are
existing connections they continue to run on the previous www_context
until they close. New connections come off the new one. You just have
to run a mutex to make sure that you don't try to create a new
connection while the "re-keying" is "in process".
--
Karl Denning
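Added example, not Karl's code and not OpenSSL API code: the swap-on-rekey pattern described in the message above, written in plain C with a stand-in context so it compiles without OpenSSL. The type name tls_ctx, the function names and the generation counter are assumptions for the illustration. The one fact about the real library it relies on is that SSL_CTX is reference counted: SSL_new takes a reference on the context and SSL_free drops it, so a context that has been replaced stays alive until the last SSL created from it is freed. The mutex is the one piece you add yourself, around "read the current pointer and take a reference from it".

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for an SSL_CTX built from one load of the cert and key files.
   Only the reference count matters for the pattern; OpenSSL's SSL_CTX is
   counted the same way (SSL_new takes a reference, SSL_free drops it).
   This struct and the names below are assumptions for the example. */
typedef struct {
    int generation;      /* which load of the cert files produced this context */
    atomic_int refs;     /* one for the "current" slot plus one per live connection */
} tls_ctx;

static tls_ctx *current_ctx = NULL;                   /* what new connections get */
static pthread_mutex_t ctx_lock = PTHREAD_MUTEX_INITIALIZER;
static atomic_int freed_contexts = 0;                 /* instrumentation for the demo */

static tls_ctx *ctx_new(int generation) {
    tls_ctx *c = calloc(1, sizeof *c);
    if (!c) abort();
    c->generation = generation;
    atomic_init(&c->refs, 1);
    return c;
}

/* Drop one reference; the last one out frees (SSL_CTX_free semantics). */
static void ctx_release(tls_ctx *c) {
    if (c && atomic_fetch_sub(&c->refs, 1) == 1) {
        free(c);
        atomic_fetch_add(&freed_contexts, 1);
    }
}

/* Accept path: pin whatever context is current. Holding the lock across
   "read pointer, bump refcount" is what stops a concurrent rekey() from
   freeing the context between those two steps. With real OpenSSL the
   refcount bump is the SSL_new(current_ctx) call. */
tls_ctx *connection_acquire_ctx(void) {
    pthread_mutex_lock(&ctx_lock);
    tls_ctx *c = current_ctx;
    if (c) atomic_fetch_add(&c->refs, 1);
    pthread_mutex_unlock(&ctx_lock);
    return c;
}

/* Connection close path: where SSL_free would go. */
void connection_release_ctx(tls_ctx *c) { ctx_release(c); }

/* Re-key: build the replacement outside the lock (loading certs is slow),
   swap the pointer under the lock, then drop the slot's reference to the old
   context. Connections still holding it keep it alive until they close. */
void rekey(int generation) {
    tls_ctx *fresh = ctx_new(generation);
    pthread_mutex_lock(&ctx_lock);
    tls_ctx *old = current_ctx;
    current_ctx = fresh;
    pthread_mutex_unlock(&ctx_lock);
    ctx_release(old);      /* may free; deliberately outside the lock */
}

int ctx_generation(tls_ctx *c) { return c->generation; }
int ctx_refcount(tls_ctx *c) { return atomic_load(&c->refs); }
int freed_context_count(void) { return atomic_load(&freed_contexts); }

int main(void) {
    rekey(1);                                   /* initial load */
    tls_ctx *old_conn = connection_acquire_ctx();
    rekey(2);                                   /* cert renewed while old_conn is open */
    tls_ctx *new_conn = connection_acquire_ctx();
    printf("old connection on generation %d, new on %d, freed so far: %d\n",
           ctx_generation(old_conn), ctx_generation(new_conn), freed_context_count());
    connection_release_ctx(old_conn);           /* last holder: generation 1 freed now */
    printf("after old connection closed, freed: %d\n", freed_context_count());
    connection_release_ctx(new_conn);
    return 0;
}
```

Because SSL_new and SSL_free already do the counting, in real code the refs field above is SSL_CTX's own reference count and nothing of the stand-in survives except the mutex and the swap; the point to keep is that SSL_CTX_free on the old context is safe immediately after the swap, since open connections still hold their own references.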
re fine
as well.
This appears to be ok with the current code; I've yet to have it blow
up in my face, although at present the certs in question are reasonably
long-lived. Whether it's robust enough to handle very short-term
certificates I do not know.
--
Karl Denninger
ot how it works.
You post and reference a corporate email address, which he did, /you
just took the action under the banner of the company./
Akamai is entirely _*and justifiably*_ exposed to being "canceled" on
that basis.
--
Karl Denninger
On 2/12/2020 12:59, Michael Leone wrote:
>
> On Wed, Feb 12, 2020 at 1:24 PM Karl Denninger <k...@denninger.net> wrote:
>
> On 2/12/2020 11:32, Michael Leone wrote:
>> So we are mostly a MS Windows shop. But I use a Linux openssl as my
delegate intermediates as well.
Just note that when an end entity certificate is validated the entire
chain back to the root of trust (which is self-signed) has to be able to
be verified.
--
Karl Denninger
k...@denninger.net <mailto:k...@denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
smime.p7s
Description: S/MIME Cryptographic Signature
the workflow you are attempting to implement,
and why, because I suspect you may be going about this the hard way.
--
Karl Denninger
capability against the server so it can verify that the server it thinks
it is talking to is actually the one it's communicating with.
--
Karl Denninger
On 5/14/2019 09:48, Michael Wojcik wrote:
>> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
>> Karl Denninger
>> Sent: Monday, May 13, 2019 16:32
>> On 5/13/2019 16:44, Christopher R wrote:
>>> All I want is whatever remnants of t
en
create a new one under the same common name. Since the index file is a
flat file you can edit it, but you also have to make sure the other
places it references are also updated or the software can get confused.
The better choice when an error is made is to revoke the bad cert, which
preven
ependent. It may also
be that the hostname is not defined in the server's configuration file.
Without knowing what the web server in question is all I can do there is
guess as to exactly what is missing, but in any event the issue is in
the web server application configuration and not OpenSSL.
--
Karl Denninger
close(slave_socket[x].fd);
. Clean up the rest of the things you need to do
when the connection ends
Since the next connection may come from a different peer I do not use
SSL_clear but rather SSL_free.
The call to shutdown() tells the OS to send any data queued
just try to perform an
> encrypt-decrypt sequence using the pair I have, and use the success of
> that as confirmation that my ssl connection will work later, as far as
> the certs are concerned. Would that be the right way to go about it?
>
IMHO see above.
--
Karl Denninger
On 1/10/2018 14:07, Benjamin Kaduk wrote:
> On 01/10/2018 08:41 AM, Karl Denninger wrote:
>> We start with a context that I load a dhparam file to (so I can take a
>> DH connection) along with an edh curve, then set an acceptable cipher
>> list for it to use.
>>
?
--
Karl Denninger
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
the caller *should* free the underlying object when finished with it.
>
> I've now confirmed with a quick test program and valgrind.
>
> Oops,
> -Dave
Thanks.
--
Karl Denninger
X509 structure around
that got allocated by the d2i_X509 call or do I free it after I've
pushed it into the store?
The docs are silent on this as far as I can tell but some example code
I've seen floating around doesn't free it.
--
Karl Denninger
think you want is PEM_read_PrivateKey.
>
I'll look in there; my assumption was that I could trivially convert a
PEM file into an internal DER representation by stripping the flag lines
from the front and rear and then decoding the base64 piece.
Thanks; I'll figger it out :-)
--
Karl Denninger
On 12/28/2017 16:57, Karl Denninger wrote:
> On 12/28/2017 16:15, Karl Denninger wrote:
>> On 12/26/2017 14:07, Kurt Roeckx wrote:
>>> On Tue, Dec 26, 2017 at 01:42:57PM -0600, Karl Denninger wrote:
>>>> On 12/26/2017 13:14, Salz, Rich via openssl-users wrote:
>
On 12/28/2017 16:15, Karl Denninger wrote:
> On 12/26/2017 14:07, Kurt Roeckx wrote:
>> On Tue, Dec 26, 2017 at 01:42:57PM -0600, Karl Denninger wrote:
>>> On 12/26/2017 13:14, Salz, Rich via openssl-users wrote:
>>>> So if you put locks around the SSL_CTX object whe
On 12/26/2017 14:07, Kurt Roeckx wrote:
> On Tue, Dec 26, 2017 at 01:42:57PM -0600, Karl Denninger wrote:
>> On 12/26/2017 13:14, Salz, Rich via openssl-users wrote:
>>> So if you put locks around the SSL_CTX object when it’s used, then you
>>> can use the set private
*ctx, unsigned char *d, long len);
And likewise, I can just bytewise load a DER file (e.g. read() it into a
memory buffer) and then pass that as it's simply a binary copy of the
Base64 contained within the markers (plus the EC parameters if it's an
ECDSA key)?
If so that makes it materially easi
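Added example, not code from the thread and not OpenSSL's: what the "strip the armor lines and decode the base64" idea from the two messages above actually has to deal with, in plain C with no OpenSSL dependency. It walks a PEM file block by block (an EC key written by openssl ecparam -genkey carries an EC PARAMETERS block before the key), rejects a mismatched END label, flags the Proc-Type/DEK-Info headers of a legacy-encrypted key (whose base64 is ciphertext, not DER), and checks that the outer DER tag/length pair covers the decoded bytes exactly. The function and type names are assumptions for the illustration, and the sample PEM strings are constructed dummies (an OID and SEQUENCE { INTEGER 5 }), not real keys.

```c
#include <stdio.h>
#include <string.h>

/* One PEM block, decoded. Fixed sizes are fine for the example; a real loader
   would size der[] from the input. (Type and field names are assumptions.) */
typedef struct {
    char label[64];            /* text between "-----BEGIN " and "-----" */
    int has_headers;           /* RFC 1421 headers present: legacy encrypted key */
    unsigned char der[4096];
    size_t der_len;
} pem_block;

static int b64_val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Base64-decode [s, e), skipping line breaks; stops at '='. Returns length or -1. */
static long b64_decode(const char *s, const char *e, unsigned char *out, size_t cap) {
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; s < e; s++) {
        int c = (unsigned char)*s;
        if (c == '\n' || c == '\r' || c == ' ' || c == '\t') continue;
        if (c == '=') break;
        int v = b64_val(c);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= cap) return -1;
            out[n++] = (unsigned char)(acc >> bits);
            acc &= (1u << bits) - 1u;          /* keep only the leftover bits */
        }
    }
    return (long)n;
}

/* Parse the next "-----BEGIN x----- ... -----END x-----" block at *cursor.
   Returns 1 and advances *cursor, 0 when no block remains, -1 on malformed input. */
static int pem_next_block(const char **cursor, pem_block *blk) {
    const char *b = strstr(*cursor, "-----BEGIN ");
    if (!b) return 0;
    const char *lab = b + 11;
    const char *lab_end = strstr(lab, "-----");
    if (!lab_end) return -1;
    size_t ll = (size_t)(lab_end - lab);
    if (ll == 0 || ll >= sizeof blk->label) return -1;
    memcpy(blk->label, lab, ll);
    blk->label[ll] = '\0';

    const char *body = lab_end + 5;
    const char *end = strstr(body, "-----END ");
    if (!end) return -1;
    /* The END label must match the BEGIN label exactly. */
    if (strncmp(end + 9, blk->label, ll) != 0 || strncmp(end + 9 + ll, "-----", 5) != 0)
        return -1;

    /* Legacy OpenSSL-encrypted keys carry "Proc-Type:"/"DEK-Info:" headers ended
       by an empty line; the base64 after them is ciphertext, not DER. */
    blk->has_headers = 0;
    const char *dek = strstr(body, "DEK-Info:");
    if (dek && dek < end) {
        const char *blank = strstr(dek, "\n\n");   /* CRLF files would need "\r\n\r\n" too */
        if (!blank || blank > end) return -1;
        blk->has_headers = 1;
        body = blank + 2;
    }
    long n = b64_decode(body, end, blk->der, sizeof blk->der);
    if (n < 0) return -1;
    blk->der_len = (size_t)n;
    *cursor = end + 9 + ll + 5;
    return 1;
}

/* Check the outermost DER tag/length pair: returns the tag if the encoded
   length covers exactly n bytes (no truncation, no trailing junk), else -1. */
int der_outer_tag(const unsigned char *d, size_t n) {
    if (n < 2) return -1;
    size_t len, hdr;
    if (d[1] < 0x80) {
        len = d[1];
        hdr = 2;
    } else {
        size_t k = d[1] & 0x7f;                 /* long form: k length bytes follow */
        if (k == 0 || k > sizeof(size_t) || n < 2 + k) return -1;
        len = 0;
        for (size_t i = 0; i < k; i++) len = (len << 8) | d[2 + i];
        hdr = 2 + k;
    }
    return (hdr + len == n) ? d[0] : -1;
}

/* Walk every block, skip anything that is not a private key (e.g. EC PARAMETERS),
   and return the first PRIVATE KEY block whose outer DER element is a SEQUENCE
   (0x30). Encrypted blocks are returned with has_headers set and no DER check.
   Returns 1 found, 0 not found, -1 malformed. */
int find_private_key(const char *pem, pem_block *out) {
    const char *cur = pem;
    pem_block blk;
    int r;
    while ((r = pem_next_block(&cur, &blk)) == 1) {
        if (strstr(blk.label, "PRIVATE KEY") == NULL) continue;
        if (!blk.has_headers && der_outer_tag(blk.der, blk.der_len) != 0x30) return -1;
        *out = blk;
        return 1;
    }
    return r;
}

/* Constructed sample in the shape "openssl ecparam -genkey" writes: a parameters
   block before the key. Payloads are dummy DER (an OID, then SEQUENCE { INTEGER 5 }). */
const char demo_pem[] =
    "-----BEGIN EC PARAMETERS-----\n"
    "BgUrgQQACg==\n"
    "-----END EC PARAMETERS-----\n"
    "-----BEGIN EC PRIVATE KEY-----\n"
    "MAMCAQU=\n"
    "-----END EC PRIVATE KEY-----\n";

/* Constructed legacy-encrypted shape; the base64 here stands in for ciphertext. */
const char demo_encrypted_pem[] =
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "MAMCAQU=\n"
    "-----END RSA PRIVATE KEY-----\n";

int main(void) {
    pem_block k;
    if (find_private_key(demo_pem, &k) == 1)
        printf("%s: %zu DER bytes, outer tag 0x%02x\n", k.label, k.der_len, k.der[0]);
    if (find_private_key(demo_encrypted_pem, &k) == 1 && k.has_headers)
        printf("%s: encrypted, needs PEM_read_PrivateKey with a password callback\n", k.label);
    return 0;
}
```

In practice PEM_read_PrivateKey / PEM_read_bio_PrivateKey do all of this, including the decryption step; doing it by hand once shows why the raw bytes of a PEM file cannot be handed to d2i_PrivateKey while the bytes of a .der file can, which is the distinction the second message above is asking about.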
" program, not from the command line; we'll assume I have the key and
cert files already.)
TIA
--
Karl Denninger
es with the ballot that Rich mentioned since
you have more entropy than required.
At least I think that meets the requirements
--
Karl Denninger
sted.
Do be aware of the semantics and exceptions (which you must handle -- or
else) described in the documentation however -- especially for
non-blocking sockets. Due to the potential for renegotiations and
similar failing to pay attention to those can result in some pretty
interesting "surprises"
protocol itself implements window control
(size of outstanding transmissions that are allowed), sACK can come into
play, latency of the circuit and routing points in the middle get
involved, etc. For wide-area connections (think Internet) slow-start
congestion control (which helps avoid a fast se
e case with a
public CA. (In other words someone has to tell the CA it was stolen so
the CA can issue the revocation, and the application must check that
revocation resource.)
--
Karl Denninger
choose to load said keys) along with the ECDH cipher set. For a server
you also have to consider whether you're going to multiplex or
multithread as OpenSSL requires some additional attention at the
programming level (for locking) in a threaded application.
--
Karl Denninger
openssl.org/docs/manmaster/crypto/X509_VERIFY_PARAM_set_flags.html
>
> Hope this helps,
>
> Regards,
>
> Michel.
>
> *From:* openssl-users [mailto:openssl-users-boun...@openssl.org] *On behalf of* Karl Denninger
> *Sent:* lu
Wilson wrote:
> On the client side, double check that you are creating the SSL object
> from the context AFTER you set the client cert for the context, and
> not the other way around.
>
> On Sun, Jan 10, 2016 at 2:18 PM, Karl Denninger <k...@denninger.net>
On 1/10/2016 21:43, Viktor Dukhovni wrote:
> On Sun, Jan 10, 2016 at 08:20:41PM -0600, Karl Denninger wrote:
>
>> I found the problem... for an unexplained reason either the certificate
>> or key were corrupt; I have added checking to make sure they're
>> coheren
--
Karl Denninger
772/ssl/c-examples/NSopenssl/common.c
> <http://www.cs.odu.edu/%7Ecs772/ssl/c-examples/NSopenssl/common.c>
>
> look for "post_connection_check".
>
> This is just something I remember from reading. I have no experience
> with it.
>
> On Sun, Jan 10, 2016 at 7:07 PM, Karl De
lled (!) and when I attempt to get the peer certificate with
SSL_get_peer_certificate() so I can walk through it and check the
returned attributes (I wish to use the subjectAltName field among
others) I get back a NULL.
This has to be something stupid on my part, because I should get the
v