Can you figure out a way to do it from the v1 fields? keyUsage is an
extension requiring v3.
-Kyle H
On Sep 24, 2012 11:28 PM, sanjaya joshi joshi.sanj...@gmail.com wrote:
Hi,
We can conclude an X509 V1 certificate to be a root ca using
(EXFLAG_V1|EXFLAG_SS).
Similarly, is there a way to
Suggestions from my experience:
-Failing to verify the certificate after calling SSL_accept()
-Failing to verify minimum cipher strength for the application
-Failing to understand that the NULL suites give nothing and only take
extra bytes
-Misunderstanding that DN=CN:CA1;DN=CN:you does NOT match
You can find out if the V1 cert verifies directly with any of the
certificates in the trust store or its own public key. There's pretty
much nothing else you can do with it, other than try to link it to a
Distinguished Name that may or may not be useful.
Also, (EXFLAG_V1|EXFLAG_SS) doesn't tell
Create a new self-signed client CA certificate with the same key and
Subject, setting the Issuer to the Subject of the client CA, and signed
with the client CA private key. Use this as your client-authentication
root.
Alternatively, you might play around with policies, but that relies on your
This sounds like a Microsoft tech support issue, not an OpenSSL issue.
A packet capture of the entire session (minimized to the smallest number of
page-load attempts that displays the problem) would go a long way toward
helping troubleshoot it. Since you're on Windows 7, I suggest Wireshark (
No source available means that the debugging information cannot be found
to display in your Eclipse environment.
OpenSSL is compatible with Windows 7 x64, and your programs can make use of
its features. You will not be able to trace through the OpenSSL library if
you do not build it from source
Why do you not have sha-256 values for the Windows installer? Or a
detached GPG signature for it?
-Kyle H
On Wed, Mar 5, 2014 at 4:09 PM, Michal Trojnara michal.trojn...@mirt.net wrote:
Dear Users,
I have released version 5.00 of stunnel.
The ChangeLog entry:
stunnel 5.00 disables some
What is your platform? When were each of 0.9.8 (unpatched, it appears) and
1.0.0d compiled? What toolchains were used to compile them?
-Kyle H
On Sun, Mar 16, 2014 at 8:42 PM, Mithun Kumar mithunsi...@gmail.com wrote:
Hello Dave,
When client gets server certificate(SQLServer) and tries
There exists engine_pkcs11, but I'm seeing caveats that it can only
work if OpenSSL is statically linked. This may have changed. (It
also apparently only does RSA.)
-Kyle H
On Tue, Apr 8, 2014 at 10:31 AM, whitehat r3...@hotmail.com wrote:
Hi
I am using OpenSSL 1.0.2 on Windows 7 (Visual
on Mac, dynamically-loaded libraries have the extension .dylib, not .so.
On Feb 3, 2008, at 11:04 AM, Michael Sierchio wrote:
Joel Christner wrote:
The issue I'm seeing is when compiling:
mac# openssl version
OpenSSL 0.9.7l 28 Sep 2006
mac# gcc blowfish.c -o blowfish
...
Undefined symbols:
My understanding is that it doesn't need to be displayed by the
binary, it only needs to be displayed in materials that accompany the
binary (documentation, etc). I am not a lawyer, but the plain
language implies this.
Please be aware, though, that if you advertise your product and state
that it
FIPS 1.0 is no longer valid for procurement, thus to avoid confusion
it is no longer available from the download site.
-Kyle H
On Feb 8, 2008 3:07 PM, Briones, Frank [EMAIL PROTECTED] wrote:
Hi there,
I am looking for a previous version of OpenSSL, FIPS 1.0, but is not
available at the
Actually, the failure is expected. Since it must not be allowed in
FIPS mode, it has to be tested to make sure that it doesn't
inadvertently fall through and let it happen.
The wording in the tests should be interpreted as, test that SSL3 is
forbidden in FIPS mode, test that SSL2 is forbidden in
Firefox does not use OpenSSL or OpenSSL's certificate mechanism. It
has its own, and you must import your CA certificate into its store.
For more information, I'd direct you to the
[EMAIL PROTECTED] mailing list. This is not a bug in
OpenSSL.
-Kyle H
On Feb 19, 2008 12:53 AM, Andreas K.
the certificate.
As you can see from my previous e-mails, it's openssl that fails. Thanks
for your comment anyway.
Andreas
On Tue, 19 Feb 2008, Kyle Hamilton wrote:
#]From: Kyle Hamilton [EMAIL PROTECTED]
#]To: openssl-users@openssl.org
#]Date: Tue, 19 Feb 2008 01:15:00 -0800
#]Subject: Re: CA
It's rather infeasible to keep the same private key and generate a new
public key. If you keep the private key after the expiration of the
certificate, you can still decrypt messages encrypted to it; thus, if
you generate a new pub/priv pair, you just need to keep the old key,
and use all the
On Sat, Mar 15, 2008 at 12:12 PM, Mick [EMAIL PROTECTED] wrote:
On Saturday 15 March 2008, Kyle Hamilton wrote:
It's rather infeasible to keep the same private key and generate a new
public key. If you keep the private key after the expiration of the
certificate, you can still decrypt
On Sat, Mar 15, 2008 at 11:36 PM, David Schwartz [EMAIL PROTECTED] wrote:
For example, suppose I create a public/private keypair that I don't think
anyone can break for 50 years. If I make the certificate valid for 30 years
because of this, it would obviously be a bad idea to keep the same
On Sun, Mar 16, 2008 at 10:44 PM, David Schwartz [EMAIL PROTECTED] wrote:
If you can't trust the system that generates and stores your private key,
you're screwed anyway. So I don't see that this argument has any validity.
The issue is 'who is trusting what?'
David's apparent statement is
On Sun, Mar 16, 2008 at 10:57 PM, Michael Sierchio [EMAIL PROTECTED] wrote:
David Schwartz wrote:
If you can't trust the system that generates and stores your private key,
you're screwed anyway. So I don't see that this argument has any validity.
A timestamp is not an attribute of a
On Sun, Mar 16, 2008 at 11:27 PM, Michael Sierchio [EMAIL PROTECTED] wrote:
David Schwartz wrote:
You have to have absolute trust in any entity that will generate or store
your private key. Thus you can trust any information in it -- anyone who
could put in bogus information could give
On Mon, Mar 17, 2008 at 12:14 AM, Michael Sierchio [EMAIL PROTECTED] wrote:
Kyle Hamilton wrote:
A key's lifetime is, cryptographically speaking, the amount of time
for which it can be expected to provide a sane level of security in
relation to the value of the data which it protects
On Tue, Mar 18, 2008 at 1:58 PM, Michael Sierchio [EMAIL PROTECTED] wrote:
David Schwartz wrote:
Michael Sierchio:
If it's your policy not to reuse keys, or allow their use beyond
the lifespan of the certificate, then the enforcement mechanism
for this MUST be in the CA.
I
On Wed, Mar 19, 2008 at 10:45 AM, Michael Sierchio [EMAIL PROTECTED] wrote:
Steffen DETTMER wrote:
For operational, administrative and forensic concerns I think it
is important to know the key generation time as well as who
generated it in exactly which way, who gave the key to whom
On Tue, Mar 18, 2008 at 5:01 PM, Michael Sierchio [EMAIL PROTECTED] wrote:
Kyle Hamilton wrote:
Certificate issuance is a statement of identity binding for a given
key at a given assurance. No more, no less.
No, it isn't. It's often more.
Such as...?
A CA does not and cannot
I'm going to hop in here and mention that MacOSX has a basic but
useful X.509 CA app integrated into its Keychain Access application.
-Kyle H
On Mon, Mar 24, 2008 at 12:02 PM, Patrick Patterson
[EMAIL PROTECTED] wrote:
3: Your budget. If you are using raw OpenSSL for your CA, you probably
The most important thing to look at are the BIO_* functions. These
are the functions that abstract out the underlying transport layer (be
it TCP, UNIX sockets, memory) so that the library itself doesn't need
to know about them.
The easiest way to understand how to do it, if you have a custom TCP
Requiring a private key to be embedded into the binary is almost
always a flawed design, because you're handing secret information to a
computer controlled by someone you want to avoid having that data.
Including 'trusted' moduli in the binary is also generally a flawed
design, for the same
On Wed, Apr 9, 2008 at 2:10 PM, David Schwartz [EMAIL PROTECTED] wrote:
Thanks Kyle,
Here is my situation:
I have a server which can sign certificates over tls(implemented in
both client and peer).
I generate a public/private key pair for each peer now.
I need a way
On Wed, Apr 9, 2008 at 2:21 PM, Julian [EMAIL PROTECTED] wrote:
Right, Gotcha!
There is one flaw in this design however.
Peers:
A, B, E
By this scenario all three peers would be able to communicate, not just A
and B, but also E.
If E does not have a certificate signed by the CA, then
On Wed, Apr 9, 2008 at 3:52 PM, David Schwartz [EMAIL PROTECTED] wrote:
Right, Gotcha!
There is one flaw in this design however.
Peers:
A, B, E
By this scenario all three peers would be able to communicate, not
just A and B, but also E.
Do you want the server to have
On Thu, Apr 10, 2008 at 2:00 AM, Steffen DETTMER
[EMAIL PROTECTED] wrote:
* Kyle Hamilton wrote on Wed, Apr 09, 2008 at 14:22 -0700:
Each peer goes through this process:
1) peer creates a keypair
2) peer generates a CSR (certificate signing request) for its public key.
3) peer
On Thu, Apr 10, 2008 at 3:36 AM, David Schwartz [EMAIL PROTECTED] wrote:
Kyle Hamilton wrote:
You can have B contact the server and obtain a signed authorization
certificate for its key that uses custom extensions to specify 'is
authorized to connect to A' for a given timeframe
David Schwartz wrote:
And with respect to the other thread, I agree with you. The level of
security should be the highest that doesn't require sacrificing things that
are more important than security. Sometimes all you need is to keep out your
kid sister, sometimes you have to keep out
If E got the public key of the server, then he would be able to
authenticate certificates signed by the server. The 'secret' or
'private' key is what's needed to create a signature for a
certificate, and without it it's impossible to perform the proof that
the private key is known to E. (sure, E
I believe that you have to explicitly allow the SSLv2 ciphers if you
want to enable the use of the old, insecure, hackable, crackable, and
almost-completely-worthless-from-a-security-standpoint protocol that
is SSLv2.
Please don't use SSLv2. The sooner everyone moves away from it the
sooner its
each key and signs only one for key signing.
Peer A generates a session key and signs it.
Peer A connects to Peer B over TLS.
Peer A exchanges public key with Peer B.
Peer A and B now have encrypted channel that C cannot decrypt.
Thoughts?
On Apr 10, 2008, at 4:59 AM, Kyle Hamilton
Please note that you have just divulged that private key, and should
not use it for anything other than development. (It's up to you, but
I wouldn't feel safe knowing that it had been compromised.)
-Kyle H
On Fri, Apr 11, 2008 at 12:45 AM, geragray [EMAIL PROTECTED] wrote:
[...]
My initial idea would be that you're passing in an invalid pointer to
SSL_read. Does this happen with, say, openssl s_client?
Remember a couple of things:
1) You MUST use the proper version of the library (debug or release)
with the appropriate build setting in your project (debug or release).
)
Before calling SSL_read I assured that the buffer (used as the second
parameter) was allocated.
Any other suggestions or questions?
Thanks for your time!
Regards,
Scerbatiuc Ion
- Original Message
From: Kyle Hamilton [EMAIL PROTECTED]
To: openssl-users
Problem:
It's looking for the path where openssl's make install would put the
header files. Specifically, it's looking for
../include/openssl/hmac.h.
Potential Solutions (choose 1):
(1) mv ../openssl ../include
(2) ln -s ../openssl ../include/openssl
(3) -I..
(4) (preferred to ensure that all
ergh. My apologies for not catching that. You're right, it shouldn't
matter on the client side.
Okay... going back to basics (I'm sorry if this seems a bit
patronizing, I honestly don't intend it to be such), a segfault occurs
on a pointer dereference, trying to gain access to memory which is
How did you compile and install openSSL? Which version of OpenSSL are
you using?
-Kyle H
On Fri, Apr 18, 2008 at 6:20 AM, Rodrigo Castro [EMAIL PROTECTED] wrote:
Hello to all, this is my first post here. Can anyone help me with the
following problem? After configuring and installing openssl,
at 11:34 AM, Kyle Hamilton [EMAIL PROTECTED] wrote:
How did you compile and install openSSL? Which version of OpenSSL are
you using?
-Kyle H
On Fri, Apr 18, 2008 at 6:20 AM, Rodrigo Castro [EMAIL PROTECTED]
wrote:
Hello to all, this is my first post here. Can anyone help me
The only thing I would state is that setuid programs, on most UNIXes,
ignore the LD_LIBRARY_PATH.
I would also note that LD_LIBRARY_PATH is NOT universal. On OSX,
DYLD_LIBRARY_PATH is the equivalent, but there's also other
environment variables which can do the same thing.
And this doesn't even
Ah. This is a bit of a quandary. But, there are a couple of options for you.
1) Do not use ld to link to libcrypto or libssl. Instead, use the
ldopen() family of functions to open and bind those files yourself at
runtime.
2) Use the package manager available on the system to identify what
the
On Tue, Apr 22, 2008 at 12:59 AM, Lutz Jaenicke [EMAIL PROTECTED] wrote:
Ok, so we are facing a violation of policies at the CA. At the date of
certificate verification we are however checking whether all components
of the certificate chain are valid at this day.
Even though the
The best way to create a CA using only openssl tools is to use the
CA.pl or CA.sh shell scripts.
The best way to create and manage a CA is to use other tools.
-Kyle H
On Tue, Apr 22, 2008 at 2:17 PM, Jason Dusek [EMAIL PROTECTED] wrote:
In the HOWTO on making certificates, it suggests we
Um...
In order to make a FIPS-validated module, you MUST do:
./config fips
No other command is allowed, and no other command will produce a
fips-validated module.
-Kyle H
On Mon, Apr 28, 2008 at 11:48 AM, Christophe RICARD [EMAIL PROTECTED] wrote:
Hello,
I am trying to compile
Short answer: No.
Longer answer: The code will perform cryptographic verification, but
it doesn't know anything about the structure of PDF documents or how
their signatures are put together. Thus, depending on the algorithms
in use, it might be useful as a toolkit to help perform validation
This appears to be a case of your configuration file being truncated,
or your environment otherwise slightly messed up.
The main error is, of course, the PRNG not seeded error -- as it
says, you need to read the OpenSSL FAQ for information on how to solve
it. (It goes into much tried-and-true
The FIPS certification process is a black box. Literally, it will be
complete when it will be complete, and we can't know until it goes
into final recommendation phase (which is usually the last step before
NIST grants the certification).
-Kyle H
On Fri, May 30, 2008 at 1:57 AM, Gatfield,
If you don't know the passphrase, you must generate a new keypair, and
get that public key certified into a new certificate. (For more
information, including the appropriate commands, please refer to the
FAQ on openssl.org and any special instructions provided by your CA.)
Apache will use
Notepad may save it with a Byte Order Mark (aka 'non-breaking
zero-width space') at the beginning. It may also not be saving it as
UTF-8, but rather UTF-16.
The better way to convert to UTF-8 is to use something like ICU
(International Components for Unicode, at http://icu-project.org/) to
This isn't an openssl query. The appropriate mechanism is to figure
out what server software the server is running, and query there.
-Kyle H
On Wed, Jun 4, 2008 at 10:23 AM, arguellodw [EMAIL PROTECTED] wrote:
Hello all,
Using cute ftp, I'm connecting with an explicit ssl connection to a
It is in your openssl.conf. It should be OrganizationName_max = 64,
if I remember correctly. Just raise that number.
-Kyle H
On Mon, Jun 9, 2008 at 4:55 AM, Florian Lindner [EMAIL PROTECTED] wrote:
Hallo,
I want to create a Certificate Signing Request (CSR) with Debian etch
openssl.
Look for OrganizationName_max = 64 in your openssl.conf. Raise this
as necessary.
-Kyle H
On Mon, Jun 9, 2008 at 9:43 AM, Florian Lindner [EMAIL PROTECTED] wrote:
No, the name long Name was only a placeholder. problems making
Certificate Request was the error message from openSSL.
The real
Read the manpage for verify(1ssl) for information on how to get
openssl's commandline tools to recognize a root certificate as
'trusted'.
The same type of thing must be done in your client. The root
certificate must be added to the list of CAs that are trusted. I'm
not quite sure the precise
It doesn't have a method for sharing the keys. Since TLS (and DTLS)
are designed to prevent man-in-the-middle attacks, each endpoint adds
its own parameters to the cryptographic mishmash during the key
negotiation phase. This would require each multicast listener to get
its own
The only mode that should cause the same encrypted data to be sent
twice in exactly the same manner is ECB -- Electronic Code Book.
Because this has been recognized by cryptographers as being vulnerable
to many different cryptographic analysis techniques, I am not aware of
any SSL/TLS
Uh, what is the actual behavior? Have you attempted to debug it with
openssl s_client? Have you attempted to figure out what a real
webserver, such as Apache, does with the same input?
This is not a general we will debug your code for you list, but we
can point you in the directions to look for
PUT is part of the DAV specification. I'm seeing
http://www.webdav.org/perldav/ as being a good start. It states that
Crypt::SSLeay (and thus openssl) is necessary for getting HTTPS
support into LWP, which the HTTP::DAV module uses.
-Kyle H
On Thu, Jun 19, 2008 at 7:27 AM, David M. Funk [EMAIL
xxx:~$ openssl s_client -connect ecc.fedora.redhat.com:8443 -ssl3 -state -debug
CONNECTED(0003)
SSL_connect:before/connect initialization
write to 0020BFC0 [00132000] (86 bytes = 86 (0x56))
- 16 03 00 00 51 01 00 00-4d 03 00 48 5a a5 74 38 Q...M..HZ.t8
0010 - 59 cc f7 49 e3 a2 ee
Your client needs to have a certificate issued by a CA that the server
trusts, and the server must request client authentication by
name-of-CA-that-it-will-accept. The client can then provide its
certificate (it knows which one based on the requested issuer name)
and prove ownership of the
I do have to point out, no CA pays Mozilla to be in Firefox's
database. What the CA pays for is the auditing required to pass
Mozilla's criteria for inclusion in the database.
That said, my personal opinion is that the CA model is broken from the
start, and I am pushing for a way to opt out of
Technically, the mime-type application/xml requires that ALL content
be encoded in UTF-8. (This is an artifact of XML itself specifying
that it is always UTF-8.)
If it's not valid UTF-8, then it's not valid XML, which (depending on
your environment) may not even need to be evaluated for its
The patent on the RSA algorithm expired several years ago, in 2003.
-Kyle H
On Tue, Jun 24, 2008 at 6:44 AM, sathish subramanian
[EMAIL PROTECTED] wrote:
Hi,
I would like to bundle libssl library with our product. I see that RSA has
strict patent restrictions, which makes libssl difficult to
From the 'genrsa' manpage:
NOTES
RSA private key generation essentially involves the generation of two
prime numbers. When generating a private key various symbols will be
output to indicate the progress of the generation. A . represents each
number which has passed an
The Nagle algorithm will attempt to coalesce multiple write() calls
into a single TCP packet. Since TLS/SSL are a record format atop TCP,
you need to handle the records as independent of each other -- i.e.,
you need to process the first TLS record, and then use the results of
that processing to
,
Vijay K.
On Thu, Jun 26, 2008 at 11:30 AM, Kyle Hamilton [EMAIL PROTECTED] wrote:
The Nagle algorithm will attempt to coalesce multiple write() calls
into a single TCP packet. Since TLS/SSL are a record format atop TCP,
you need to handle the records as independent of each other -- i.e
Include -lcrypto in your command. -lcrypto is a separate library from
-lssl, and both are necessary.
-Kyle H
On Thu, Jun 26, 2008 at 3:35 PM, Marco Sommella
[EMAIL PROTECTED] wrote:
Hi,
I'm using OpenSolaris 2008.05 snv_91. If I try to compile with gcc -lssl
file.c I receive this error:
An SSLv3 certificate is an X.509v3 certificate that conforms to
certain requirements.
Since SSLv3 is not actually an internet standard, I would suggest
looking at TLSv1 and TLSv1.1 (the latter of which is not yet supported
by openssl, to my knowledge).
That said, the PKI howtos at carillon.com
http://www.openssl.org/docs/apps/x509v3_config.html
Look for 'Subject Alternative Name'.
I have not looked at OpenBSD's isakmpd, so I don't know what exactly
they need to have in there.
-Kyle H
On Tue, Jul 1, 2008 at 3:00 PM, [EMAIL PROTECTED] wrote:
I've been wrestling with the openssl.cnf
If the firewall is interfering, then the firewall is likely the
endpoint of the proxy connection, and is applying its access rules --
the client is not authorized to make a connection, so the server is
shutting it down with the appropriate access_denied error code.
Granted, this doesn't help
The CA is the point of trust -- the trust anchor. Since the server
certificate is issued by the anchor, the client needs the anchor's
certificate to be able to verify it.
If you want to bypass this, look at the definition of
SSL_set_verify(). If your verification callback returns 0, the
Need information on the environment (NT, or which version of *nix).
For *nix, try running 'stty sane', and then also try hitting ctrl+j
and ctrl+m as alternatives to your 'enter' key.
Also, openssl allows you to put the passphrase into an environment
variable if necessary.
The fact that passwd
OpenSSL does not automatically retrieve the CRL. Only CA certificates
issue CRLs (unless you're using proxy certificates). If the CA issues
a CRL, the information about it will be in the CA certificate, and it
will need to be retrieved before it can be added.
I know that OpenSSL handles OCSP,
OpenSSL has nothing to do with any higher-level application protocol.
If the proxy itself supports persistent connections, OpenSSL will not
forcibly close the proxy connection after a single connection;
however, it also cannot and does not enforce that the proxy support
persistency.
This is
On Tue, Jul 15, 2008 at 7:57 AM, Oil Supply [EMAIL PROTECTED] wrote:
If you are including a value in there that is meant to be read by a person,
then yes. If you are including a value in there that is meant to be
interpreted and acted upon by a Relying Party computer program, then no -
but
In your OpenSSL distribution, you should have gotten a script called
either CA.pl or CA.sh. They automate the steps necessary to create a
CA and to sign certificates with that CA. (It should be noted that it
is NOT intended to do everything an actual CA needs to do, it is quite
possibly the most
The 1.2.0-test tarball IS NOT FIPS VALIDATED. You cannot make a
FIPS-validated module from it.
When the 1.2.0 validation occurs, it will be announced here, the
certificate will be posted on the NIST's website, the full validated
tarball will be made available, and the certificate's
Does the client receive the data properly?
Does the server receive the data properly?
You may have padding going on, you may have an initialization vector
being preset, you may have a whole bunch of things going on under the
hood. As long as both the client and the server agree on what's going
Please read the Wikipedia page on it? Due to some of the
circumstances surrounding the RSA algorithm's patenting, it became
impossible for patents to be issued on the algorithm outside the US.
This, along with the US government's encryption export policies, is
why the PGPi (international PGP)
This is, unfortunately, not an openssl problem.
If you can use 'openssl s_client -connect host:port' to figure out
what the connection is doing, it might help you track down what's
going on -- but since it's not an openssl problem, we really can't
help you.
-Kyle H
On Wed, Jul 23, 2008 at 12:09
Why is this a problem? What is the problem? SSL and TLS are designed
to abstract out underlying protocol details from the protocol client.
What are you doing that requires a 1 to 1 correspondence?
-Kyle H
2008/7/27 abc_123_ok [EMAIL PROTECTED]:
I can't fix my problem, can anybody help me?
DESCRIPTION
SSL_get_peer_certificate() returns a pointer to the X509 certificate
the peer presented. If the peer did not present a certificate, NULL is
returned.
Please see the manual page for SSL_get_peer_certificate for more
information (including information on how to tell
'certificate verify failed' means that the certificate received from
the remote side cannot be verified locally. This is usually because
it's self-signed and not locally cached as a trusted certificate, but
more generically means that it's not signed by a trusted CA.
'ldap_bind: Can't contact
How do you know that s isn't null? Have you actually called
SSL_CTX_set_verify or SSL_set_verify? Without that being called,
there is no request for the certificate from the client. How do you
know the client is sending the certificate?
Can you still send data across the link? Or is it torn
I'm curious: what does SSL_get_last_error give? What stack does
ERR_get_error give?
-Kyle H
On Tue, Jul 29, 2008 at 11:36 AM, Alen Puzic [EMAIL PROTECTED] wrote:
We are using dynamic linking - using dlopen to open the shared objects
and then load the function symbols we are using. All the
The verify(1ssl) man page has descriptions of these error codes. 7 is
X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure,
which is described as: the signature of the certificate is invalid.
I would presume that this is because the signature cannot be verified
with the public key
Because no data has been transmitted on the socket, the client didn't
send an RST, and SO_KEEPALIVE wasn't set on the socket.
-Kyle H
On Tue, Aug 5, 2008 at 10:19 AM, Du, Jinsong [EMAIL PROTECTED] wrote:
Hi Urjit,
Unfortunately, I can't reach the computers with problem when running
the
loop to deal with time out situation,
is there any other way to prevent OpenSSL library to wait for reading
a socket indefinitely?
Thanks
-J Du
On Tue, Aug 5, 2008 at 2:11 PM, Kyle Hamilton [EMAIL PROTECTED] wrote:
Because no data has been transmitted on the socket, the client didn't
send
This is not the place to try to get support with the rand() library of
any IAR product. You will need to check with IAR. I'm pretty sure
that the answer is no, though, especially when used like that.
-Kyle H
On Fri, Aug 8, 2008 at 12:27 AM, abc_123_ok [EMAIL PROTECTED] wrote:
Dear All,
In
A server is not allowed to sign certificates unless its certificate
has a CA:TRUE extended attribute, and key signing as an extended
usage field.
If it doesn't have those, it's not going to chain properly, no matter
how you've got it set up.
Only a CA can sign end-entity certificates.
-Kyle H
Most likely, it probably has something to do with
http://www.openssl.org/support/faq.html#PROG2 , probably a lack of
CRYPTO_malloc_init().
-Kyle H
On Tue, Aug 12, 2008 at 12:17 PM, Chris Hatko [EMAIL PROTECTED] wrote:
I've got a ActiveX control which uses several different dll's
(LIBEAY32.dll
Well, the question becomes: Which government are you trying to work
around the restrictions of?
OpenSSL is open-source. In the United States, while it may fall under
the export class EI on the CCR, it also falls under export exemption
TSU (see http://www.access.gpo.gov/bis/ear/txt/740.txt
X.509 refers to the certificate version. 0 == version 1, 1 == version
2, 2 == version 3.
Version 1 certificates have no means for any extensions.
Version 2 certificates are CRLs.
Version 3 certificates are the current norm, and most likely what you want.
The best reference currently is RFC5280,
What you're saying is this:
1) You know who the principal is (and therefore the CN to stick into
your certificate), due to your pre-existing protocol.
2) You know what the public key is, also due to your pre-existing protocol.
3) You've already verified the proof of possession of the private key
You cannot share a single SSL connection across multiple threads
(i.e., your reader and writer must be in the same thread). This is
documented at http://www.openssl.org/support/faq.html#PROG1 thus:
1. Is OpenSSL thread-safe?
Yes (with limitations: an SSL connection may not concurrently be used
To follow up my previous quoting of the FAQ:
You create the SSL_CTX with SSL_CTX_new(), listen() on the appropriate
port, then accept() the connection, which gives you a file descriptor.
Spawn a thread to handle that descriptor. Use SSL_new(SSL_CTX *) to
generate a new SSL structure, and then