Hi - HTTPD Configuration with MOD SSL

2012-03-08 Thread Durairaj, Srinivasan (NSN - IN/Hyderabad)
Hi, I want to enable HTTPD to support multi-layer certificates (ca chain). I had 2 options Option 1: We can configure SSLCertificateFile (EE file) and SSLCertificateChainFile (CA Chain) Option 2: We can configure SSLCertificateFile (EE+CA Chain) When we tested we found that Option 2 worked and

OpenSSL for Linux

2012-03-08 Thread Mohamed Riyazudeen Kandrath Mohamed Ibrahim
Hi, We are using openssl1.0.0g for Windows. But when we tried to use the same for Linux, we are running into an issue while compiling the SSL module. And we found that the issue is in the Apache2.0.63 and openssl1.0.0g integration

How to resume the TLS session

2012-03-08 Thread Gayathri Manoj
Hi All, Please let me know if there is an API that will resume the session without going through the handshake process again (the session might have broken down due to unplugging of the LAN cable etc.) Thanks, Gayathri

Recall: OpenSSL for Linux

2012-03-08 Thread Mohamed Riyazudeen Kandrath Mohamed Ibrahim
Mohamed Riyazudeen Kandrath Mohamed Ibrahim would like to recall the message, OpenSSL for Linux.

OpenSSL for Linux

2012-03-08 Thread Mohamed Riyazudeen
Hi, We are using openssl1.0.0g for Windows. But when we tried to use the same for Linux, we are running into an issue while compiling the SSL module. And we found that the issue is in the Apache2.0.63 and openssl1.0.0g integration http://serverfault.com/questions/159883/installing-apache-with-openssl

OpenSSL FIPS Object Module v1.2

2012-03-08 Thread Ashit Vora
Hello, I searched the archives but did not find the answer to this question. What is the reason OpenSSL FIPS Object Module v1.2 is no longer listed as FIPS validated? It seems only v1.2.3 is now listed: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2008.htm#1051 Thanks in

RE: OpenSSL Windows CryptoAPI certificate and encrypt/decrypt interop

2012-03-08 Thread Nou Dadoun
Thanks for the response, I'm trying to allow end-users to use commercially purchased certificates so I'd rather not make the assumption that the key is exportable. Using the capi engine sounds like a viable alternative, but I've had trouble tracking down details on how to use it.

Re: OpenSSL FIPS Object Module v1.2

2012-03-08 Thread Steve Marquess
On 03/08/2012 01:43 PM, Ashit Vora wrote: Hello, I searched the archives but did not find the answer to this question. What is the reason OpenSSL FIPS Object Module v1.2 is no longer listed as FIPS validated? It seems only v1.2.3 is now listed: That's because the original validation #1051

Re: OpenSSL FIPS Object Module v1.2

2012-03-08 Thread Ashit Vora
Thanks Steve. This makes sense (i.e. newer versions subsuming older versions). However given that 1.2 is no longer listed on the NIST website, that version can no longer be considered FIPS validated. This is an issue for deployed products that have depended on v1.2 for FIPS compliance. -Ashit

Re: OpenSSL Windows CryptoAPI certificate and encrypt/decrypt interop

2012-03-08 Thread Dr. Stephen Henson
On Thu, Mar 08, 2012, Nou Dadoun wrote: Thanks for the response, I'm trying to allow end-users to use commercially purchased certificates so I'd rather not make the assumption that the key is exportable. Using the capi engine sounds like a viable alternative, but I've had trouble

Re: Tutorials on OpenSSL integration with nCipher HSM (nShield) ?

2012-03-08 Thread Sunjeet Singh
Hi Sander, Thank you for your elaborate response. It has helped me a great deal. A follow-up question- fookey fookey_certreq fookey_selfcert The first one looks a lot like a private key, but it is a dummy key. This is the key file you pass to the OpenSSL library. It looks so much

Re: Tutorials on OpenSSL integration with nCipher HSM (nShield) ?

2012-03-08 Thread Sunjeet Singh
None of the above ;-) If you have the CHIL ENGINE you load a private key using ENGINE_load_private_key() and pass the appropriate ENGINE pointer and the name of the key which will presumably be rsa-test. That will get you an EVP_PKEY pointer which you can pass to

1.0.1beta1, incompatibility with gnutls?

2012-03-08 Thread David Holmes
I'm trying to use openssl 1.0.1beta1 s_server with gnutls 2.4.1 (gnutls-cli). s_server is complaining of an unknown extension (see debug output below). Openssl 0.9.8h works just fine though. Is this a known issue? ./openssl s_server -key src/data/server.key -cert src/data/server.crt

Re: OpenSSL FIPS Object Module v1.2

2012-03-08 Thread Steve Marquess
On 03/08/2012 04:05 PM, Ashit Vora wrote: Thanks Steve. This makes sense (i.e. newer versions subsuming older versions). However given that 1.2 is no longer listed on the NIST website, that version can no longer be considered FIPS validated. This is an issue for deployed products that have

Re: OpenSSL FIPS Object Module v1.2

2012-03-08 Thread Steve Marquess
On 03/08/2012 05:12 PM, Steve Marquess wrote: On 03/08/2012 04:05 PM, Ashit Vora wrote: Thanks Steve. This makes sense (i.e. newer versions subsuming older versions). However given that 1.2 is no longer listed on the NIST website, that version can no longer be considered FIPS validated. This

Re: OpenSSL FIPS Object Module v1.2

2012-03-08 Thread Ashit Vora
Regarding the certificate, it will never be updated. Whenever the CMVP updates a listing because of a change letter process (IG G.5 scenario 1) they only update the website listing. They never update the certificate. The understanding is that the website listing supersedes the certificate. Please

Re: 1.0.1beta1, incompatibility with gnutls?

2012-03-08 Thread Peter Sylvester
On 03/08/2012 11:05 PM, David Holmes wrote: I'm trying to use openssl 1.0.1beta1 s_server with gnutls 2.4.1 (gnutls-cli). s_server is complaining of an unknown extension (see debug output below). Openssl 0.9.8h works just fine though. Is this a known issue? 127.0.0.1 is not a valid

Re: 1.0.1beta1, incompatibility with gnutls?

2012-03-08 Thread Dr. Stephen Henson
On Thu, Mar 08, 2012, David Holmes wrote: I'm trying to use openssl 1.0.1beta1 s_server with gnutls 2.4.1 (gnutls-cli). s_server is complaining of an unknown extension (see debug output below). Openssl 0.9.8h works just fine though. Is this a known issue? There was an issue relating

Re: OpenSSL FIPS Object Module v1.2

2012-03-08 Thread Steve Marquess
On 03/08/2012 06:09 PM, Ashit Vora wrote: Regarding the certificate, it will never be updated. Whenever the CMVP updates a listing because of a change letter process (IG G.5 scenario 1) they only update the website listing. They never update the certificate. The understanding is that the

Re: OpenSSL FIPS Object Module v1.2

2012-03-08 Thread Ashit Vora
Steve, First let me clarify that it isn't my intent to challenge OpenSSL validation. In fact the reason I started down this path is because I have a product that uses v1.2 and needs to claim FIPS compliance. I cannot legitimately make that claim if v1.2 is not listed. However I have sent a query

Via Padlock Engine Performance

2012-03-08 Thread Kyle Dodson
I just put together a mini workstation intended to run a VPN gateway/firewall that uses a Via Nano X2 CPU. From what I've read, Padlock (Via's hardware encryption) support should be working out of the box. So, I set out to benchmark the engine on 32-bit Ubuntu 10.04 using their default OpenSSL

RE: Please Clarify : Unable to verify leaf signature (21)

2012-03-08 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Mr.Rout Sent: Wednesday, 07 March, 2012 05:33 While setting up the TLS session I am facing the below error. TLS Alert Level: Fatal, Description: Unable to verify leaf signature (21) I created the chained certificate like below :