Re: [openssl-users] A self-signed CA certificate in the CA files *sometimes* stops verification working

2016-09-06 Thread Jakob Bohm
Could this be related to the recent work to treat the list of certificates as a SET of potentially relevant certificates rather than as an ordered list of certificates that must form the trust chain? Reading through the 1.1.0 changelog makes it unclear how much of this standards-compliance fix

Re: [openssl-users] A self-signed CA certificate in the CA files *sometimes* stops verification working

2016-09-06 Thread Viktor Dukhovni
On Tue, Sep 06, 2016 at 10:52:32PM +0200, Jakob Bohm wrote: > Could this be related to the recent work to treat the list of > certificates as a SET of potentially relevant certificates > rather than as an ordered list of certificates that must form > the trust chain? No, just a violation of the

Re: [openssl-users] A self-signed CA certificate in the CA files *sometimes* stops verification working

2016-09-06 Thread John Unsworth
Thank you Viktor for that valuable analysis. The original self-signed CA file has a NUL at the end which has been propagated when we created the concatenated CA file. We'll have to see how that cert was created and also correct our concatenation routine to cater for trailing NULs. That will

Re: [openssl-users] Async engine and BIOs

2016-09-06 Thread Matt Caswell
On 06/09/16 17:10, Nicolas Brunie wrote: > Hi Everyone, > I am trying to mix an application with a buffer BIO over a SSL BIO > which uses an asynchronous engine for offloading. > > I had a quick look at the SSL BIO (ssl/bio_ssl.c) and it does not > seem to care about the error

Re: [openssl-users] [openssl-dev] dates, times, durations in next release (commands)

2016-09-06 Thread Dongsheng Song
On Wed, Sep 7, 2016 at 3:14 AM, Salz, Rich wrote: > > > It's not a huge step to support full blown ISO 8601 (which has a few more > > alternatives to specify time intervals *). I like the idea. > > No, it *is* a huge step. There's a reason why W3C XML schema language > (XSD),

Re: [openssl-users] More secure use of DSA?

2016-09-06 Thread Blumenthal, Uri - 0553 - MITLL
>> There is a need to combine algorithms of different kind. Since the security >> of >> the chain is that of its weakest links - it necessitates comparison between >> those different algorithms. > > Only if you think everything has to be equally protected.   Usually it is not “equally” but “at

Re: [openssl-users] DTLS fragmentation and mem BIO

2016-09-06 Thread Lorenzo Miniero
2016-09-06 16:27 GMT+02:00 Matt Caswell : > > > On 06/09/16 15:22, Lorenzo Miniero wrote: > > 2016-09-06 16:05 GMT+02:00 Matt Caswell > >: > > > > > > > > On 06/09/16 14:55, Lorenzo Miniero wrote: > > > Apologies for reviving

Re: [openssl-users] Openssl 1_1_0 compatibility question

2016-09-06 Thread david
At 09:25 AM 9/5/2016, you wrote: david wrote: > On the client: > openssl enc -salt -a -A -aes128 -pass pass:123 > > On the server: > openssl enc -d -salt -a -A -aes128 -pass pass:123 > > When the ENCRYPTING software is 1_0_2h and the > decrypting software is 1_0_1e on Linux or 1_0_2h on

Re: [openssl-users] DTLS fragmentation and mem BIO

2016-09-06 Thread Matt Caswell
On 06/09/16 14:55, Lorenzo Miniero wrote: > Apologies for reviving this old thread, but a user of my project made me > notice that my code doesn't compile on Openssl 1.1.0 anymore. Apparently > the cause is some structures have been made opaque in the new version. > In my case, the structure

Re: [openssl-users] DTLS fragmentation and mem BIO

2016-09-06 Thread Lorenzo Miniero
2016-09-06 16:05 GMT+02:00 Matt Caswell : > > > On 06/09/16 14:55, Lorenzo Miniero wrote: > > Apologies for reviving this old thread, but a user of my project made me > > notice that my code doesn't compile on Openssl 1.1.0 anymore. Apparently > > the cause is some structures

Re: [openssl-users] DTLS fragmentation and mem BIO

2016-09-06 Thread Lorenzo Miniero
2015-06-05 20:42 GMT+02:00 Lorenzo Miniero : > 2015-06-05 20:18 GMT+02:00 Matt Caswell : > >> >> I see you got it working! Just some comments below >> >> On 05/06/15 12:34, Lorenzo Miniero wrote: >> > I've started looking into filters and I have some doubts,

Re: [openssl-users] DTLS fragmentation and mem BIO

2016-09-06 Thread Matt Caswell
On 06/09/16 15:22, Lorenzo Miniero wrote: > 2016-09-06 16:05 GMT+02:00 Matt Caswell >: > > > > On 06/09/16 14:55, Lorenzo Miniero wrote: > > Apologies for reviving this old thread, but a user of my project made me > > notice that my

[openssl-users] dates, times, durations in next release (commands)

2016-09-06 Thread Salz, Rich
I am thinking of standardizing the syntax for dates, times, and durations used by the applications in the next releases, based on http://www.w3schools.com/xml/schema_dtypes_date.asp (with the extension that lowercase letters can also be used). Objects that need dates (x509 etc) will have a

[openssl-users] Async engine and BIOs

2016-09-06 Thread Nicolas Brunie
Hi Everyone, I am trying to mix an application with a buffer BIO over a SSL BIO which uses an asynchronous engine for offloading. I had a quick look at the SSL BIO (ssl/bio_ssl.c) and it does not seem to care about the error SSL_ERROR_WANT_ASYNC coming from a SSL_write or a SSL_read.

Re: [openssl-users] A self-signed CA certificate in the CA file *sometimes* stops verification working

2016-09-06 Thread Viktor Dukhovni
> On Sep 6, 2016, at 11:53 AM, John Unsworth > wrote: > > I have noticed the following behaviour: > > 1 Create a certificate file with two CA certificates, one for the server > being connected to (server A) and one for another server (server B). > 2 Whichever

Re: [openssl-users] dates, times, durations in next release (commands)

2016-09-06 Thread Michael Sierchio
On Tue, Sep 6, 2016 at 10:40 AM, Jakob Bohm wrote: ... > Another related (long standing) issue is the inability to > state an "as of" date to the various commands and APIs that > validate signatures, certificates etc. Both past and future > dates can be needed in various

Re: [openssl-users] dates, times, durations in next release (commands)

2016-09-06 Thread Jakob Bohm
On 06/09/2016 19:11, Salz, Rich wrote: I am thinking of standardizing the syntax for dates, times, and durations used by the applications in the next releases, based on http://www.w3schools.com/xml/schema_dtypes_date.asp (with the extension that lowercase letters can also be used). Objects

Re: [openssl-users] [openssl-dev] dates, times, durations in next release (commands)

2016-09-06 Thread Richard Levitte
In message <490f88be6dcf4d5c9baa3f3b5e4c4...@usma1ex-dag1mb1.msg.corp.akamai.com> on Tue, 6 Sep 2016 17:11:01 +, "Salz, Rich" said: rsalz> I am thinking of standardizing the syntax for dates, times, and rsalz> durations used by the applications in the next releases, based

[openssl-users] A self-signed CA certificate in the CA file *sometimes* stops verification working

2016-09-06 Thread John Unsworth
OpenSSL 1.0.2h on Windows (different versions). I have noticed the following behaviour: 1 Create a certificate file with two CA certificates, one for the server being connected to (server A) and one for another server (server B). 2 Whichever way the CA certificates are ordered the connect works

Re: [openssl-users] [openssl-dev] dates, times, durations in next release (commands)

2016-09-06 Thread Richard Levitte
In message <3a1728b8c014426bb3e557832d275...@usma1ex-dag1mb1.msg.corp.akamai.com> on Tue, 6 Sep 2016 19:14:38 +, "Salz, Rich" said: rsalz> rsalz> > It's not a huge step to support full blown ISO 8601 (which has a few more rsalz> > alternatives to specify time intervals

Re: [openssl-users] A self-signed CA certificate in the CA files *sometimes* stops verification working

2016-09-06 Thread Viktor Dukhovni
On Tue, Sep 06, 2016 at 06:10:42PM +, John Unsworth wrote: > This seems to me to be very easy to validate by just inserting a self-signed > certificate at the front of a CAfile that works. > > Attached are the 3 certificate files. > > _CAcerts.good is the first file with two certs the

Re: [openssl-users] [openssl-dev] dates, times, durations in next release (commands)

2016-09-06 Thread Salz, Rich
> It's not a huge step to support full blown ISO 8601 (which has a few more > alternatives to specify time intervals *). I like the idea. No, it *is* a huge step. There's a reason why W3C XML schema language (XSD), not known for being lightweight, profiled the ISO standard. -- openssl-users

Re: [openssl-users] A self-signed CA certificate in the CA files *sometimes* stops verification working

2016-09-06 Thread John Unsworth
This seems to me to be very easy to validate by just inserting a self-signed certificate at the front of a CAfile that works. Attached are the 3 certificate files. _CAcerts.good is the first file with two certs the second of which is the CA cert for the server. _CAcerts.bad has the self-signed

Re: [openssl-users] [openssl-dev] dates, times, durations in next release (commands)

2016-09-06 Thread Salz, Rich
> Sorry, I was unclear. What I meant was that it's not a huge step from the XSD > to full blown ISO 8601. No, sorry, *I* was unclear. I think it is a huge step to go full-blown. E.g., all the missing fields and the 'w' duration.