My product got hit by this bug too (it uses 0.9.8y branch). I understand
the fix is in main branch, but I am curious - will 0.9.8 be patched
eventually?
Hello openSSL gurus,
I faced an issue of pathlen constraint checking by openSSL when verifying the
client certificate. I did few studies for how openSSL does that and I
appreciate your assistance on clarifying the issue.
1. The certificate chain with a pathlen constraint defined in a root CA:
Anybody here ? :-)
-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Serge Kolodeznyh
Sent: Thursday, February 17, 2011 12:55 PM
To: openssl-users@openssl.org
Subject: Shared library problem ?- Solaris - nonstandard ssl
Hello all.
I'm trying to build openssl 1.0.0 (c/d) on Solaris 10 u8 (x86/64bit).
I compiled it in 64-bit mode and with key -openssldir=/usr/local/ssl64
Make is ok and make test/install is ok.
But, when I'm checking links for shared libraries, I see that link to
libcrypto isn't found:
# ldd
the appropriate headers, libraries, dev package
using aptitude
HTH
Kind regards/met vriendelijke groet,
Serge Fonville
http://www.sergefonville.nl
Convince Google!!
They need to support Adsense over SSL
https://www.google.com/adsense/support/bin/answer.py?hl=enanswer=10528
http://www.google.com/support/forum
)
Is this at all possible? (using OpenSSI)
Thanks a lot in advance
Regards,
Serge Fonville
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Just a thought.
If the MAC is part of the client certificate, why would that prevent anything?
If you want to check the MAC, do that somewhere else, because if the
client can see it is in the cert, it can be spoofed
HTH
Regards,
Serge Fonville
On Wed, Sep 9, 2009 at 2:32 PM, Anoop C
All services are loadbalanced and will transparently fail over
To prevent split-brain I use a serial null-modem cable with heartbeat
Thanks a lot in advance
Regards,
Serge Fonville
that uses a certificate issued by any CA
Basically, are you distributing keys to terminals?
Regards,
Serge Fonville
On Wed, Sep 2, 2009 at 8:21 AM, Yin, Ben 1. (NSN - CN/Cheng
Du)ben.1@nsn.com wrote:
OK, regarding the CA deploy, such as, we have a one root ca and 1000 sub ca
signed by root ca
If your client application supports that, it could be done. but no
standard compliant application allows that to my knowledge.
On Wed, Sep 2, 2009 at 10:35 AM, Yin, Ben 1. (NSN - CN/Cheng
Du)ben.1@nsn.com wrote:
Hi Serge,
Maybe we can put the root ca into the verification chain if I can
, don't use openssl default verify functionality?
Br
Ben
-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of ext Serge Fonville
Sent: Wednesday, September 02, 2009 11:59 AM
To: openssl-users@openssl.org
Subject: Re: Verify
please show me the client side code? :-)
Thanks.
Br
Ben
-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of ext Serge Fonville
Sent: Wednesday, September 02, 2009 12:43 PM
To: openssl-users@openssl.org
Subject: Re: Verify
put in a vault
* Store only the CA certificates (not the keys) and the server
certificate and key on your server.
Obviously all keys are encrypted using a strong password...
Regards,
Serge Fonville
To answer your original question, you can not verify a chain without
all chain members to verify
/blogs/securitymonkey/howto-securing-a-website-with-client-ssl-certificates-11500
http://publib.boulder.ibm.com/infocenter/tpfhelp/current/index.jsp?topic=/com.ibm.ztpf-ztpfdf.doc_put.cur/gtps5/s5vctch.html
http://nl.wikipedia.org/wiki/Secure_Sockets_Layer
HTH
Regards,
Serge Fonville
On Wed, Sep 2
the root in the chain check,
but it should be part of the chain?
HTH
Regards,
Serge Fonville
On Tue, Sep 1, 2009 at 1:04 PM, Yin, Ben 1. (NSN - CN/Cheng
Du)ben.1@nsn.com wrote:
Hi,
Is there a way to verify certificate without root ca? I have 4 certificate:
rootca.pem is the root ca (self
Hi,
I was wondering, is it possible to specify all settings that are in
openssl.cnf on the commandline as well?
This would make generating certificates a lot easier.
Thanks in advance
Regards,
Serge Fonville
'
Are you distributing the keys as well?
HTH
Regards,
Serge Fonville
On Tue, Sep 1, 2009 at 2:13 PM, Yin, Ben 1. (NSN - CN/Cheng
Du)ben.1@nsn.com wrote:
I only want to verify the signature (I mean the procedure when sub ca
sign the certificate). So I guess sub ca and certification should have
of the purpose of the root ca if it should not
need to be trusted
Regards,
Serge Fonville
On Tue, Sep 1, 2009 at 3:52 PM, Yin, Ben 1. (NSN - CN/Cheng
Du)ben.1@nsn.com wrote:
No. In our environment. The root CA private key is isolated and absolutely
safe. Regarding the compromised, I mean CA can't
-outform DER -out ..\demo_store\certs\cert_server.der -CAform DER -CA
..\demo_store\certs\ca_cert.der -CAkeyform PEM -CAkey
..\demo_store\private\ca_private_key.pem -CAcreateserial
Regards,
Gerald
On Mon, Aug 17, 2009 at 7:20 PM, Serge Fonville
serge.fonvi...@gmail.com wrote:
What does your
The request is signed with the ca private key.
What command do you use when you start the s_server
HTH
Regards,
Serge Fonville
On Tue, Aug 18, 2009 at 10:38 AM, vishal saraswat
vishalsaraswat...@gmail.com wrote:
Hi,
To my surprise. I tried the same steps and I am getting a similar kind
I forgot,
I used this as examples
http://www.g-loaded.eu/2005/11/10/be-your-own-ca/
Also, googling on openssl certificate authority seems to help
On Tue, Aug 18, 2009 at 10:51 AM, Serge Fonville
serge.fonvi...@gmail.com wrote:
The request is signed with the ca private key.
What command do you
certificate to verify its contents
Regards,
Serge Fonville
On Mon, Aug 17, 2009 at 4:41 PM, Gerald Iakobinyi-Pich
nutri...@gmail.com wrote:
Hello,
I am trying to create a certificate, on win, and I am having some troubles
with OpenSSL. First I generate a key. That's ok. Then I create
On Mon, Aug 17, 2009 at 6:31 PM, Serge Fonville
serge.fonvi...@gmail.com wrote:
Hi,
I assume you have done a lot of googling and have read the docs
extensively.
First, what is your end goal?
Since creating a certificate and having it signed by your own CA is not
that difficult.
What
;c...@next-motion.de rfc822%3...@next-motion.de
Action: failed
Status: 5.2.2
X-Display-Name: Carsten Breitbarth - next.motion OHG
-- Forwarded message --
From: Serge Fonville serge.fonvi...@gmail.com
To: openssl-users@openssl.org
Date: Mon, 17 Aug 2009 18:20:37 +0200
Hi,
I figured out what I did wrong,
after a lot of googling I found that I needed to add copy_extensions = copy
to the ca_default section
After this, it woiks as expected.
Thanks for the help.
Regards,
Serge Fonville
On Sat, Aug 15, 2009 at 4:10 AM, Klarth kah@gmail.com wrote:
What
rather
solve it in a different way. Are there reasons why it needs to be done like
this?
Thanks in advance
Regards,
Serge Fonville
Hi Goetz.
Did the request contain the subjectAltName extension ?
Did the openssl.cnf file contain the copy_extensions entry ?
No it did not.
Thanks!
That completely solved my problem
Regards,
Serge Fonville
need to change.
What am I doing wrong?
Windows Vista Home Premium x64
Apache 2.2 x64
Openssl 0.9.8e x64
Thanks in advance,
Serge Fonville
Hi,
well I have to create a certificate for our main domain as well as for some
subdomains.
Use a wildcard domain for your CN
Unless each domain had a separate IP
You need to specify *.mydaomin.tld as the CN
HTH
Regards,
Serge Fonville
Has anyone of you an idea how to get that done, so
,
Serge Fonville
NSS is
the worst.
If anyone disagrees, please explain why!
HTH
Regards,
Serge Fonville
On Tue, Aug 11, 2009 at 9:35 AM, Roger No-Spam roger_no_s...@hotmail.com wrote:
Recently there has been some discussion on the Internet regarding so-called
null-prefix attacks, see
http://www.thoughtcrime.org
Recently there has been some discussion on the Internet regarding so-called
null-prefix attacks, see
http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf. Is openssl
vulnerable to this attack?
I read the PDF and my first question would be.
How is this relevant to openssl, since it is
Hi,
How do I get an issuer statement (when viewed in IE).
What settings in openssl.cnf are required and do I need to specify any
extra commandline switches?
Thanks in advance
Regards,
Serge Fonville
... was omitted from the manual pages, better
fix that.
I'll look into that
Regards,
Serge Fonville
anyone else with a similar problem can use it
I probably forgot some important points. so please do point them out
Thanks a lot in advance!!!
Regards,
Serge Fonville
@echo off
md "C:\ProgramData\OpenSSL\Fonville IT CA"
cd /d "C:\ProgramData\OpenSSL\Fonville IT CA"
md root
cd root
type NUL > index.txt
Hi,
is it possible to link statically the ssleay32.dll along my application so I won't need to provide the dll to my customers?
I use windows xp and msvc++ 6.0.
thank you.
hi,
I'm trying to compile with static libs using msvc 6.0
but unsuccessfully, is there a workspace (dsw) file or
makefile for msvc 6.0 to produce the ssl lib? so I can
link to my application without the need of a dll.
--- eggy [EMAIL PROTECTED] wrote:
Hello, I reformatted my pc a day or so
-
From: Serge
To: openssl-users@openssl.org
Sent: Monday, January 10, 2005 2:29 PM
Subject: linking ssleay32.dll statically inside
the app?
Hi,
is it possible to link statically the ssleay32.dll
along my application so I won't need to provide the
dll to my customers?
I
in my application, but still, only 1 mere kbyte
to support ssl/tls!!!
--- Bernhard Froehlich [EMAIL PROTECTED] wrote:
Serge wrote:
Hi!
It makes a lot of sense and I understand a lot
better
now, I was not encrypting my username and password,
I
think the encryption at that point (auth login
of course there is no check done in this code, just add the check for server answer, and it works!
Socket = HttpConnect ("smtp.gmail.com", 465);
read = SSL_set_fd(ssl, Socket);
read = SSL_connect(ssl);
read = SSL_get_error(ssl, read);
read = SSL_read(ssl, reply, sizeof(reply));
strcpy (reply, "EHLO
oh I know, I just send the piece of code as I test it out, of course, someone needs to refine, to add test for every line of code! to test return code from function.
David Schwartz [EMAIL PROTECTED] wrote:
read = SSL_read(ssl, reply, sizeof(reply));
strcpy (reply,
So far, I have tried with ssl functions, then with BIO functions but without success. I have searched for an answer or documents explaining how to do that but found none.
Here's what I do with ssl:
SSL *ssl;
SSL_CTX *ctx;
void __fastcall TForm1::Button1Click(TObject *Sender)
{
char reply[1024];
SOCKET
_errors_fp
(stderr); return pkey; }
This function fails on attempt to load key with
0x reading ;(
Something wrong? I guess in new version PEM_ASN1_read
has additional parameter and nobody knows about contents.
Thanks,
Serge Batov