On 07/05/2014 12:00 PM, Ben Laurie wrote:
I've been experimenting with more type correctness and less casting.
Some of the big casting culprits are the various _ctrl() functions,
e.g. SSL_ctrl().
Does anyone have any clue why these exist?
I think the model is to have only one function to modif
On 06/26/2011 02:59 PM, Alain Knaff via RT wrote:
Hello,
Currently, openssl s_client supports the -servername parameter to pass
an SNI hostname.
However, wouldn't it be useful to have s_client automatically use the
host name specified for -connect as the SNI service name as well?
So instead of
On 06/26/2011 02:59 PM, Alain Knaff via RT wrote:
Hello,
openssl s_client -connect hostname.domain.com:443 does not verify that
the certificate matches the hostname. (i.e. hostname.domain.com should
match either the CN of subject, or in one of the subjectAltNames)
Without such verification any
On 06/26/2011 08:05 PM, Peter Sylvester wrote:
On 06/26/2011 02:59 PM, Alain Knaff via RT wrote:
Hello,
openssl s_client -connect hostname.domain.com:443 does not verify that
the certificate matches the hostname. (i.e. hostname.domain.com should
match either the CN of subject, or in one of the
On 08/18/2011 09:06 AM, Andreas Gruener wrote:
Hello,
I write an engine which shifts private key operations to a hardware security
module.
I face a problem concerning the key generation process. The keys are stored in
the hsm but
there exists an external reference file, like a keystore, which
It is not an input parameter for an engine. ???
Your engine should just enumerate the keys in its internal storage, or
use a hash, or.. you can communicate via engine commands in
a configuration file. (cf the doc of config).
*Peter Sylvester *
Sent by: owner-openssl-...@openssl.org
18.
::= "," | "=" | | "+" | "<" |">"
| "#" | ";"
::= "\" ( | "\" | '"')
::= any character except or "\" or '"'
rfc 4514 has ' ', '"', '#', '+', ',', ';', '<', '=','>', or '\'
The textual representations
CN=" jAmes bonD"
CN="James Bond"
designate different encodings that match, i.e.
only one could be in a directory.
have fun
Peter Sylvester
Hello,
enclosed please find a patch to document and recognize
the unknown_psk_identity alert:
- In the s_cb.c callback
- in the documentation of SSL_alert_type_string
In addition, it removes a pre-RFC 5054 string from ssl_stat.c
regards
Peter
diff -r -p -c openssl-SNAP-20111031/apps/s_cb.c op
Hello,
I am actually making corrections to the SRP/TLS code. One of them
removes an unnecessary callback. There is a pointer in a SRP_CTX that
is no longer necessary.
I wonder what is the current policy concerning a stable branch and
the head? It seems that one simply would leave the useless po
On 12/08/2011 03:34 PM, Dr. Stephen Henson wrote:
On Thu, Dec 08, 2011, Peter Sylvester wrote:
Hello,
I am actually making corrections to the SRP/TLS code. One of them
removes an unnecessary callback. There is a pointer in a SRP_CTX that
is no longer necessary.
I wonder what is the current
hi,
since a few days the current snapshots seem to provoke a
tar: A lone zero block at
has there been any change in producing the tar.gz?
/P
__
OpenSSL Project http://www.openssl.org
De
On 12/14/2011 11:18 PM, Stephen Henson via RT wrote:
[peter.sylves...@edelweb.fr - Sun Dec 11 17:51:10 2011]:
Enclosed two patches for head and stable to remove unnecessary code
for srp and to add some comments to s_client.
Applied.
Steve.
Thanks for the feedback.
___
On 04/02/2012 03:28 PM, Tamir Khason via RT wrote:
Hello, Erwann
This is not related to .NET. Integer is not only value, but also size.
Both exponents and its coefficients should be the same length
(according to the RSA definition, both integers) so those numbers should be
serialized into ASN1_INTEGER.
On 04/02/2012 06:34 PM, Tamir Khason via RT wrote:
Maybe I failed to explain myself.
DER encoding says how to encode numbers, RSA key elements define what
are those numbers. So integers from RSA key, should be encoded
according to ASN1 DER encoding, which means should be have either length
octets
On 04/03/2012 11:34 AM, Tamir Khason via RT wrote:
It seemed that we are speaking about different things.
In certificate i pasted, integers used for exponent1, exponent2 and
coefficient encoded with different lengths. In chapter 8.3 of ISO 8825
there is clear statement of how integer values shoul
On 05/18/2012 06:03 AM, kthiru...@inautix.co.in wrote:
Team,
Had a query in the certs that we load,
The CA's provide our certs in .p12 format, which we need to convert to a .pem and load to SSL
structure during initialization.
On converting to .pem, it is in the following format, "Private Key
On 07/12/2012 10:00 PM, David Woodhouse wrote:
If it has the same name, then it's the same CA. Has it been rekeyed?
It has a different X509v3 Subject Key Identifier.
The Subject Key Identifier of the second cert in the list does not match
the Authority Key Identifier of the first cert. It's a
On 08/27/2012 04:17 PM, Michel wrote:
Hi,
Shouldn't there be a SRP_VBASE_free() call somewhere in s_server.c ?
Yes, there is a small leak in s_server.c.
At least for freeing the data allocated by the SRP_VBASE_new() call :
An implementation remark
The VBASE stuff is a quick and dirty callba
>
> i'm referring to this post i think it's better to write here
> there might be a memory leak in ./crypto/pkcs7/pk7_smime.c
> at the beginning i thought i was a fool, but i've seen that the same error was
> elsewhere in the code (thanks to Changes between 0.9.6h and 0.9.7).
>
> Geoff says :
> **
Hi,
is there a particular reason why in crypto/aes/aes.h the
symbols AES_DECRYPT and AES_ENCRYPT are defined as
static const int AES_DECRYPT = 0;
static const int AES_ENCRYPT = 1;
and not simply as in des as
#define DES_ENCRYPT 1
#define DES_DECRYPT 0
regards
it seems that in the current snapshots the shared
option for solaris does not work correctly.
Compilation in crypto/des of
gcc -c -o asm/des_enc-sparc.o asm/des_enc-sparc.S
should probably be
gcc -fPIC -c -o asm/des_enc-sparc.o asm/des_enc-sparc.S
in order not to provoke a linker err
Well, sorry for the message below. The
result is the destest crashes.
So, on solaris, trying the "no-asm shared", somehow now
I get problems compiling engines, ok trying no-engine
since I don't have any.
Why does engines insist to compile the engines with no-engine.
evp/c_all_c.c does not c
hi Ben,
> >
> > Why does engines insist to compile the engines with no-engine.
>
> We generally do this because we don't have a mechanism for conditionals
> in Makefiles.
>
hm, pushing a model makefile through a C preprocessor?
> > evp/c_all_c.c does not compile, the program
> > seems us
>
> Uhmm, which OpenSSL version are you talking about? I can't find
> des_enc-sparc.S anywhere in my copy of the 0.9.7 branch...
>
> [EMAIL PROTECTED] - Tue Jul 29 17:06:13 2003]:
>
It is in the latest branch in crypto/des/asm (at least after make).
It seems that my problem went away with an i
>
> I've come across an issue with extensions. I have a S/MIME signed
> message, where the signing cert has signing + encrypting Key Usage flags,
> and SSL server Extended Key Usage flags.
>
> Because there is a Ext. Key Usage flags set, but not the S/MIME one then
> the cert validation procedu
>
> in X509 and RFC3280 "Critical" means that if you don't know how to handle an
> extension, you can ignore it. if you know how to handle it, you treat it
> independently of critical or not.
I was mildly shaken to wake up :
Obviously, I missed the half sent
hello,
it seems to me that the file progs.h in current versions (0.9.7d
and snapshot) had not been generated by progs.pl
The progs.h has an ifndef for OPENSSL_NO_ENGINE
which doesn't seem necessary to me if the two lines
elsif ( ($_ =~ /^ocsp$/))
{ print "#ifndef OPENSSL
Hi, ho:
I just made available the second beta release of our patch for
OpenSSL 0.9.7d implementing the SRP6 TLS protocol.
In addition, a first beta release of a patch for mod_ssl
allowing to use the new protocol in an Apache Web Server
is provided.
More info and downloads are available here:
--
>
> I thought SRP6 was patented. Isn't SRP6 patented?
Yes, here an excerpt from http://srp.stanford.edu/licence.txt
SRP is royalty-free worldwide for commercial
>
> one problem seems to be a vague patent claim from Phoenix Technologies
> see http://www.ietf.org/ietf/IPR/PHOENIX-SRP-RFC2945.txt
> (or the same discussion on openssh-unix-dev
> http://marc.theaimsgroup.com/?t=10914494173&r=1&w=2 )
>
Right.
There are two different issues:
- what does St
The following point is unclear to me:
>>a) CRL is valid (regarding issuance time)
>> if thisUpdate >= checkTime and thisUpdate <= now.
As far as I understand;
The X509 and 3280 validation algorithm only have ONE
point in time, which is consider either as 'now'
or 'time to check' according you
Did you 'perform' ...\Bin/Vcvars32.bat ?
There are several ones, I have tested TSA implementations from
my client and I have my own one based on OPENSSL and on the
latest draft of TSP.
Look at http://www.edelweb.fr/tsa.html for details.
> Hi,
> is somebody have an implementation of the TimeStamping ?
> _
>
> sprintf(szBuf,
> "POST %s HTTP/1.0\r\nContent-Type: %sContent-Length: %d\r\n",
> m_szURL, "text/html\r\n\r\n", nBytesToWrite);
Due to the "text/html\r\n\r\n" the Content-length is already outside the header
> sprintf(szBuf,
> "POST %s HTTP/1.0\r\nContent-Length:
nother, at least to
minimise the migration effort a bit.
Peter Sylvester
For example:
http://www.edelweb.fr/tsa.html
>
> Hello,
>
> I'm writing a simple timestamping client program to implement the new
> timestamping draft (15). I'd like to know if there's any timestamping server
> available for public to test.
>
> Would anyone please help?
>
would it be possible to add something like the following
to evp/evp_test.c It is not a replacement for strsep but
a function that seems to work with the few calls in evp_test.c
static char * strsep(char **p,const char *sep) {
char * p1 = *p ;
while (**p != *sep) {
Below please find a small mod of two files to allow the usage of a
Subject Information Access extension.
Since the actual treatment is almost identical with the
Authority Information Access, the routines use the same v2i and i2v
routines.
It may be better taste to remove the 'AUTHORITY_' part
here a resume some points last april that I found while trying to compile
the library.
- The basic approach is to compile the whole stuff with the /Gz option
in order not to modify the 3000 exported function prototypes.
- All main routines need a __cdecl main
The #define for MAIN, all th
It seems to me that the ASN1 decoder of integers is
not signaling encoding errors and tries to silently
repair parts of them.
There are three cases:
An integer with length 0 is silently converted to
a 0.
If the encoded value has a leading 0 octet, this
is simply removed without validation th
Sorry, my last message had a wrong subject:
It seems to me that the ASN1 decoder of integers is
not signaling encoding errors and tries to silently
repair parts of them.
There are three cases:
An integer with length 0 is silently converted to
a 0.
If the encoded value has a leading 0 octet,
It seems that in the latest snapshots in crypto/x509v3/ext_dat.h,
the table standard_exts is not sorted correctly.
crl_hold should be after sinfo.
&v3_crl_hold :
#define NID_hold_instruction_code 430
&v3_sinfo :
#define NID_sinfo_access 398
I haven't checked oth
>
> Another problem with my code: the buffer I allocated wasn't freed...
> Thanks to Peter Sylvester for pointing this out. I also moved the
> allocation of the buffer to where it's actually used.
>
Well, to be complete, the code should also test for the results
of
OpenSSL wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
OpenSSL version 1.0.0 Beta 1
Please download and test them as soon as possible. This new OpenSSL
version incorporates 107 documented changes and bugfixes to the
toolkit (for a complete list se
validation,
i.e. require explicit policy, inhibitmapping, no mapping for
anypolicy and the initial policy set.
As a side effect this would allow to have different settings for different
trustanchors.
Any thoughts?
Peter Sylvester
/PS
Hi;
- verifying a self signed cert is strange. How would you trust it.
the standard way is to have your own CA, and then issue a cert
for your server, and then use the CA cert as trust anchor in your
client.
Anyway your code for is false for at
least three reasons:
- The get by nid return
Zhongxing Xu wrote:
openssl-1.0.0-stable-SNAP-20091026/ssl/t1_lib.c:657
case TLSEXT_NAMETYPE_host_name:
if (s->session->tlsext_hostname == NULL)
{
if (len >
TL
Creating a CRL using openssl does nothing else than reading
the certificate "database" and creating an entry for all serialnumbers
that have a R.
You can create such a file by hand.
The encoding is invalid BER.
The openssl is tolerant but also destructive in copy.
whenever you use openssl x509 -in -out ... you remove one leading 0 octet.
IMHO openssl should reject the cert because of invalid encoding.
On 08/29/2010 04:17 AM, Mounir IDRASSI wrote:
Hi,
The problem you a
On 08/29/2010 01:20 PM, Mounir IDRASSI wrote:
Hi Peter,
Although the certificate's encoding of the serial number field breaks the
BER specification about the minimal bytes representation, it is known that
many CA's and libraries treat this field as a blob and usually encode it
on a fixed length
On 08/29/2010 07:38 PM, Mounir IDRASSI wrote:
Hi Peter,
Thank you for your comments.
As I said, this kind of debates can be very heated and going down this
road don't lead usually to any results.
The debate may be whether and how something should be
done in openssl, I admit I had started that
>
> Karl,
>
> I written following code for HTTP POST with SSL, but it is not working can
> you tell me why?
> I am not getting any response from web server.
>
> POST /cgi-bin/cs_intf/validate.exe HTTP/1.1
> Content-type: text/html
> Content-length: 31
> agentname=tiw&pin=9443243
>
> where vali
server, as well as a line mode client will be made
available as public domain contribution to openssl.
Peter Sylvester
http://clepsydre.edelweb.fr/attestation.html
>
> [EMAIL PROTECTED] wrote:
> >
> > Has anyone added a "-dn" flag to the req command? This would make it much
> > easier to write scripts that generate lots of requests. (Okay, maybe
> > not a lot easier, since I could set up a config file that pointed to the
> > environment, and then set env
>
> In 1, if i2d_ASN1_OBJECT's second argument is 0 (or NULL), ASN1_object_size
> returns the complete length of the object identifier including:
>
> identifier octets
> length octets
> content octets
>
> This is good.
>
> If i2d_ASN1_OBJECT's second argument is not 0, only the length of the
>
>
> It is my understanding that an i2d function should return the length of the
> identifier, length and content octets, and that in the case described below
> i2d_ASN1_OBJECT did not. That's all.
>
> Based on Steve's message (which I read after sending my message), this has
> been fixed.
>
Rig
> Yes thats something I'm considering for the ASN1 revision. Something
> like saving the lengths when the length is calculated and then using
> them when the stuff is written out.
Maybe one could cache the length in the ASN1 object. As long as any object
is only used once, this might work.
>
>
> I'm thinking more in terms of a CTX parameter passed to a different API.
> The problem with many caching ideas and the current ASN1 library is that
> things could be modified and the cache have no way of determining that
> it is now invalid. Some parts are modified using a structured API
> w
I would like to suggest a change in the handling
of pkcs7 content types in asn1/p7_lib.c and in pkcs7/pk7_lib.c
There are a few occurrences of lines:
case NID_pkcs7_data:
It would be nice to have added here the smime content-type Nids, too,
or, to just change the default case to
Sorry for my last message,
I haven't looked in the latest snapshot.
The code in asn1/p7_lib.c seems fine to me.
It seems that a similar code in pkcs7/pk7_lib.c in the
pkcs7_set_content is not absolutely necessary, one can
always start with data, and set it later, although this
is somewhat a ha
> Are there any OpenSSL function to convert an ASN1_UTCTIME to a time_t (or a
> string for that matter)?
Somewhere in the following you'll find what you want :
time_t TSPX_GENERALIZEDTIME_print(BIO *bp, ASN1_GENERALIZEDTIME *tm,int gmt) {
unsigned char strtime[30] ;
time_t test
> > time_t TSPX_GENERALIZEDTIME_print(BIO *bp, ASN1_GENERALIZEDTIME *tm,int gmt) {
> ...
> > if (strncmp(tm->data,strtime,15) < 0)
> > test -= (time_t)(1 << i) ;
>
> This is curious code. It is trying to treat the TIME datatype as
> opaque, but then it loo
Hello,
Would it be possible to add the following modification to x509v3.
it adds two definitions of stacks used in some areas of pkix modules
and it caches three extended key usages.
Thanks in advance to the friendly maintainers.
Peter Sylvester
diff -c openssl-SNAP-2829/crypto/x509v3
For those who wonder why ENUMERATED are not encoded correctly
since a week or so: The put_object should use len as a parameter.
diff -c openssl-SNAP-2829/crypto/asn1/a_enum.c openssl/crypto/asn1/a_enum.c
*** openssl-SNAP-2829/crypto/asn1/a_enum.c Tue Aug 22 19:00:14 2000
--- openssl/cr
In crypto/bio/b_print.c
there is
MS_STATIC char hugebuf[1024*2]; /* 10k in one chunk is the limit */
2024*2 is not exactly close to 10k.
Some months ago I reported some bug in the BIO_write vs BIO_puts
processing.
Most implementations of BIO_puts just call the internal _write routi
It seems to me that
SMIMEEncryptionKeyPreference ::= CHOICE {
issuerAndSerialNumber [0] IssuerAndSerialNumber,
receipentKeyId [1] RecipientKeyIdentifier,
subjectAltKeyIdentifier [2] SubjectKeyIdentifier
}
is not supported since d2i_ASN1_TYPE doesn't support context tags.
Thanks, the current problem was not to set that attribute, but not
to break in the pkcs7 or smime routines when you get a message
having this attribute.
>
> If you are interested maybe you can use the IBM Jonah Implementation?
>
> This is an excerpt of a PKCS7 structure implemented in the Jon
For those who haven't seen the following.
Date: Thu, 21 Sep 2000 01:11:27 -0700
To: OSI Directory List <[EMAIL PROTECTED]>, [EMAIL PROTECTED],
[EMAIL PROTECTED]
From: "Hoyt L. Kesterson II" <[EMAIL PROTECTED]>
Subject: sixth revision of the draft 4th edition of X.509 is on the server
hel
One of the reasons that I see that some "USERS", i.e. relying parties
want that, is that it is a bit difficult to get the subject altname
email in a CGI under apache, whilst the DN attribute is simply
in an environment variable.
What happens when you add multiple emails, is
either as subject altn
It seems to me that the behaviour of the s_server has changed in 0.9.8
concerning the interpretation of the nocert parameter.
When nocert is specified or when no appropriate alga was
compiled with, the variables for the key/cert file names were set to
NULL loading the files before any attempt w
In s23_srvr.c there is a length test
if ((csl+sil+cl+11) != s->packet_length)
{
SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH)
in case that the record contains a SSLV3 or TLSv1 header.
IMO the != should be a > since tls allows additional
data in extensions.
Dear core developers,
In ssl/ssl_lib.c there is a lot of functionality of get/set implemented
through a SSL_ctrl or SSL_CTX_ctrl, but some are implemented
directly as functions.
There may be some logic behind that but I am not sure which one.
One thing seems to be that the get function which ne
Dear OpenSSL developers,
I have put a version of openssl that supports the TLS servername extension
into our web server. It is based on a openssl development snapshot of
last week.
We have split off and simplified the code that was done together with SRP
last year, and corrected known bugs.
S
Bodo Moeller wrote:
On Fri, Oct 07, 2005 at 11:17:47AM +0200, Peter Sylvester wrote:
In s23_srvr.c there is a length test
if ((csl+sil+cl+11) != s->packet_length)
{
SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH)
in case that the record contains a SS
Bodo Moeller wrote:
On Mon, Oct 24, 2005 at 04:08:19PM +0200, Peter Sylvester wrote:
[...] I.e., a client that connects to a
server can *either* support SSL 2.0 servers *or* use TLS extensions,
but not both.
The SSL 3.0 and TLS 1.0 specifications have the
I saw in the latest snapshots that in the ssl library the function
time has been casted to an unsigned long.
This seems to be some hack to cover the 2038 problem on 32 bit machines.
I am not sure
whether the attempted solution is good:
As far as I see the only usage is to determine whether
in util/mkerr.pl there is a loop that replaces __attribute__. in
crypto/bio/bio.h a recent change
created an infinite loop there. replacing the __attribute_ by
__bio_h_attr__ in mkerr.pl fixes it.
--
To verify the signature, see http://edelpki.edelweb.fr/
Cela vous permet de charger le certif
Some openssl does not necessarily display DNs in the same textual order
as other tools
or as other tools like it as input.
try
openssl x509 -in yourcert -text -noout -nameopt RFC2253
for example and another without the -nameopt parameter
It has happened several times that people create cert
The reverse may not be true in real life. One way this comparison might
bite you is when the issue issues certificate with encoding violating
the DER requirements. For example, the ASN1_INTEGERs with octet
encodings "02" and "00 02" contain the same value 2, but these encodings
will in fact b
Hello,
Since I was pretty active in providing the current code, here are some
of our thoughts which may or may not be compatible with the core team.
In 2004, we had developed some extensions for the 0.9.7d version concerning
servername and srp. We initially also had the idea and a logic where o
Kyle Hamilton wrote:
I'd like to see a generic callback mechanism in that I want to be able
to write my own dispatcher for TLS extensions.
You already have this, you can intercept all messages.
Hello,
I just have put together the small patch for apache 2.2.0 which allows
to use the servername extension
logic in the development snapshot in order to select a different ssl
context, and also to
renegotiate if the vhost indicated by Host: has a different SSL_ctx
(e.g. certificate).
The
about the API.
Oden Eriksson wrote:
On Monday, 6 February 2006 at 18.13, Peter Sylvester wrote:
Hello,
I just have put together the small patch for apache 2.2.0 which allows
to use the servername extension
logic in the development snapshot in order to select a different ssl
context, and also to
William A. Rowe, Jr. wrote:
If you want to submit and have considered by the httpd project,
perhaps you
meant to submit it there?
Not yet. Since the corresponding openssl code is still in the
development branch,
and not in a stable one.
The apache2 patch was done to see whether the api is good
You ask for two things:
- creation of a file: Just put all the certs together in pem format
starting with the entity cert, and use this as -in parameter.
- parsing: There can be multiple chains. You have to find one yourself
in the
CA list that goes up to a desired trust anchor and through
A little bit of nit picking, but since a comment is supposed to be
correct. :-)
--- openssl-SNAP-20060312/ssl/ssl
if openssl has OPENSSL_NO_EC there is a small problem in t1_lib.c
Besides that I have the feeling that part of the point list code could
be simplified.
The lists supported are constant, so making a malloc etc and filling
this with
constant data looks a bit heavy.
regards
I looked a bit in detail into the ecpoint format extension stuff.
- Currently, as I said yesterday, one cannot compile openssl
with OPENSSL_NO_EC.
- I am not sure but it seems to me that the tlsext_ecpointformat_list in
the SSL is not freed together with an SSL object, so you have
a mem leak
The openssl x509 and ca commands
may create v3 certificates even if no extensions are present.
The code in apps/x509.c and apps/ca.c that sets the version of a
certificate
is not quite correct. It is basically set when the code thinks that some
extensions are going to be added and not after it;
The problem is that a backslash may be followed by a \r
I have sent a patch to openssl-users which I attach. Of course, instead
of \s* one
can use an optional \r.
Andy Polyakov via RT wrote:
my previous message about mkdef.pl is wrong. Although the indicated code
can still loop, the read e
The openssl ca command has a switch -create_serial. This switch allows the
creation of a serialnumber file for certificates. I think it is useful also
for the creation of a crl number file.
Furthermore, if crlnumbers are used then similar to certificates, it
seems useful
to me to have all crls in
isn't ssl_test.c a sufficient starting point?
[EMAIL PROTECTED] wrote:
I found this in the OpenCA-Users mailinglist.
Any ideas or suggestions?
use the 'openssl ca' command with an empty index.txt file for each new
certificate.
and then manages the files differently, i.e. copy the content into a
database.
Or don't use the ca at all and
Hi,
A call to SSL_new increments the reference count of the SSL_CTX object.
In some application contexts one would like to pass around an SSL_CTX object
and share it.
If sharing occurs before an SSL_new is called and another
instance does SSL_new and SSL_CTX_free, the SSL_CTX is freed.
In orde
One can omit the SSL_CTX_free but in order to be clean, someone must call
it, and this may unfortunately not necessarily be the same instance who
created
it.
I think you are kind of right, but there's another possibility.
Does the other instance call SSL_free as well? Note that SSL_free also
hi
When creating asn1 structure using the configuration file, it actually
necessary to encode complicated sequences/sets using the configuration
syntax.
asn1_gen allows on the other hand to 'retag' any object using the IMP
directive. Even universal type can be changed,
but with universal 16/17 t
enclosed please find a patch that adds support for the freshestCRL extension.
Have fun.
diff -rpc openssl-SNAP-200
Hi,
when a single -nameopt utf8 or others is used in openssl x509 or others, the
separator mask is 0. This preempts the command as soon as the Issuer
is formatted.
It seems that the case 0 should be treated in the same
ways as XN_FLAG_SEP_CPLUS_SPC
Best
Peter Sylvester
There is at least one real life HSM engine, that encodes numerical identifiers
as "pseudo prime
numbers", you end up with a
RSA private key that has 1 and 2 prime numbers?
No new ASN.1
Best
On 11/23/2016 11:47 AM, Richard Levitte wrote:
> In message <1479894913.8937.58.ca...@infradead.org> on