Thanks a lot Jeff,
The book is really very useful.
On Sun, Feb 24, 2013 at 12:36 AM, Jeffrey Walton noloa...@gmail.com wrote:
On Fri, Feb 15, 2013 at 9:25 AM, Ashok C ash@gmail.com wrote:
On Thu, Feb 14, 2013 at 5:31 PM, Jeffrey Walton noloa...@gmail.com
wrote:
On Thu, Feb 14, 2013
Thanks Jeff,
My response inline.
On Thu, Feb 14, 2013 at 5:31 PM, Jeffrey Walton noloa...@gmail.com wrote:
On Thu, Feb 14, 2013 at 5:58 AM, Ashok C ash@gmail.com wrote:
Hi,
As part of implementing certificate expiry related alarms for my SSL
application, I would kindly require few
Thanks Steve and Kent for the pointers.
Makes things clear for now.
On Thu, Dec 6, 2012 at 4:22 AM, Dr. Stephen Henson st...@openssl.org wrote:
On Wed, Dec 05, 2012, Ashok C wrote:
Hi,
Our current SSL server loads plain-text private keys using the
SSL_CTX_use_PrivateKey_file()
method
Hi,
One more observation was made here in another test case.
*Configuration:*
One old root CA certificate oldca.pem with subject name say, C=IN
One new root CA certificate newca.pem with same subject name.
One EE certificate, ee.pem issued by new root CA.
*Test case 1:*
Using CAFile option in
of other readers:
I think Ashok was referring to AuthorityKeyIdentifier and
SubjectKeyIdentifier fields being absent from the root
CA certificates in his scenario.
On 9/24/2012 6:26 PM, Ashok C wrote:
Hi,
One more observation was made here in another test case.
_*Configuration:*_
One old root CA
PM, Ashok C wrote:
Only the private and public keys are different.. Rest of the fields are
same.. Basically I am simulating the trust anchor update related
scenarios..
And yes Jacob, thanks for indicating, I'll make sure I don't use such
abbreviations from here on..
Ashok
On Sep 24, 2012 11
Gentle reminder ..
Just want to know if this is a bug or intended behaviour.
--
Ashok
On Fri, Sep 14, 2012 at 3:12 PM, Ashok C ash@gmail.com wrote:
Hi Etkal,
s_client app or the OpenSSL cert store functionality that changed this.
The problem is with the openSSL store itself, as I had
certificate from the Windows
store? Duplicate expired/non expired CA certificates sounds to me like a
problem waiting to happen.
*Charles*
*From:* owner-openssl-us...@openssl.org [
mailto:owner-openssl-us...@openssl.org owner-openssl-us...@openssl.org]
*On Behalf Of *Ashok C
Sending again as the previous email did not appear in list.
Is there some problem with the mailing list?
--
Ashok
On Wed, Sep 12, 2012 at 2:59 PM, Ashok C ash@gmail.com wrote:
Hi,
I don't think this question was answered. Could you please reply?
--
Ashok
On Tue, Jul 31, 2012 at 11
Hi,
I don't think this question was answered. Could you please reply?
--
Ashok
On Tue, Jul 31, 2012 at 11:13 PM, Klaus Darilion
klaus.mailingli...@pernau.at wrote:
Hi!
I wrote a small program which dumps all root certificates from Windows
certificate store into a file. Then I use openssl
Hi,
Is there a way in which I can determine the correct issuer certificate of
an issued certificate(either intermediate CA or end entity) based on
comparing immediate pair alone.
Eg:
My hierarchy is like this:
Root
Intermediate CA 1
Intermediate CA 2
End entity
Is it possible to determine that
the intended behavior? Is it possible to have the old
behavior also in new openssl versions?
Thanks
Klaus
Is this behaviour intended in openssl-1.0.0 ?
--
Ashok
On Fri, Aug 3, 2012 at 3:28 AM, Dr. Stephen Henson st...@openssl.org wrote:
On Thu, Aug 02, 2012, Ashok C wrote:
Hi,
Is there a way
hear they are not. Would you have some
opinion/understanding regarding this?
--
Ashok
On Mon, Jul 30, 2012 at 8:17 AM, Dave Thompson dthomp...@prinpay.com wrote:
From: Ashok C [mailto:ash@gmail.com]
Sent: Saturday, 28 July, 2012 01:21
Thanks Dave. But main use case for me is the trust
*have* AKI/SKI.
Good luck.
--
*From:* Ashok C [mailto:ash@gmail.com]
*Sent:* Thursday, 26 July, 2012 02:08
*To:* Dave Thompson
*Subject:* Fwd: Forming the correct chain for an end entity certificate
Reg.
Hi Dave,
Could you please help me
, 2012 at 2:09 PM, Ashok C ash@gmail.com wrote:
Hi,
I read from the RFC5280 that AKI is mandatory for all certificates
generated by a conforming CA.
The keyIdentifier field of the authorityKeyIdentifier extension MUST
be included in all certificates generated by conforming CAs
at following files from openssl source code.
1. ssl_cert.c (around line number 626)
2. x509_vfy.c (around line number 153)
3. v3_purp.c (around line number 700).
good luck!
On Mon, Jul 23, 2012 at 8:41 AM, Ashok C ash@gmail.com wrote:
Hi,
I have a requirement to form a correct
match.
Of course, at the end you need to verify the signature. But that's not the
part of the certificate chain formation.
On Mon, Jul 23, 2012 at 10:06 AM, Ashok C ash@gmail.com wrote:
Thanks Sukalp,
But I would like confirmation for the algorithm also.
Whether SKI/AKI related checks
Hi,
What would be the unique names with which I can store CA certificates in
file system?
I understand that issuer-id and serial number are the unique identifiers
for a certificate. But using this name for a certificate file name makes it
very long and also introduces some characters like @,=
Hi,
I had almost the same requirement and eventually achieved it by patching my
openssl package's x509_verify code to do the check_cert_time() method
optionally depending on some conditions. Ideally I feel openSSL should
provide a validation flag like
*X509_V_FLAG_IGNORE_LIFETIME* which would
are solved for now. If you guys have any comments on
this, please let me know. Otherwise you can ignore the previous email.
Regds,
Ashok
On Wed, Mar 28, 2012 at 10:08 PM, Ashok C ash@gmail.com wrote:
Hi,
I am implementing CRL feature for my application and was doing a proof of
concept using
Hi,
I am implementing CRL feature for my application and was doing a proof of
concept using openSSL.
Here is what I did:
1. I used openssl commands to generate a v3 root CA certificate and also
the corresponding server certificate.
2. Now I revoked the server certificate using openssl
Hi,
What would be the most efficient and easiest way to distinguish a CA
certificate from an actual server/client(end entity) certificate?
We were thinking of identifying the CA with the CA:TRUE constraint from
the text display, but again this check does not cover x509 v1 certificates
where this
/2012 10:49 AM, Ashok C wrote:
Hi,
What would be the most efficient and easiest way to distinguish a CA
certificate from an actual server/client(end entity) certificate?
We were thinking of identifying the CA with the CA:TRUE constraint from
the text display, but again this check does not cover
Hi,
I understand that X509 is the preferred ITU-T standard for PKI.
But what would be the other certificate standards which are available and
those which a PKI solution needs to support?
First question would be whether there are any certificates which do not
belong to the X509 standard?
Also,
Hi,
I see that the openSSL certificate verify utility uses the
X509_verify_cert() in x509_vfy.c for certificate validation.
Based on the manual pages for verify, I understand that the order for
verification is as follows:
1. Firstly a certificate chain is built up starting from the supplied
Hi,
In addition to the online material, are there any good books which we can
refer to understand openSSL better? Both conceptually as well as from the
API/code perspective.
We hear of the Network Security with OpenSSL by John Viega as one good
reference. But it was published in 2002. Any good
...@ts.fujitsu.com
On 09.01.2012 13:10, Ashok C wrote:
Hi,
In addition to the online material, are there any good books which we
can refer to understand openSSL better? Both conceptually as well as
from the API/code perspective.
We hear of the Network Security with OpenSSL by John Viega
,
Ashok
On Tue, Dec 27, 2011 at 4:50 PM, Ashok C ash@gmail.com wrote:
Thanks Dave.
But regarding this:
Important note: make sure the old and new root certs have different
names. (Same for intermediate CAs, which your example doesn't have.)
OpenSSL looks-up using Issuer name only
:
From: owner-openssl-us...@openssl.org On Behalf Of Ashok C
Sent: Thursday, 22 December, 2011 10:55
Another doubt I have is about the SSL_CTX_set_client_ca_list
and the SSL_get_client_ca_list.
I understand that the set method is called by the server to
set the list of CA
, Dec 21, 2011 at 8:46 AM, Dave Thompson dthomp...@prinpay.com wrote:
From: owner-openssl-us...@openssl.org On Behalf Of Ashok C
Sent: Tuesday, 20 December, 2011 04:16
What will be the recommendation from the open source community for
supporting the following scenario
Hi,
What will be the recommendation from the open source community for
supporting the following scenario in a openSSL based client/server
application:
*The certificates involved:*
old CA certificate of the CA authority(root)
new CA certificate of the CA authority(root)
Server's end entity
with
the multi-level configuration. Thanks a lot for your patient help in this
regard.
Regds,
Ashok
On Sat, Dec 3, 2011 at 4:17 AM, Dave Thompson dthomp...@prinpay.com wrote:
From: Ashok C [mailto:ash@gmail.com]
Sent: Friday, 02 December, 2011 00:11
Keeping the things
locations in client side? Meaning, do we need to
build the chain from client side explicitly by ourselves?
Regds,
Ashok
On Fri, Dec 2, 2011 at 5:33 AM, Dave Thompson dthomp...@prinpay.com wrote:
From: owner-openssl-us...@openssl.org On Behalf Of Ashok C
Sent: Wednesday, 30
/patches, and built how?
We are running openssl-0.9.8g and 1.0.0d in normal x86/x86_64 environment
with few CVE patches.
On Tue, Nov 29, 2011 at 9:51 AM, Dave Thompson dthomp...@prinpay.com wrote:
From: owner-openssl-us...@openssl.org On Behalf Of Ashok C
Sent: Monday, 28 November
to the client?
P.S. My previous query also is unanswered. It would be great if I get some
responses to that also ;)
Regds,
Ashok
-- Forwarded message --
From: Ashok C ash@gmail.com
Date: Wed, Nov 23, 2011 at 12:55 PM
Subject: Usage of CAPath/CAFile options in int
Hi,
We are implementing multi-layer support for our openssl-based PKI solution
and had the following query:
Currently our PKI solution supports only single layer CA support and we use
SSL_CTX_load_verify_locations API with the CAFile option, meaning that the
service loads the CA certificate from
Hi,
I am a newbie user of openssl, and am using openssl C apis to verify
certificates.
Is there any way by which I can ignore the date verification and the
signature verification?
Thanks in advance.
Regds,
Ashok
Hi,
Does the openssl X509_verify certificate validation API support an argument
that supports skipping of signature and date validation?
Or is there any other way that I can achieve this optional verification.
Please help me out in this regard.
Regds,
Ashok.
Hi,
I was trying to find the correct API for extracting the subject/issuer name
from an x509 certificate using openssl library, but was unable to find the
exact one.
It would be great if someone guides me regarding this.
Thanks in Advance!
Regds,
Ashok
39 matches