It appears this is resolved already, sort of. It appears the one thing I did
not try after revoking the serverCA certificate with my root was to concatenate
the new CRL to the root cert on the client machine. When I did that, my client
got a certificate revoked error.
However, I do have a
However, I do have a question. Is there any way around this requirement? The
requirement of apending the root certificate and CRL files on the client
machine in /etc/ssl/crls?
It totally depends on the client program that you are using. So, which client?
The validation code won't, on
@openssl.org
Date: Wed, 30 Jul 2014 15:15:51 -0400
Subject: RE: Can't get my CRL to work on my OpenSSL client
However, I do have a question. Is there any way around this requirement?
The requirement of apending the root certificate and CRL files on the
client machine in /etc/ssl/crls
No, I'm saying that putting the CRL's into the local directory is okay, and
OpenSSL will parse them. How you get them there is your issue :)
--
Principal Security Engineer
Akamai Technologies, Cambridge MA
IM: rs...@jabber.memailto:rs...@jabber.me Twitter: RichSalz
: Can't get my CRL to work on my OpenSSL client
No, I’m saying that putting the CRL’s into the local directory is okay, and
OpenSSL will parse them. How you get them there is your issue J -- Principal
Security EngineerAkamai Technologies, Cambridge MAIM: rs...@jabber.me Twitter:
RichSalz
No, I was confused; when you said append to the root cert I thought you meant
copying it into the local directory. You meant literally appending it to the
cert. I suppose you could create a new file with a similar name...
--
Principal Security Engineer
Akamai Technologies, Cambridge MA
IM:
tell.
Thanks for your prompt responses, by the way.
From: rs...@akamai.com
To: openssl-users@openssl.org
Date: Wed, 30 Jul 2014 16:02:56 -0400
Subject: RE: Can't get my CRL to work on my OpenSSL client
No, I was confused; when you said “append to the root cert” I thought you meant
copying
Yes, but as far as I'm aware doesn't go very far into that part of the code.
See what happens when other devs (in timezones closer to GMT) reply.
--
Principal Security Engineer
Akamai Technologies, Cambridge MA
IM: rs...@jabber.memailto:rs...@jabber.me Twitter: RichSalz
On Wed, Jul 30, 2014, Jason Schultz wrote:
OK. So as far as you're aware, there's not a way to avoid the requirement of
the combined root cert/CRL file when checking for revoked certificates? I
would prefer to just have to deal with the CRL in PEM format, but the CRL
file must always be the
every .pem file in the
/etc/ssl/crls directory and read in each one(successfullly).
Date: Wed, 30 Jul 2014 23:44:45 +0200
From: st...@openssl.org
To: openssl-users@openssl.org
Subject: Re: Can't get my CRL to work on my OpenSSL client
On Wed, Jul 30, 2014, Jason Schultz wrote:
OK. So
Thanks Steve,
I have been having a discussion with some friends of mine on this.
They were thinking that the problem from the recent random number issue
is a real problem in older 32 bit systems. I was thinking it is not as
bad as they are thinking. Since I was looking into this with the old
On Wed, Jul 30, 2014 at 5:54 PM, dave paxton dpax...@me.com wrote:
...
They were thinking that the problem from the recent random number issue
is a real problem in older 32 bit systems. ... One suggestion is they
used a get milli command to fill the 64 bits. I thought that was
silly. So I
12 matches
Mail list logo