Re: [EXTERNAL] RE: enforcing mutual auth from the client

2022-09-02 Thread Sands, Daniel via openssl-users
On Fri, 2022-09-02 at 00:22 +, Wall, Stephen wrote: > > A compromised server could easily still request the client > > certificate, no? > > But as noted, even a compromised server can ask for client > > credentials and then > > Yes, that's true. If the intruder knew to do so. Also, a thief

RE: [EXTERNAL] RE: enforcing mutual auth from the client

2022-09-01 Thread Sands, Daniel via openssl-users
> > It is not clear what threat model warrants taking special action when > > the client certificate is not requested. It could equally be > > requested and then largely ignored. > > A client in a highly secured network knows that every server it connects to > will > require a client

RE: [EXTERNAL] Re: IMPLEMENT_ASN1_FUNCTIONS tutorial or help

2021-08-17 Thread Sands, Daniel via openssl-users
> My latest attempt to code the below DER is this. It compiles, but the d2i > segfaults on apparently the second element. > > Anything obviously wrong? > > typedef struct { > ASN1_INTEGER *version; > ASN1_INTEGER *serialNumber; > X509_ALGOR *signature; > X509_PUBKEY *key; >

RE: [EXTERNAL] Re: IMPLEMENT_ASN1_FUNCTIONS tutorial or help

2021-08-17 Thread Sands, Daniel via openssl-users
> >> Now I would like to do the other end, where I have der and I want to > >> parse back to the structure, using d2i() > >> > >> 1 - Is there a tutorial on this? > > > > Seems like you don't need one. If you got i2d working you should have d2i > already! > > > > I wasn't clear. The input and

RE: [EXTERNAL] RE: DH_compute_key () - replacement in 3.0

2020-12-17 Thread Sands, Daniel via openssl-users
From: Narayana, Sunil Kumar Sent: Thursday, December 17, 2020 8:17 AM To: Sands, Daniel ; openssl-users@openssl.org Subject: [EXTERNAL] RE: DH_compute_key () - replacement in 3.0 Hi, For the equivalent replacement of DH_compute_key in 3.0, we tried to perform the steps

RE: [EXTERNAL] RE: DH_compute_key () - replacement in 3.0

2020-12-16 Thread Sands, Daniel via openssl-users
Hi Daniel, Thanks, we will try it out. One more doubt regarding DH_generate_key: as per the earlier suggestion we tried the following changes to replicate the generated key, but we observe that the output key does not match the one obtained by DH_generate_key() of older

RE: [EXTERNAL] RE: DH_compute_key () - replacement in 3.0

2020-12-15 Thread Sands, Daniel via openssl-users
We have generated the key using EVP_PKEY_gen as suggested in earlier emails, but since this was non-ephemeral and we wanted to store the key in "raw" octet bytes, we extracted the whole DH priv/pub key pair out from the key generated via EVP_PKEY_gen ( using as suggested…

RE: DH_compute_key () - replacement in 3.0

2020-12-14 Thread Sands, Daniel via openssl-users
to exactly replace this we are generating “pubparam_key/priparam_key” using bn_publicKey/dh->priv_key as below OSSL_PARAM_BLD *pubparamsbld = NULL, *priparamsbld = NULL; OSSL_PARAM *pubparams = NULL, *priparams = NULL; EVP_PKEY *pubparam_key = NULL, *priparam_key = NULL; EVP_PKEY_CTX *pubctx =

RE: DH_generate_key

2020-12-08 Thread Sands, Daniel via openssl-users
Dear openssl team, While migrating from 1.0.2 to 3.0, we found that DH_generate_key() has been deprecated. And as per the man page, it is advised to use EVP_PKEY_derive_init &

RE: [EXTERNAL] How to get all certs into a .der file.

2020-05-22 Thread Sands, Daniel via openssl-users
According to the documentation, cURL can use p12 files just fine. curl --cert bob.p12:bobspassword --cert-type p12 https://some.secure.site Or you can omit the password part and use -key mykey with your password in the mykey file, in order to hide the password from PS queries. From:

Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

2018-12-03 Thread Sands, Daniel via openssl-users
On Sat, 2018-12-01 at 15:53 -0500, Viktor Dukhovni wrote: > On Sat, Dec 01, 2018 at 07:12:24PM +, Michael Wojcik wrote: > > > > Are there compatibility concerns around changing error message > > > text for which users may have created regex patterns in scripts? > > > > > > I agree the text

Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

2018-11-30 Thread Sands, Daniel via openssl-users
On Fri, 2018-11-30 at 23:55 +, Michael Wojcik wrote: > > "Self-signed certificate in certificate chain" does not to me > > > convey "No > > > certificate hash links" (or "CA certificate not found in hash > > > links"). > > > Viktor's points are all good ones, but considering how often this >