John Zornig wrote:
I came across a mistake in one of the HOWTO documents
http://www.openssl.org/docs/HOWTO/proxy_certificates.txt
- in all other cases, proxy certificate validation can be enabled
before starting the application by setting the envirnoment variable
OPENSSL_ALLOW_PROXY
On 18/07/2006, at 3:44 PM, Jorey Bump wrote:
John Zornig wrote:
I came across a mistake in one of the HOWTO documents
http://www.openssl.org/docs/HOWTO/proxy_certificates.txt
- in all other cases, proxy certificate validation can be enabled before starting the application by setting the
At 15:20 17.07.2006 -0700, you wrote:
Excuse me if I am saying the obvious.
But did you factor the fact that an SSL renegotiation
or handshake can happen anytime during the
conversation?
Yes, I know that. But in our case there is no renegotiation: SSL_write
never returns an error and if the
Hi all. I'm new here and I have a question.
I'm working with smart card at low level, without using opensc and other
software like it; now, I can compute digital signature of a stream of bytes
obtaining the same result as in OpenSSL. The digital signature is a stream
of bytes too, how can I
Girish Venkatachalam wrote:
But did you factor the fact that an SSL renegotiation
or handshake can happen anytime during the
conversation?
That's not strictly true, the receiving end does have a tiny bit of
control over when to process it. From recent discussion in this list my
Trying to find a full list of the options in the conf file please,
and the search order?
http://www.openssl.org/docs/apps/ca.html# shows some
but not all?
E.g. the _default
and _max
_min
etc
TIA
regards
--
Dave Pawson
XSLT XSL-FO FAQ.
http://www.dpawson.co.uk
Hi All,
Where do I find the definition for GENERAL_NAME_free? There are few
files using this function.
But I am not able to find the definition for this function. Please can any
one help me.
Thanks,
Jaya.
__
OpenSSL Project
Hello,
Hi all. I'm new here and I have a question.
I'm working with smart card at low level, without using opensc and other
software like it; now, I can compute digital signature of a stream of bytes
obtaining the same result as in OpenSSL. The digital signature is a stream
of bytes too, how
Henrik Thuermer wrote:
At 15:20 17.07.2006 -0700, you wrote:
Yes, I know that. But in our case there is no renegotiation: SSL_write
never returns an error and if the SSL_read return value is below zero
SSL_get_error returns only WANT_READ. In that case there was never something
in the outgoing
First of all, thank you for your answer.
You understand perfectly. Yes, as you said after some APDU exchange I have a
stream message digest encrypted with smart card private key. A stream like
this, for example:
79 E0 D4 DB AC 47 93 F6 D8 0C E8 FD A9 35 CB 45 64 06 20 D2...and so on...
Now,
Here is another interesting one,
What I mean by a null write is allow the write machinery to flush and
emit outstanding data or deal with renegotiation requests that need
write operations to be performed but I wont want to send any new
application data ?
The man page for SSL_write()
I use RSA_generate_key() function and I can get private key only as pkcs#1.
I can't find out how to convert it to pkcs#8.
Can anyone help me?
--
View this message in context:
http://www.nabble.com/How-to-store-RSA-priv.-key-in-pkcs-8--tf1959792.html#a5375956
Sent from the OpenSSL - User forum
Hello,
You understand perfectly. Yes, as you said after some APDU exchange I have a
stream message digest encrypted with smart card private key. A stream like
this, for example:
79 E0 D4 DB AC 47 93 F6 D8 0C E8 FD A9 35 CB 45 64 06 20 D2...and so on...
Now, how can I save this stream in
OK. I understand. But is there any way to do that without programming? This is
a little part of a big project and I'd like to test all steps before
starting to develop. I'd like to know if there is a simple way to create a
verifiable file from the bytes. I tried to use notepad, notepad++ and
Hi
The OpenSSL 9.8a has install.w64 file that gives details about how to
compile the same for 64 bit.. We are done with compilation and running
performance tests over the same.. In case anyone else has done this
exercise, please share the results and any issues with 64bit OpenSSL
(if any)..
Hi,
I am planning to ssl enable my client server
application, that I will be making available for commercial use. In this process
I had planned to use openssl command line utility as CA to give out certificates
(I am going to work as private CA). But just then, I came across a
Hi
I feel lots of people like us do use the OpenSSL CAs. One problem you
would face is to install the CA Cert in each and every client browser
else that would give pop-ups.. Apart from that, I feel this is as much
secure as any commercial CA..
-Krishna
On 7/18/06, Urjit Gokhale [EMAIL
Urjit Gokhale wrote:
Hi,
I am planning to ssl enable my client server application, that I will
be making available for commercial use. In this process I had planned
to use openssl command line utility as CA to give out certificates (I
am going to work as private CA). But just then, I came
Objective: To generate a certificate and private key for use by MS IIS server.
Used openssl to create the CA self signed cert.
Generated a cert request using openssl.
Issued request to the CA.
CA signs it and generates the cert.
We need this certificate to be loaded into an IIS certificate
Urjit Gokhale wrote:
So now I am a little confused about using openssl command line utility
as CA to give out certificates.
What could be the reasons for using anything other than openssl as CA?
Are there security issues?
Are people using openssl as their private CA? are any particular
At 11:14 18.07.2006 +0100, you wrote:
I'm a little interested in the three_byte_header situation you raised.
If I understand the outline correctly you were questioning whether it is
safe to mix calls of SSL_read() and SSL_write() because when you looked
over the SSL library code you saw a
Hello all,
I'm having a difficulty trying to find API info.
#1. I need to be able to encrypt strings with AES and pass that off to
other functions that will pass that data over regular http.
#2. For other data I'm looking to setup an https tunnel and pass data
through it.
I chose to look into
Hi.
I am writing an application that uses openssl. I need to be able to load
encrypted private keys.
I copied the code out of openssl/crypto/apps/ec.c (one of the key
types I'm importing is the ec-key type). Specifically, I call
PEM_read_bio_ECPrivateKey(bp, NULL, NULL, passin);
where bp
On Tue, Jul 18, 2006, Seth Nielson wrote:
where bp is the bio, and passin is the char* passphrase. It works
fine for unencrypted keys (passin == NULL), but it fails on encrypted
keys with the following message:
26600:error:0906B072:PEM routines:PEM_get_EVP_CIPHER_INFO:unsupported
On Tue, Jul 18, 2006, Dave Pawson wrote:
Objective: To generate a certificate and private key for use by MS IIS
server.
Used openssl to create the CA self signed cert.
Generated a cert request using openssl.
Issued request to the CA.
CA signs it and generates the cert.
We need
Do you know stunnel ( www.stunnel.org ) ?
You could use that to setup https tunnel.
man evp will give u enuf info on encrypting strings
with OpenSSL.
OpenSSL really is the definitive resource for
cryptography. :-)
Please find attached my code. It may be of use.
regards,
Girish
--- Mayorga,
We have our own CA that uses perl to call openssl directly, and have
used it for several years. We store everything in a database though
instead of relying on openssl's text files that it uses natively.
Right now we are in the process of rewriting the CA in ruby, so we can
use ruby on rails for
Great, thanks for that. Now I have some linker issues. My project settings
are set to /MTd so I'm linking against libeay32MTd.lib but no dice. Also,
I heard numerous mentions of INSTALL.W32 but I can't seem to find it,
where is it??
Thanks again,
AJ
-Original Message-
From: [EMAIL PROTECTED]
Marek Marcola wrote:
I think that this returns proper return code, for example
(some prepared errors):
I'll have to confirm, but this did not appear to be the case if the tool
failed to sign a csr due to a preexisting CN already issued in a cert. I
found just a size-zero file created.
Mike
--
Hello,
I think that this returns proper return code, for example
(some prepared errors):
I'll have to confirm, but this did not appear to be the case if the tool
failed to sign a csr due to a preexisting CN already issued in a cert. I
found just a size-zero file created.
Maybe good and
Hello,
If I'm using openssl to manage a CA, and I need to issue a new cert with
the same CN as a previously issued Cert, is it enough to revoke the
previous cert with that CN?
Thanks,
Mike
--
Michael P. Soulier [EMAIL PROTECTED], 613-592-2122 x2522
Any intelligent fool can make things bigger
You should be able to issue multiple certs to the same CN. One such
example would be an email-signing certificate, and a separate
code-signing certificate.
Revocation of the prior one is optional, but is encouraged if the
private key has been lost or compromised.
-Kyle H
On 7/18/06, Michael
Kyle Hamilton wrote:
You should be able to issue multiple certs to the same CN. One such
example would be an email-signing certificate, and a separate
code-signing certificate.
Thanks for the quick answer.
I've had problems doing this. The openssl tool complains that there is
already a cert
Marek Marcola wrote:
Maybe good and acceptable solution to this problem will be
just always checking newly created certificate,
for example with command:
$ openssl verify -CAfile cacert.pem new_cert.pem
This should give you information on generated certificate status
independently
Are you using CA.pl for it? (And what's the exact text of the error you get?)
-Kyle H
On 7/18/06, Michael P. Soulier [EMAIL PROTECTED] wrote:
Kyle Hamilton wrote:
You should be able to issue multiple certs to the same CN. One such
example would be an email-signing certificate, and a
Don't know the specifics but you do need all certs
till the root CA for verification in the web of
trust model.
You navigate up and up with the issuername matching
the subject name until both are same.
HTH
--- Michael P. Soulier [EMAIL PROTECTED]
wrote:
Marek Marcola wrote:
Maybe good
Kyle Hamilton wrote:
Are you using CA.pl for it? (And what's the exact text of the error you
get?)
No, I'm not. Let me reproduce it and capture it for you.
Mike
On 7/18/06, Michael P. Soulier [EMAIL PROTECTED] wrote:
Kyle Hamilton wrote:
You should be able to issue multiple certs to the same CN. One such
example would be an email-signing certificate, and a separate
code-signing certificate.
Thanks for the quick answer.
I've had problems doing
Hello,
Don't know the specifics but you do need all certs
till the root CA for verification in the web of
trust model.
Yes, and the file cacert.pem can have many certificates
or in other words - all needed.
Just add to this file all CA certificates from your
verify path.
Best regards,
--
What could be the reasons for using anything other than openssl as CA? Are
there security issues?
Are people using openssl as their private CA? are any particular problems
reported regarding the use of openssl as private CA on large scale?
I was designing an open Java/C CA a few years back,
On Tue, Jul 18, 2006, Michael P. Soulier wrote:
Hello,
If I'm using openssl to manage a CA, and I need to issue a new cert with
the same CN as a previously issued Cert, is it enough to revoke the
previous cert with that CN?
Note that there is no problem issuing a certificate with the
So now I am a little confused about using openssl command line utility as CA
to give out certificates.
What could be the reasons for using anything other than openssl as CA? Are
there security issues?
Are people using openssl as their private CA? are any particular problems
reported regarding
On 7/18/06, Dr. Stephen Henson [EMAIL PROTECTED] wrote:
On Tue, Jul 18, 2006, Michael P. Soulier wrote:
Hello,
If I'm using openssl to manage a CA, and I need to issue a new cert with
the same CN as a previously issued Cert, is it enough to revoke the
previous cert with that CN?
Note
Does openSSL licence permit to tailor openSSL? e.g., we only need the
SHA-512 algorithm, so we want to tailor openSSL to only include this
algorithm in order to reduce openSSL's footprint (we have very strict
footprint limitation requirement).
Is it permitted? Thanks!
Best Regards,
Xie, Bo
In message [EMAIL PROTECTED] on Wed, 19 Jul 2006 07:46:19 +0800, Bo Xie
[EMAIL PROTECTED] said:
xiebopublic Does openSSL licence permit to tailor openSSL? e.g., we only need the
xiebopublic SHA-512 algorithm, so we want to tailor openSSL to only include this
xiebopublic algorithm in order to
45 matches