS.
Mobile IP does. I suggest again
1 - 100 of 291 matches
Mail list logo
