X509_STORE function to clear error

2010-06-03 Thread Arunkumar Manickam
Hi, What is the function to use to clear any error in X509_STORE_CTX? Thanks, Arun

RE: unable to build dynamic library on HP-UX RISC and Itanium

2010-06-03 Thread Alona Rossen
This is a suggested configuration. -D stands for preprocessor define. /home/sambuild/OpenSSL ./config -h Usage: config [options] -d Add a debug- prefix to machine choice. -t Test mode, do not run the Configure perl script. -h This help. Any other text will be passed to the

RE: unable to build dynamic library on HP-UX RISC and Itanium

2010-06-03 Thread Alona Rossen
Extra -DXXX does not hurt the preprocessor :-) This is OpenSSL 0.9.8 -Original Message- From: William A. Rowe Jr. [mailto:wr...@rowe-clan.net] Sent: June 2, 2010 5:11 PM To: Alona Rossen Cc: openssl-users@openssl.org Subject: Re: unable to build dynamic library on HP-UX RISC and Itanium

Detect CRL format

2010-06-03 Thread Arunkumar Manickam
Hi, Given a CRL file, how to detect its format, whether it is in PEM encoded format or ASN1? Thanks, Arun

Re: Detect CRL format

2010-06-03 Thread Mounir IDRASSI
Hi, One simple and efficient method to distinguish between PEM and DER encoding for a CRL or a certificate is to read the first byte: if it's equal to 0x30 then it is DER (this is the start of an ASN.1 Sequence), otherwise it is PEM encoded. This works ONLY if you are sure that the given
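The first-byte rule from the post above, carried through as an added example (this is not code from the thread or from OpenSSL). It keeps the 0x30 heuristic but adds the checks a practitioner wants before trusting it: the DER length octets must account for the whole blob, and a PEM file must carry a BEGIN/END armor whose base64 payload itself decodes to a SEQUENCE. The sample inputs are constructed stand-ins (a SEQUENCE holding one INTEGER), not real CRLs, and the decoy shows where the bare first-byte test misfires.

```python
"""Distinguish DER from PEM for a CRL or certificate blob.

Added example, not code from the openssl-users thread or from OpenSSL.
The sample inputs below are constructed and are not real CRLs.
"""
import base64
import re

# Armor line pair, e.g. "-----BEGIN X509 CRL-----" ... "-----END X509 CRL-----"
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)


def naive_first_byte(data: bytes) -> str:
    """The heuristic exactly as stated in the post: 0x30 means DER, else PEM."""
    return "DER" if data[:1] == b"\x30" else "PEM"


def der_sequence_length(data: bytes):
    """Total encoded size of a DER SEQUENCE starting at data[0], or None.

    Handles short-form lengths (< 128) and long-form lengths (0x81..0x84),
    rejecting the non-minimal encodings DER forbids.
    """
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    length = int.from_bytes(data[2:2 + n], "big")
    # DER: long form only when the value does not fit the short form,
    # and no leading zero octets in the length.
    if length < 0x80 or data[2] == 0:
        return None
    return 2 + n + length


def detect_format(data: bytes) -> str:
    """Return 'DER', 'PEM' or 'UNKNOWN' for a CRL/certificate blob."""
    total = der_sequence_length(data)
    if total is not None and total == len(data):
        return "DER"
    m = PEM_RE.search(data)
    if m:
        try:
            body = base64.b64decode(b"".join(m.group(2).split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return "UNKNOWN"
        inner = der_sequence_length(body)
        if inner is not None and inner == len(body):
            return "PEM"
    return "UNKNOWN"


# Constructed sample: SEQUENCE { INTEGER 1 }, a stand-in for a real CRL body.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = (b"-----BEGIN X509 CRL-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END X509 CRL-----\n")
# A text file that happens to start with '0' (0x30): the first-byte rule
# alone calls this DER, the length check does not.
DECOY = b"0 rows in CRL\n"

if __name__ == "__main__":
    for label, blob in (("der", SAMPLE_DER), ("pem", SAMPLE_PEM), ("decoy", DECOY)):
        print(label, naive_first_byte(blob), detect_format(blob))
```

In practice a caller would feed the result to d2i_X509_CRL_bio or PEM_read_bio_X509_CRL; the point of the length check is that the 0x30 byte only identifies DER when you already know the input is a CRL or certificate and not arbitrary text.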

RE: self-signed SSL certificates and trusted root certificate

2010-06-03 Thread Vieri
--- On Wed, 6/2/10, Eisenacher, Patrick patrick.eisenac...@bdr.de wrote: -Original Message- From: Vieri --- On Tue, 6/1/10, Dave Thompson wrote: CN doesn't need to be hostname or domainname for a CA cert. Technically not required on entity cert either, but on WWW

Re: Detect CRL format

2010-06-03 Thread Dr. Stephen Henson
On Thu, Jun 03, 2010, Mounir IDRASSI wrote: Hi, One simple and efficient method to distinguish between PEM and DER encoding for a CRL or a certificate is to read the first byte: if it's equal to 0x30 then it is DER (this is the start of an ASN.1 Sequence), otherwise it is PEM encoded.

Re: Detect CRL format

2010-06-03 Thread Arunkumar Manickam
Thanks! On Thu, Jun 3, 2010 at 4:54 PM, Dr. Stephen Henson st...@openssl.org wrote: On Thu, Jun 03, 2010, Mounir IDRASSI wrote: Hi, One simple and efficient method to distinguish between PEM and DER encoding for a CRL or a certificate is to read the first byte: if it's equal to 0x30

get_crl callback

2010-06-03 Thread Arunkumar Manickam
Hi, Is setting X509_STORE_CTX->get_crl to my-call-back-function a right way of getting a call back to load the crl for the X509 certificate? Thanks, Arun

NameConstraints are not being applied (or I don't know how to enforce them?)

2010-06-03 Thread jeff
I have an example, detailed below, that specifies permitted and excluded subtrees for a sub-CA. Later it uses the sub-CA cert to sign certificate requests adhering to and violating the name constraints both, even though the nameConstraints are marked as critical. Is this OpenSSL misbehaving or did

Re: NameConstraints are not being applied (or I don't know how to enforce them?)

2010-06-03 Thread Dr. Stephen Henson
On Thu, Jun 03, 2010, jeff wrote: I have an example, detailed below, that specifies permitted and excluded subtrees for a sub-CA. Later it uses the sub-CA cert to sign certificate requests adhering to and violating the name constraints both, even though the nameConstraints are marked as

RE: unable to build dynamic library on HP-UX RISC and Itanium

2010-06-03 Thread Jeremy Farrell
That's a long-superseded OpenSSL release from 5 years ago; it's unlikely that anyone will be able to remember issues building for HP-UX on IA64 with that release, especially when they're required to guess or mind-read most of what you're doing and what problem you're seeing. In another message

Re: NameConstraints are not being applied (or I don't know how to enforce them?)

2010-06-03 Thread Victor Duchovni
On Thu, Jun 03, 2010 at 09:36:56AM -0400, jeff wrote: I have an example, detailed below, that specifies permitted and excluded subtrees for a sub-CA. Later it uses the sub-CA cert to sign certificate requests adhering to and violating the name constraints both, even though the nameConstraints

Re: NameConstraints are not being applied (or I don't know how to enforce them?)

2010-06-03 Thread Dr. Stephen Henson
On Thu, Jun 03, 2010, Victor Duchovni wrote: Generally, OpenSSL does not verify peer names, only the certificate trust chain, and peername checks are left up to applications. Does OpenSSL trust chain validation include any checks on name constraints? OpenSSL 1.0.0 does, sufficient to
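The thread's point is that a CA's nameConstraints do nothing at signing time; they are applied by the verifier, which checks the names in each certificate below the constrained CA against its permitted and excluded subtrees. The following is an added example of that verifier-side matching, written for this page; it is not OpenSSL's code. Only dNSName subjectAltName entries are modelled (directoryName, rfc822Name and iPAddress constraints have their own rules and are left out), the matching follows RFC 5280 §4.2.1.10, the leading-dot form ".example.com" is assumed to mean "proper subdomains only" as in OpenSSL's x509v3 config syntax, and the chains and names are constructed.

```python
"""Name-constraint matching for dNSName entries.

Added example, not OpenSSL's code. Models how a path validator applies the
permitted/excluded subtrees of every CA above a certificate. The chains
below are constructed; only dNSName constraints are handled.
"""
from dataclasses import dataclass, field


def dns_name_in_subtree(name: str, base: str) -> bool:
    """True if `name` lies inside the dNSName subtree `base`.

    RFC 5280 4.2.1.10: a name satisfies the constraint when it equals the
    base or is the base with one or more labels added on the left, so
    "www.host.example.com" satisfies "host.example.com" while
    "host1.example.com" does not. A base starting with '.' is taken
    (assumption, matching the x509v3 config convention) to mean any proper
    subdomain and not the bare domain itself.
    """
    name = name.lower().rstrip(".")
    base = base.lower().rstrip(".")
    if base.startswith("."):
        return name.endswith(base) and len(name) > len(base)
    return name == base or name.endswith("." + base)


@dataclass
class NameConstraints:
    """Permitted and excluded dNSName subtrees carried by one CA certificate."""
    permitted: list = field(default_factory=list)
    excluded: list = field(default_factory=list)

    def violations(self, dns_names):
        """Names that violate these constraints (empty list means all pass).

        With a non-empty permitted list a name must fall in at least one
        permitted subtree; it must fall in no excluded subtree either way.
        """
        bad = []
        for n in dns_names:
            if self.permitted and not any(dns_name_in_subtree(n, b) for b in self.permitted):
                bad.append(f"{n}: not in any permitted subtree")
            if any(dns_name_in_subtree(n, b) for b in self.excluded):
                bad.append(f"{n}: in an excluded subtree")
        return bad


def verify_chain_names(chain):
    """Apply name constraints the way path validation does.

    `chain` is ordered root -> leaf; each element is (dns_names, constraints)
    where `constraints` is the NameConstraints that certificate imposes on
    everything below it (None if it carries no nameConstraints extension).
    Constraints accumulate down the chain: each certificate must satisfy the
    constraint set of every CA above it, so excluded subtrees effectively
    union and permitted subtrees intersect. Returns a list of violations.
    """
    inherited = []
    problems = []
    for depth, (names, nc) in enumerate(chain):
        for ca_depth, ancestor_nc in inherited:
            for v in ancestor_nc.violations(names):
                problems.append(f"cert {depth} violates constraints of cert {ca_depth}: {v}")
        if nc is not None:
            inherited.append((depth, nc))
    return problems


# Constructed scenario from the thread: a sub-CA constrained to example.com
# but excluding lab.example.com signs one compliant and one violating leaf.
SUB_CA_NC = NameConstraints(permitted=["example.com"], excluded=["lab.example.com"])

GOOD_CHAIN = [
    ([], None),                                  # root, no constraints
    ([], SUB_CA_NC),                             # sub-CA with critical nameConstraints
    (["www.example.com", "example.com"], None),  # leaf inside the permitted subtree
]
BAD_CHAIN = [
    ([], None),
    ([], SUB_CA_NC),
    (["www.example.org", "host.lab.example.com"], None),  # one outside, one excluded
]

if __name__ == "__main__":
    print("good chain:", verify_chain_names(GOOD_CHAIN) or "ok")
    for p in verify_chain_names(BAD_CHAIN):
        print("bad chain:", p)
```

The sub-CA in the thread happily signs both leaves; it is only this kind of check, run by the relying party, that rejects the second chain. Note the matcher looks at subjectAltName dNSName entries only, so a hostname carried solely in the subject CN is not covered by it.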

Re: NameConstraints are not being applied (or I don't know how to enforce them?)

2010-06-03 Thread Victor Duchovni
On Thu, Jun 03, 2010 at 02:32:10PM -0400, jeff wrote: I would expect such constraints to only apply when certificates are being *verified*. There seems to be little point in preventing a CA from attempting to sign violating certificates. Yes I later tried to verify and I still

Re: [openssl-users] Re: NameConstraints are not being applied (or I don't know how to enforce them?)

2010-06-03 Thread Erwann ABALEA
Hodie III Non. Iun. MMX, Victor Duchovni scripsit: On Thu, Jun 03, 2010 at 02:32:10PM -0400, jeff wrote: I would expect such constraints to only apply when certificates are being *verified*. There seems to be little point in preventing a CA from attempting to sign violating

Re: [openssl-users] Re: NameConstraints are not being applied (or I don't know how to enforce them?)

2010-06-03 Thread Victor Duchovni
On Thu, Jun 03, 2010 at 09:45:36PM +0200, Erwann ABALEA wrote: Hodie III Non. Iun. MMX, Victor Duchovni scripsit: On Thu, Jun 03, 2010 at 02:32:10PM -0400, jeff wrote: I would expect such constraints to only apply when certificates are being *verified*. There seems to be

trying to send an unsigned cms

2010-06-03 Thread Chris Bare
the code below works fine if signed = true. If signed = false, i2d_CMS_bio_stream seg faults. I've looked through the code inside CMS_sign and didn't see anything else obvious that I should call. any suggestions on what I'm missing for an unsigned CMS? -- Chris Bare ch...@bareflix.com

Re: trying to send an unsigned cms

2010-06-03 Thread Dr. Stephen Henson
On Thu, Jun 03, 2010, Chris Bare wrote: the code below works fine if signed = true. If signed = false, i2d_CMS_bio_stream seg faults. I've looked through the code inside CMS_sign and didn't see anything else obvious that I should call. any suggestions on what I'm missing for an unsigned

Re: [openssl-users] Re: NameConstraints are not being applied (or I don't know how to enforce them?)

2010-06-03 Thread Dr. Stephen Henson
On Thu, Jun 03, 2010, Victor Duchovni wrote: On Thu, Jun 03, 2010 at 09:45:36PM +0200, Erwann ABALEA wrote: Hodie III Non. Iun. MMX, Victor Duchovni scripsit: On Thu, Jun 03, 2010 at 02:32:10PM -0400, jeff wrote: I would expect such constraints to only apply when

Re: NameConstraints are not being applied (or I don't know how to enforce them?)

2010-06-03 Thread David Woodhouse
On Thu, 2010-06-03 at 13:47 -0400, Victor Duchovni wrote: Generally, OpenSSL does not verify peer names, only the certificate trust chain, and peername checks are left up to applications. Which is a shame... I'm far too stupid to be writing code like

RE: self-signed SSL certificates and trusted root certificate

2010-06-03 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Jeffrey Walton Sent: Wednesday, 02 June, 2010 03:48 Amazingly IE7 on testing likes even CA:false, which is crazy. What store did the cert get put in? Was it the Trusted Root Certification Authorities? If you let Windows automatically select

RE: self-signed SSL certificates and trusted root certificate

2010-06-03 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Vieri Sent: Thursday, 03 June, 2010 06:42 To: openssl-users@openssl.org Subject: RE: self-signed SSL certificates and trusted root certificate How does one issue a cert for multiple CN? Subject alternative name is one possibility. ...

Re: NameConstraints are not being applied (or I don't know how to enforce them?)

2010-06-03 Thread Victor Duchovni
On Fri, Jun 04, 2010 at 01:19:52AM +0100, David Woodhouse wrote: On Thu, 2010-06-03 at 13:47 -0400, Victor Duchovni wrote: Generally, OpenSSL does not verify peer names, only the certificate trust chain, and peername checks are left up to applications. Which is a shame... I'm far too

The question about the Apache SSL

2010-06-03 Thread philip zy
Hello, I have a question about the apache SSL, please help me. Thanks. (httpd-2.2.15-win32-x86-openssl-0.9.8m-r2.msi) Operation: 1、I made a SSL certification files by myself, and start the openssl s_server; OpenSSL s_server -cert server.pem -key server_nokey.pem -accept -state -debug