From: openssl-users On Behalf Of Viktor Dukhovni
Sent: Friday, June 12, 2015 02:47
1) 1.0.1l
./apps/openssl s_server -ssl3 -cert certdb/ssl_server.pem -WWW -CAfile
certdb/cafile.pem
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
With SSL 3.0, no
From: openssl-users On Behalf Of Aaron
Sent: Wednesday, June 10, 2015 03:47
We are using executable 'apps/openssl' in our test cases. We upgraded from
OpenSSL 1.0.1l to OpenSSL 1.0.2a recently. Since then one of our test
cases
started to fail. After checking, I noticed that the default
From: openssl-dev On Behalf Of Nayna Jain
Sent: Wednesday, June 10, 2015 20:31
If I have a pem file with private key in that, how do I check if that is
RSA/DSA ?
If it uses a legacy format, the BEGIN line specifies the algorithm
-BEGIN RSA PRIVATE KEY-
-BEGIN DSA PRIVATE KEY-
From: openssl-users On Behalf Of Marcus Vinicius do Nascimento
Sent: Tuesday, May 12, 2015 16:50
I did some quick research and found this:
http://en.wikipedia.org/wiki/Digital_Signature_Algorithm
If my understanding is correct, the public key is (p, q, g, y).
You might want to look at the
From: openssl-users On Behalf Of Nayna Jain
Sent: Friday, May 01, 2015 22:37
I have a privatekey file written using the call
PEM_write_bio_RSAPrivateKey(...)
The file write operation has been successful.
Do you mean the PEM_write_ returned 1, or do you mean the file contains
correct (or at
From: openssl-users On Behalf Of jonetsu
Sent: Wednesday, April 29, 2015 10:07
snip
The man page (the one online from OpenSSL project - SHA256.html)
gives a description using SHA1() which computes a message digest.
Note this is the same page for
From: openssl-users On Behalf Of m.de.groot
Sent: Thursday, April 30, 2015 14:46
I converted the pfx file to a pem file using the following command
openssl pkcs12 -in CustKeyIcBD001.pfx -out CustKeyIcBD001.pem -nodes
After this I trying to sign a file using this key with the following
From: openssl-users On Behalf Of jonetsu
Sent: Tuesday, April 28, 2015 13:53
What would be the equivalent of the SHA256() function in the EVP
class of methods ? EVP_sha256() could be it, although from the
short description in manual page it does not seemingly fit in,
returning a EVP_MD
From: openssl-users On Behalf Of Viktor Dukhovni
Sent: Monday, March 09, 2015 12:47
On Mon, Mar 09, 2015 at 02:23:53PM +0530, Deepak wrote:
kEDH:ALL:!ADH:!DES:!LOW:!EXPORT:+SSLv2:@STRENGTH
with SSL_CTX_set_cipher_list() be good enough to disable EXPORT40, 56
and 1024?
You only need
From: openssl-users On Behalf Of Dr. Stephen Henson
Sent: Friday, February 20, 2015 17:24
On Fri, Feb 20, 2015, Nathaniel McCallum wrote:
I'd like to use ASN1_item_d2i_bio() (or something similar) to parse an
incoming message. However, given that types like ASN1_OCTET_STRING
have
From: openssl-users On Behalf Of open...@lists.killian.com
Sent: Wednesday, February 18, 2015 13:26
I noticed that openssl(1) says that various things have been superseded by
genpkey, so I tried changing my scripts to use it. It works fine for RSA,
but the
man page is not very helpful on EC.
From: openssl-users On Behalf Of Rajeswari K
Sent: Monday, February 16, 2015 03:05
Our current signature and verification logics are working just fine
with TLS1.0 and TLS1.1 for ECDHE_ECDSA cipher suite.
But, when tested the same cipher suite with TLS1.2, SSL handshake
always failing
From: openssl-users On Behalf Of Rajeswari K
Sent: Friday, February 13, 2015 23:50
Hello Dave,
Based on your input, have stopped calling i2d_ECDSA_SIG()
and used BN_bn2bin() to overcome the der headers.
And now, my verification is working fine.
ECDSA_verify in ecs_vrf.c only uses i2d to
From: openssl-users On Behalf Of Rajeswari K
Sent: Friday, February 13, 2015 09:48
snip
As part of [ECDSA] signature verification, we first take lenght_of_signature
received
and compare with double the size of number_of_bytes from curve parameter.
Have converted the ECDSA_SIG to unsigned
From: openssl-users On Behalf Of Rajeswari K
Sent: Thursday, February 12, 2015 00:40
I have a query on d2i_PUBKEY() and i2d_PUBKEY().
i have a EC public key in form of character buffer.
Have inputted this character buffer to d2i_PUBKEY() and got EVP_PKEY format
EC key.
To be exact, a
From: openssl-users On Behalf Of Jörg Eyring
Sent: Wednesday, February 11, 2015 03:44
I'm generating a certificate request and the necessary entries are added
with:
...
if(!X509_NAME_add_entry_by_txt(subj,C, MBSTRING_ASC, (unsigned
char *) CountryName,-1,-1,0)) snip
From: openssl-users On Behalf Of Jerry OELoo
Sent: Wednesday, February 04, 2015 21:54
I am using openssl 1.0.2 on windows 7 OS.
I have put some root certificate files into a folder certs. when I
using X509_STORE_load_locations() to load this folder into store, it
returns 1 means success,
From: openssl-users On Behalf Of Rajeswari K
Sent: Monday, February 02, 2015 22:17
Thanks for responding. Following is the output printed by openssl
./openssl req -in csr.csr -noout -text
snip
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
From: openssl-users On Behalf Of Rajeswari K
Sent: Sunday, February 01, 2015 21:18
Am facing an issue of no shared cipher error during SSL Handshake,
when tried to negotiate ECDHE cipher suite.
snip
*Feb 2 01:00:47.894: SSL_accept:error in SSLv3 read client hello C
*Feb 2 01:00:47.894:
From: openssl-users On Behalf Of Kurt Roeckx
Sent: Tuesday, January 27, 2015 17:14
On Tue, Jan 27, 2015 at 11:42:51PM +0300, Serj wrote:
snip
What browsers do is cache the intermediate certificates. snip
That's one possibility. Another is that it uses AuthorityInfoAccess
to fetch the cert
From: openssl-users On Behalf Of Dr. Stephen Henson
Sent: Wednesday, January 21, 2015 09:28
On Wed, Jan 21, 2015, John Laundree wrote:
Ok, so I will naively ask the question How does one do TLS 1.0/1.1 in
FIPS
mode? Or is this no longer allowed, i.e. TLS 1.2 only?
The use of MD5 for
From: openssl-users On Behalf Of Dr. Stephen Henson
Sent: Wednesday, January 21, 2015 09:28
On Wed, Jan 21, 2015, John Laundree wrote:
Ok, so I will naively ask the question How does one do TLS 1.0/1.1 in
FIPS
mode? Or is this no longer allowed, i.e. TLS 1.2 only?
The use of MD5 for
From: openssl-users On Behalf Of Jerry OELoo
Sent: Tuesday, January 20, 2015 00:34
I am reading cer file into X509 object,
http://SVRSecure-G3-aia.verisign.com/SVRSecureG3.cer
cert = d2i_X509_fp(fp, NULL);
it will return fail, as below
Error: error:0D07207B:asn1 encoding
From: openssl-users On Behalf Of Purushotham Nayak
Sent: Wednesday, December 31, 2014 12:22
I have some data that was encrypted using the openssl (`AES_*`) functions.
I want update this code to use the newer (EVP_*) functions which are
FIPS compliant. But I should be able to decrypt data
From: openssl-users On Behalf Of Jaya Nageswar
Sent: Tuesday, December 30, 2014 02:36
... the output [is] different between openssl 0.9.8 and 1.0.1x versions as
the following methods
are being used in the code flow for the method PEM_write_bio_PrivateKey.
1.0.1x -
From: openssl-users On Behalf Of Bear Giles
Sent: Tuesday, December 30, 2014 16:53
I've been able to read and write most objects using both the PEM bio
and i2d/d2i functions. I know I can write an encrypted PKCS8 file with
PEM_write_bio_PKCS8PrivateKey().
How do I read encrypted PKCS8
From: openssl-users On Behalf Of Jaya Nageswar
Sent: Monday, December 22, 2014 05:51
In our application, we have been using openssl 0.9.8 and trying to move to
openssl 1.0.1x as 0.9.8 is going to be EOS by December 2015. We have a
sample application where we try to read a sample pem key
From: openssl-users On Behalf Of Michael Wojcik
Sent: Thursday, December 18, 2014 21:27
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On
Behalf
Of Kurt Roeckx
Sent: Thursday, December 18, 2014 16:36
To: openssl-users@openssl.org
Subject: Re: [openssl-users] OpenSSL
From: openssl-users On Behalf Of Kurt Roeckx
Sent: Thursday, December 18, 2014 16:36
On Fri, Dec 19, 2014 at 02:30:07AM +0530, Prabhat Puroshottam wrote:
***
This is for *Client - Agent*
***
[...]
Version
From: openssl-users On Behalf Of Hooman Fazaeli
Sent: Monday, December 08, 2014 09:36
1. The SSL_read in my http server app always reads the first byte of
http request, instead of the whole. To read the rest, I should do
further SSL_reads: snip
I have seen this pattern with firefox,
From: owner-openssl-us...@openssl.org On Behalf Of Prabhat Puroshottam
Sent: Tuesday, December 02, 2014 07:04
We have a product which uses OpenSSL to connect and transfer
application level data. There are two ways to connect, and get the
application level data from *Agent* to *Client*
1.
From: owner-openssl-us...@openssl.org On Behalf Of Jeffrey Walton
Sent: Monday, December 01, 2014 16:18
(reordered)
On Mon, Dec 1, 2014 at 3:47 PM, Tanel Lebedev tanel.lebe...@gmail.com wrote:
I'm building and packaging OpenSSL as a third party library in my app. I
also include a
From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills
Sent: Friday, November 21, 2014 12:30
Thanks. I guess I may have to open a problem with IBM. The IBM
documentation
clearly lists a number of cipher suites (at they call them) that use
SHA1
(including the one we (IBM+OpenSSL)
From: owner-openssl-us...@openssl.org On Behalf Of Malatesh Ankasapur
Sent: Tuesday, November 18, 2014 23:17
Note: you should post a new topic as a new message, not a reply. subject fixed
citrix reciever using the symbolic link .pem certificate so i did c_rehash
for my ceritficate
1.
From: owner-openssl-us...@openssl.org On Behalf Of Joerg Schmitz
Sent: Saturday, November 15, 2014 12:16
I hope you can help me. I'm about to sign jar-files with a self created
certificate
using OpenSSL. The jar-File contains an old Java-Applet which Java is
blocking
(as long as it is
From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills
Sent: Wednesday, November 19, 2014 14:08
10280:error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt
error:.\ssl\s3_pkt.c:1275:SSL alert number 51
http://tools.ietf.org/html/rfc5246.html#section-7.2
decrypt_error
From: owner-openssl-us...@openssl.org On Behalf Of Dan Si Atat
Sent: Wednesday, November 19, 2014 14:32
I am trying to emulate in OpenSSL java encryption algorithm.
When using RSA_public_encrypt are there parameters to emulate any of
these
combinations of parameters in Java?
From: owner-openssl-us...@openssl.org On Behalf Of Kyle Hamilton
Sent: Friday, November 14, 2014 22:03
SSL_OP_* are bitmasks.
SSL_CTX_set_options(conn-ssl_ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
On 11/14/2014 12:37 AM, Vaghasiya, Nimesh wrote:
conn-ssl_ctx =
Your questions are confused and I don’t have time to read through a lot of
code, but:
In OpenSSL, type RSA (typedef struct rsa_st) is used for both/all RSA keys.
When you generate a new keypair, the RSA structure is filled with fields for
both private key and public key. If you use the
From: owner-openssl-us...@openssl.org On Behalf Of Marcus Meissner
Sent: Wednesday, November 05, 2014 04:10
On Wed, Nov 05, 2014 at 08:28:40AM +, Mody, Darshan (Darshan)
wrote:
Hi,
Does Openssl support IPv6 officially?.
AFAIK the libssl and libcrypto libraries do not use sockets
From: owner-openssl-us...@openssl.org On Behalf Of Jerry OELoo
Sent: Wednesday, November 05, 2014 03:11
But when I go to www.google.com website, I find the leaf certificate
and intermediate certificate is ok, but root CA certificate (GeoTrust
Global CA) is not.
snip
Public Key SHA1:
From: owner-openssl-us...@openssl.org On Behalf Of Amir Reda
Sent: Wednesday, November 05, 2014 02:42
1- i generate rsa key pairs and try to print it in a pem file but when i open
the file it was empty
You never close or even flush the file. openssl uses C I/O and C I/O by default
is
From: owner-openssl-us...@openssl.org On Behalf Of tho...@koeller.dyndns.org
Sent: Thursday, October 30, 2014 14:50
I have... root_ca.pem ... self-signed ... issued host_ca.pem ...
I would expect the two to form a valid chain. And indeed,
verification succeeds:
... openssl verify -CAfile
From: owner-openssl-us...@openssl.org On Behalf Of Jerry OELoo
Sent: Tuesday, October 28, 2014 04:20
snip
Now I use i2d_RSAPublicKey() to encode on RSA* from EVP_PKEY which
will show same as [Chrome]
One more thing, I find use i2d_RSAPublicKey() will be get same public
between openssl API
From: owner-openssl-us...@openssl.org On Behalf Of Lewis Rosenthal
Sent: Wednesday, October 08, 2014 10:57
Actually, Jakob, I think it's the second one (the first one after the
pipe) which can come out, i.e.:
Yes.
openssl s_client -showcerts -connect google.com:443 \
/dev/null | openssl
verify status 18 (not strictly an openssl error) means that you (usually as a
client)
received a cert chain (usually from the server) with a root cert that is not in
your
truststore. Yes, this is a slightly confusing error description for this case.
If the root cert used should be
From: owner-openssl-us...@openssl.org On Behalf Of salih ahi
Sent: Thursday, October 02, 2014 04:03
I wrote an openssl server, which uses an on-the-fly created certificate
and signs it with the private key of another already created self-signed
certificate file. I am adding them both to
(Sorry, got stuck in my outbox and I didn't notice for a while)
From: owner-openssl-us...@openssl.org On Behalf Of Marco Bambini
Sent: Monday, September 22, 2014 02:44
Thanks a lot for the explanation, so instead of generating new parameters
on
the fly I could just create them once and then
From: owner-openssl-us...@openssl.org On Behalf Of Andy Schmidt
Sent: Wednesday, September 17, 2014 18:28
I just tracked down an obscure bug in our certificate authentication
code to a change in in the global mask for ASN.1 strings in
crypto/asn1/a_strnid.c.
From: owner-openssl-us...@openssl.org On Behalf Of Marco Bambini
Sent: Friday, September 19, 2014 12:04
my server needs to accept DHE ciphers from clients so I think I would need
to
be able to load static dh512.pem, dh1024.pem, dh2048.pem and dh4096.pem
certificates on server side. In order
From: owner-openssl-us...@openssl.org On Behalf Of Francis GASCHET
Sent: Wednesday, September 17, 2014 13:35
We use openSSL in OFTP2 implementation. The OFTP2 working group
decided
to strongly recommend to use preferably the cipher suites including PFS
(ephemeral Diffie Hellman).
snip
To
From: owner-openssl-us...@openssl.org On Behalf Of Gregory Sloop
Sent: Monday, September 15, 2014 22:50
And, one more question:
How can I tell what format/encryption my pkcs12 files are in?
[I believe for Android platform use, I need p12 certs/keys - so I'm working
on the
From: owner-openssl-us...@openssl.org On Behalf Of Dave Thompson
Sent: Friday, September 12, 2014 04:31
*If* you are now using a legacy-format encrypted private-key (and your
original
error message suggested you might need some form of private key, which does
necessarily mean legacy
-fingerprint is the hash of the whole cert. The question was hash of issuer
name.
If youre satisfied with hash of the issuer name as encoded, which should
not
but can differ from the canonicalized form OpenSSL uses for lookup, you can:
- use asn1parse to find the byte position of the
line is causing the problem with
openSSL?
Thank you,
Liz
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Dave Thompson
Sent: Tuesday, September 09, 2014 5:49 PM
To: openssl-users@openssl.org
Subject: RE: cannot read PEM key file - no start line
(Sorry not inline, my Outlook can’t do that for HTML.)
That’s actually a subvariant I forgot to describe: PKCS#8 *version 2*.
It has “BEGIN ENCRYPTED PRIVATE KEY” (not specifying RSA etc.) like version 1,
but instead of a single PBE algorithm-id PBE-with-$kdf-and-$cipher it has a
structure
I was half wrong before.
The base64 read in EVP_Decode* allows 76. But the PEM parser in PEM_read_bio
enforces exactly 64 only for input files that have PEM-encrypt headers
which in practice is only encrypted legacy-format privatekey files.
(Nonprivate things like cert, CSR, publickey,
From: owner-openssl-us...@openssl.org On Behalf Of Viktor Dukhovni
Sent: Monday, September 08, 2014 08:42
On Sun, Sep 07, 2014 at 07:26:05PM -0700, Liz Fall wrote:
I have checked and verified that there is no whitespace. Also, the
BEGIN
and END statements look correct. However, each
For the legacy formats (dashes-BEGIN PRIVATE RSA KEY or PRIVATE EC KEY)
just look on the DEK-Info: header line.
For PKCS#8 format (dashes-BEGIN ENCRYPTED PRIVATE KEY) do
openssl asn1parse key.pem
and the third line will be an OBJECT (really OID) in the form
pbeWithhashandcipher.
1) That doesn't make sense. Maybe you mean the socket come from (TCP-level)
accept and you give it to SSL_set_fd?
That does make sense and should work for one connection=socket at a time
i.e. accept #3, connect SSL to #3,
do send and receive until connection closed, close socket and SSL_clear,
This is not a –dev question, and there’s no need to send three times.
scp uses the SSH protocol. OpenSSL does not implement SSH.
OpenSSH, which is a different product from a different source, implements
SSH, although in their design the scp program doesn’t do any comms at all,
it just
and how do I generate an ECDSA certificate?
To generate a selfsigned ECDSA cert the same ways you do RSA,
except use EC instead of RSA.
- use req -new with EC key or -newkey with EC parms and -x509
to generate selfsigned cert directly.
- use req -new with key or -newkey to generate CSR,
then
Both of those are using an RSA certificate; DHE or ECDHE is key-exchange
only
not authentication. However the servers must configure *parameters* for
temp DH and temp ECDH respectively; do they? For ECDHE the parameters
must use one of the (named) curves specified by the client; openssl
From: owner-openssl-us...@openssl.org On Behalf Of Kyle Hamilton
Sent: Thursday, August 07, 2014 16:48
Your client is saying that it's failing the certificate verification of
the server certificate. It's probably not using the CAfile that you
passed to openssl s_client.
-Kyle H
On
From: owner-openssl-us...@openssl.org On Behalf Of Viktor Dukhovni
Sent: Monday, August 04, 2014 11:21
On Mon, Aug 04, 2014 at 05:43:47AM +, Mitra, Rituparna (STSD) wrote:
1. app1: sends a CGI POST request to app2 ? the POST request has
the
UN (username).
2. app2:
From: owner-openssl-us...@openssl.org On Behalf Of dave
Sent: Monday, August 04, 2014 15:50
I have it that the elliptic multiply is not standard. So I have been
skip tracing though the code.
It starts with ec_key.c, with EC_KEY_generate_key. This grabs the
group or or the particular
From: owner-openssl-us...@openssl.org On Behalf Of dave paxton
Sent: Thursday, July 31, 2014 20:12
In looking at this today I found what the new ec key is doing. It
does a BN_rand_range operation. That does have the rand.h include. It
looks like it is using from the random area
If by heavy bit you mean the most significant bit, that's backwards.
DES (and 3DES) keys put the parity bits in the least significant bit.
The low-level DES_* API in OpenSSL has options to set a key with
checking for parity and weak and semi-weak keys, or without,
and also routines to
This is almost certainly belongs in -users only, but if I restrict reply it
looks unanswered.
From: owner-openssl-us...@openssl.org On Behalf Of Nayna Jain
Sent: Thursday, July 31, 2014 17:37
We got one of our openssl version upgraded to openssl 1.0.1e version.
But after that I am facing
Did you successfully load the root cert into the SERVER truststore?
The requirements are not quite symmetric:
Almost always (except for anon and non-PK):
server MUST set privatekey and matching cert, and preferably any chain
cert(s) (you have none)
client MUST set truststore containing
From: owner-openssl-us...@openssl.org On Behalf Of Viktor Dukhovni
Sent: Thursday, July 24, 2014 14:18
On Thu, Jul 24, 2014 at 08:07:01AM -0700, phildoch wrote:
The key format needed by the system is algorithm-specific DER format.
I am not aware of any standard formats for keys other
It's a good idea for server to set client-CA list, but not required. If it
isn't set,
libssl server will send CertReq with an empty list, which the RFCs permit,
and the browsers I have to hand (IE9, FF31, Chrome36.something) all handle.
The OP's problem is more likely on the client side.
-4ubuntu5.14 installed
OpenSSL 1.0.1 14 Mar 2012
built on: Fri Jun 20 18:54:15 UTC 2014
platform: debian-amd64
As you pointed yes the server preference is set on the origin side.
--David
On Tue, Jul 22, 2014 at 9:17 AM, Dave Thompson dthomp...@prinpay.com wrote:
You can’t be running 1.0.1
You can’t be running 1.0.1 as released; it doesn’t have
BLOCK_CIPHER_PAD_IS_WRONG
in s3_pkt at all (instead in s3_enc and t1_enc) and doesn’t have
UNKNOWN_ALERT_TYPE
at that line number. BLOCK_CIPHER_PAD is at 419 in 1.0.1e through g, and
UNKNOWN_ALERT_TYPE shortly before (but not at) 1270
From: owner-openssl-us...@openssl.org On Behalf Of Walter H.
Sent: Thursday, July 17, 2014 13:58
does anybody know what to write in the extension config to get this
X509v3 Name Constraints as the attached certificate (intel-ca.pem,
intel-ca.text)?
From: owner-openssl-us...@openssl.org On Behalf Of Jeffrey Walton
Sent: Tuesday, July 08, 2014 20:33
On Tue, Jul 8, 2014 at 7:00 PM, Dave Thompson dthomp...@prinpay.com
wrote:
From: owner-openssl-us...@openssl.org On Behalf Of Jeffrey Walton
Sent: Tuesday, July 08, 2014 16:20
from Dave Thompson:
I would first try x509 -noout -subject|issuer -nameopt multiline,show_type
and see if that helps.
Pointed me in the right direction. What i found was that Issuer for
certificate A, which was the one that was NOT working, looked like this:
[cbarbe@localhost foropensslusers
From: owner-openssl-us...@openssl.org On Behalf Of Barbe, Charles
Sent: Sunday, July 06, 2014 22:42
I have the following certificates and associated private keys:
A - certificate A generated with one version of my software not using
openssl
B - certificate B generated with a new version of
From: owner-openssl-us...@openssl.org On Behalf Of Barbe, Charles
Sent: Monday, July 07, 2014 21:59
I will try an ASN.1 decoder tomorrow. Thanks for the suggestion!
One thing I did try today was to have both servers generate their
certificates
using the same private key. Theoretically I
From: owner-openssl-us...@openssl.org On Behalf Of nicolas@free.fr
Sent: Friday, June 13, 2014 06:15
the fact is a server can only send a single certificate, however this one can
be
signed by multiple CAs
Kind of. There's a difference between what we humans perceive as a CA
(somebody
From: owner-openssl-us...@openssl.org On Behalf Of Anant Rao
Sent: Wednesday, June 11, 2014 09:45
The signature is generated by a client program (also a 'c' program). What is
the format of a signature? How do I find out?
The format for an ECDSA or DSA signature is an ASN.1 SEQUENCE of two
From: owner-openssl-us...@openssl.org On Behalf Of open...@comaxis.com
Sent: Saturday, June 07, 2014 09:35
I am attempting to use the d2i_PKCS12_fp() API call in a Windows DLL
compiled with the multi-threaded (/MT) runtime library. On this call I
get the runtime error
On platforms where shared-lib is supported at all it is usually the default
build
and the conventional packaging. Are you sure you don’t already have it?
Or do you mean you want to build a different and/or modified version, as shared?
What almost(?) everybody does and the build process is
From: owner-openssl-us...@openssl.org On Behalf Of Sven Reissmann
Sent: Thursday, May 29, 2014 12:24
snip
What I did was:
- I generated a newRootCA (new keypair, selfsigned certificate).
- I generated another selfsigned certificate (bridgeCert) from the
newRootCA's private key. From
From: owner-openssl-us...@openssl.org On Behalf Of Jakob Bohm
Sent: Wednesday, May 28, 2014 13:04
On 5/25/2014 2:22 PM, Hanno Böck wrote:
Some clients (e.g. all common browsers) do fallbacks that in fact
can invalidate all improvements of later tls versions.
These fallbacks also can
From: owner-openssl-us...@openssl.org On Behalf Of Eisenacher, Patrick
Sent: Tuesday, May 27, 2014 12:41
From: Sven Reissmann
What I want to achieve is having a new rootCA, which replaces an
oldRootCA, which I am using until now.
So far the trust chain is: oldRoot - oldServerCert.
The third arg of PKCS7_verify (indata) should only be used for an ‘external’ or
‘detached’ signature
where the PKCS#7 does not contain the data. In your case it should be null.
Also note that the _BINARY flag isn’t actually used for “plain” PKCS#7, only
for SMIME.
And I don’t think it
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of David Li
Sent: Tuesday, May 20, 2014 13:05
snip
I am using SSL_CTX_use_certificate_chain_file() to load my server certificate
files at initialization.
The PEM file is created by concatenating
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Dustin Oprea
Sent: Tuesday, May 20, 2014 14:07
On Tue, May 20, 2014 at 1:04 PM, David Li dlipub...@gmail.com wrote:
snip
The code that you cited doesn't use SSL_CTX_use_certificate_chain_file.
http://www.openssl.org/support/faq.html#PROG6
and if you haven't loaded error strings
http://www.openssl.org/support/faq.html#PROG7
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Darshan Mody
Sent: Monday, May 19, 2014 09:13
To:
EVP_BytesToKey implements (a tweak on) the original PKCS#5, which derived a key
and IV
by iterated hashing of a (reusable but secret) password with random (i.e.
unique) salt.
Given random salt this gives effectively random IV, but is unnecessarily
complicated.
This was recognized as a
From: owner-openssl-us...@openssl.org On Behalf Of Edward Ned Harvey
(openssl)
Sent: Thursday, April 24, 2014 16:15
openssl pkcs12 -export -out mypkcs12.pfx -inkey my.private.key -in
mycert.crt -certfile intermediate.crt -CAfile ca.crt
(Correct?)
So ... I just tried this, and
A lot of things on the Internet are wrong. The OpenSSL man page does not say
multiple
occurrences work and I'm pretty sure it never did, nor did the code. In
general
OpenSSL commandlines don't handle repeated options; the few exceptions are
noted.
pkcs12 -caname (NOT -cafile) IS one of the
What exactly do you include in correctly?
As that entry (rightly) explains, the (or each) server must have a key cert
from a CA
trusted by the client, and the (or each) client must have a key cert from a
CA trusted
by the server. Most clients trust the “well-known” CAs like Verisign
From: owner-openssl-us...@openssl.org On Behalf Of chetan
Sent: Monday, April 14, 2014 00:42
xxx.c is my program file.
So, i'm compile simply like cc xxx.c .
I am Gettting [undefined reference]
This is basic C programming. Whenever you link (not just compile) a C
program
that uses a
Possibly too Postelian, OpenSSL answers a received heartbeat request
(and thus before the fix answers a malicious request with leaked data)
even if the heartbeat extension was negotiated off.
Only the build option to exclude the code stops it.
OpenSSL will *send* hb request only if/after
and to use when attempting to build the server certificate chain. The list
is also used in the list of acceptable client CAs passed to the client when
a certificate is requested.
Thanks,
Lakshmi.
From: Dave Thompson mailto:dthomp...@prinpay.com dthomp...@prinpay.com
Reply-To: mailto:openssl
1. Modify the uplink logic to hardcode your DLL, and make sure your users'
programs never call this modified openssl, probably by using a nonstandard
filename(s), and then stand ready to provide updates every few months.
2. Rewrite the uplink logic to figure out which DLL is providing the
Are you looking at x,y values or an encoded (external) point?
If the latter, it might be different encoding format, there are 3.
Otherwise, you probably have something wrong, since OpenSSL
successfully interoperates with other EC implementations.
Post details - if you want to keep K
Through 1.0.1, put the CRL in PEM format in CAfile (specified or defaulted)
or in CApath (ditto) named or linked as $hash.r$num (c_rehash can do for
you).
I've never seen a CA distribute PEM so you almost certainly need to convert.
And specify -crl_check or -crl_check_all (see the man page or
1 - 100 of 1095 matches
Mail list logo
