Re: [openssl-users] How can I set up a bundle of commercial root CA certificates? (FAQ 16)

2015-12-13 Thread Ben Humpert
2015-12-13 3:53 GMT+01:00 Viktor Dukhovni:
> In other words, you can concatenate all the trusted root CA certs into the "cert.pem" file in that directory, but this has a performance cost, as all the certificates are loaded into memory and parsed even though most

Re: [openssl-users] How can I set up a bundle of commercial root CA certificates? (FAQ 16)

2015-12-13 Thread Walter H.
On 13.12.2015 11:34, Ben Humpert wrote: 2015-12-13 3:53 GMT+01:00 Viktor Dukhovni: In other words, you can concatenate all the trusted root CA certs into the "cert.pem" file in that directory, but this has a performance cost, as all the certificates are loaded into

Re: [openssl-users] How can I set up a bundle of commercial root CA certificates? (FAQ 16)

2015-12-13 Thread Viktor Dukhovni
> On Dec 13, 2015, at 5:34 AM, Ben Humpert wrote:
> 2015-12-13 3:53 GMT+01:00 Viktor Dukhovni:
>> In other words, you can concatenate all the trusted root CA certs into the "cert.pem" file in that directory, but this has a performance cost,

Re: [openssl-users] OCSP service dependant on time valid CRLs

2015-12-13 Thread daniel bryan
Thanks Erwann, I appreciate your point regarding the cost of a signing operation. I plan to take action on this. Pointing out RFC 5280 in regards to what status it will return when it fails to download a fresh CRL helped a lot. I now see that revoked is not "a" correct response according to the

Re: [openssl-users] How can I set up a bundle of commercial root CA certificates? (FAQ 16)

2015-12-13 Thread Ben Humpert
2015-12-13 20:27 GMT+01:00 Viktor Dukhovni:
> This is both wrong and irrelevant. The OP should proceed as instructed.
> OpenSSL's CAfile feature reads multiple certificates from a single file.
Exactly that is the point. Only "linux based" tools will be able to read

Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

2015-12-13 Thread Jayalakshmi bhat
Hi All, Thanks for all the responses. As mentioned by Matt in the discussion thread, constant_time_msb copies the msb of the input to all of the other bits so the return value should either be one of 0x or 0x. I found another interesting thing, constant_time_msb

Re: [openssl-users] How can I set up a bundle of commercial root CA certificates? (FAQ 16)

2015-12-13 Thread Salz, Rich
> And we don't know on which client OP will have to use that pem file, thus give advice that works on all clients, not just OpenSSL or GnuTLS or whatever.
It is quite reasonable to give openssl-specific answers on the openssl-users mailing list, isn’t it?