From: David von Oheimb
Date: Monday, October 3, 2022 at 15:13
To: Uri Blumenthal, openssl-users
Subject: Re: Q: creating CSR for encryption
Requesting a cert in a CSR for a key pair that cannot be used for signing is
indeed impossible in the widely used PKCS#10 format
(except if one breaks the PKCS#10 requirement of a self-signature, e.g., by
applying a dummy signature).
A viable solution is to use a different CSR format, such as
Hi, I'm not an expert on this topic, but this looks like it is of interest here:
https://stackoverflow.com/questions/58488774/configure-tomcat-hibernate-to-have-a-cryptographic-provider-supporting-1-2-840-1
On 23 Aug 2022 10:34:51, 李周华 wrote:
> Hi, guys
>
>
> I have use the follow openssl commands to
The below warning message looks a bit like it was produced by OpenSSL,
but pretty sure it actually comes from the freeradius server code, which
appears to use one of the OpenSSL certificate checking callback
mechanisms. So you should ask there what the exact intention for this
warning is and how
Yes, the TLS diagnostics can be confusing:
it reports "wrong version" also when there is no TLS (version) being
used by the peer at all.
David
On Mon, 2022-07-11 at 00:16 -0400, Viktor Dukhovni wrote:
> On Sun, Jul 10, 2022 at 02:41:23PM +, loic nicolas wrote:
>
> > I am trying to connect
due to some general build issue you have, such as some
inconsistency with pre-installed OpenSSL versions.
Sorry that I do not have the time to provide further aid on such general
build issues.
David
>
> Am 2022-06-21 22:52, schrieb David von Oheimb:
> > Hallo Beni,
> >
> > go
Hi Michael,
openssl pkcs12 -in "inCert.p12" -out "out.pem" -passin pass: -nodes
is sufficient to convert all credentials in the PKCS#12 file to a single
PEM file with the key being stored unencrypted.
Since OpenSSL 3.0, the outdated -nodes option has been deprecated, so
better use -noenc there.
Since OpenSSL 3.0,
one can use the -copy_extensions option of openssl req to copy over any
SANs contained in the CSR to the cert being created
or use -addext to directly specify extensions without the need to use a
config file,
or simply use the -x509 and -subj options to build a cert from
Hi Philip,
I just had a look at the commit you referenced.
Indeed this bug got fixed there, apparently without this fact being mentioned
there. This commit was part of OpenSSL_1_1_0-pre1, so presumably it was
released with 1.1.0.
15 May 2022
Yeah, self-signed certs are absolutely useful - you just need to be very
careful which ones you trust for what.
Such certs are widely used to provide trust anchor information,
typically of root CAs,
but conceptually and pragmatically, as Jordan also stated below,
they can make much sense even
@Philip,
it should not be hard to copy the core code from apps/req.c and cut out
all parts not needed for generating a PKCS#10 CSR (including its
self-signature).
Yet beware that a general-purpose library function that has (at least)
the flexibility offered by that app would need a
On 13.10.21 01:32, Philip Prindeville wrote:
Is there demo code for creating a CSR?
demos/x509/mkreq.c seems to have gone away a while ago...
Thanks!
What I generally take as demo/sample code is the OpenSSL apps
implementation in apps/ ,
though that can be rather complicated due to many
Hello Hiroshi,
unfortunately the memory allocation failure reporting of OpenSSL is
still unsystematic;
see also https://github.com/openssl/openssl/issues/6251.
SSL_CTX_new() is pretty complex and can fail for many reasons.
In the case you quote below, its call of
EVP_get_digestbyname("ssl3-md5")
Hello Dennis,
here are answers to your questions.
* All CRL signatures are (by default) verified - otherwise status
checking by CRLs would be insecure. The function used is
def_crl_verify() in crypto/x509/x_crl.c
* All CRLs are kept in the X509_STORE such that they can be reused for
What I use is
X509_NAME *nname = parse_name(string, MBSTRING_ASC, 1, desc);
which is not an official API function but defined in apps/lib/apps.c:
/*
* name is expected to be in the format /type0=value0/type1=value1/type2=...
* where + can be used instead of / to form multi-valued RDNs
Hi Marc,
I just came across your below message of March, which arrived in a bit
weird form (I removed duplicate text sections in the below quote) and
appears unanswered - sorry for that.
It has been a while since I last used engines, but the following variant
-newkey
Hello Petr,
thank you for your message and filing the related issue at
https://github.com/openssl/openssl/issues/16041.
I very much appreciate such feedback on the new CMP implementation and
its tests.
You are right that the behavior of the mock server appears pretty
strange regarding the checks
Hello Reinier,
around five years back I was looking for such an implementation as an
alternative to the rather limited CAPI engine, mostly because the
C(rypto )API does not support ECC.
The only thing I found at that time was
https://mta.openssl.org/pipermail/openssl-dev/2016-June/007362.html and
On Thu, 01 Jul 2021 15:22:46 +0200, Joe Carroll wrote:
> I'm getting a "missing separator" error on line 56.
Would be good to add a note to the top of both Makefile and makefile for
which flavor of make they are intended,
and maybe we can add some check to them that gives a more to-the-point
hint
I also had this problem several years back but did not find the nifty
though counter-intuitive workaround using cr2pkcs7 given below.
Since then I've been using a Perl script like this:
> #!/usr/bin/perl
> $/ = '-END CERTIFICATE-';
> while(<>) {
> if(m|$/|s) {
> print STDERR
Hi Nan, Viktor, et al.,
From: openssl-users <https://mta.openssl.org/mailman/listinfo/openssl-users> On Behalf Of
Viktor Dukhovni, Sent: Wednesday, 31 March, 2021 10:31
> Most likely you haven't configured a suitable CAfile and/or CApath,
> which contains the root CA that ultimately issued
Embedded Devel,
my sympathy - I know this can be painful and frustrating.
From which old OpenSSL version to which target version do you need to
get the code updated?
And as info to whoever may be considering picking up this task: which is
your timeline for that?
Within OpenSSL we are currently
I'd welcome support for CBOR(-encoded) certificates since they can save
a lot of space
for both the data itself and the code handling it, which may be vital
for IoT scenarios, for instance.
It looks like the standardization of their definition got pretty far
already.
Although it is certainly
On 01.01.21 08:07, 定平袁 wrote:
> @David von Oheimb <mailto:d...@ddvo.net>
> Thank you so much for your deep investigation!
My pleasure!
> With subjectKeyIdentifier and authorityKeyIdentifier extensions, it
> works like a charm!
Good to hear.
I've meanwhile submitted a pull
On 25.12.20 00:35, 定平袁 wrote:
> @David von Oheimb <mailto:d...@ddvo.net> I will update to a new version
> and try again.
Good. Ideally try also a current 3.0.0 alpha release because there have
been some changes to cert chain building and verification recently.
> To append cert
.30
> (0x7f4b7e851000)
> ```
> Actually, the old cert and new cert both are not expired yet, just the
> old cert is not consistent with server side. The new cert has the same
> content with server side imported cert(after replaced).
>
> David von Oheimb <mailto:d...@ddvo.net> wrote on 2020
Back on 13 May 2016 I had proposed by email to a couple of people
including Rich Salz
a third library level (on top of crypto and ssl) with more high-level,
application-oriented code.
His response was:
> That is a really interesting idea. Please bring this up on openssl-dev
> mailing list.
Then
on developers?
Maybe other OpenSSL users have specific experience on error and timeout
handling for BIO_do_connect() etc.
and can comment in more detail on the (approximate) solution,
bio_connect(), that I gave below?
On 28.08.2017 13:46, David von Oheimb wrote:
> Hi all,
>
> I'
Hi,
is anyone out there developing or planning an implementation of EST
(Enrollment over Secure Transport) in C/C++, making use of OpenSSL?
Best,
David