Did you call SSL_library_init(), SSL_load_error_strings(), etc.?
gary clark [EMAIL PROTECTED] wrote: Hello,
After performing the following:
SSL_CTX * ctx = SSL_CTX_new(SSLv23_client_method());
Huh! Dumped the result of the failure and errorcode.
The ctx value is:
ctx=0x0
Thank you Heikki Toivonen and Goetz Babin-Ebell, your
suggestions were very helpful.
-David
david kine wrote:
How does one load verify locations into a SSL_CTX
from
in-memory X509 certificates?
You can get the X509_STORE from the SSL_CTX.
There you do an X509_STORE_add_cert
Hello,
I am developing a secure HTTP web proxy server using
OpenSSL 0.9.6d. It supports SSL/TLS on both client
and server sides. I have already implemented the
basic secure connection and authentication functions
using examples found in OpenSSL books.
I am not a security expert, and my
the use of SSLv2. This way, you
got an SSLv3 and
TLSv1 client.
Cesc
On 6/29/05, david kine [EMAIL PROTECTED]
wrote:
Hello,
How should I program my client application to
support
both TLSv1 and SSLv3?
According to RFC2246 appendix E, the client sends
a
single SSLv3 record
Hello,
I'm having great success securing my application with
OpenSSL, but I have a small question regarding client
certificates and private keys.
I load a PKCS#12 file into an SSL_CTX as follows:
1. Use PKCS12_parse() to read the client certificate,
private key, and trusted CA stack
2. Use
How do I access the client certificate and private key
from an SSL_CTX?
It was previously loaded into the SSL_CTX with
SSL_CTX_use_certificate() and
SSL_CTX_use_PrivateKey().
Thanks for the help,
-David
I am implementing CRL support in an application on
Solaris using OpenSSL 0.9.6d 9 May 2002.
According to the information I have gathered, CRL
support is not available in pre-0.9.7 OpenSSL
releases.
I have the opportunity to easily upgrade to 0.9.7g.
Will 0.9.7g provide the support necessary for
is that 0.9.7 is
necessary for handling CRL's, yet I see CRL functions
in 0.9.6.
--- Dr. Stephen Henson [EMAIL PROTECTED] wrote:
On Tue, Aug 09, 2005, david kine wrote:
I am implementing CRL support in an application on
Solaris using OpenSSL 0.9.6d 9 May 2002.
According to the information I
My application requires a feature that allows
connection to secure servers whose certificates may
have expired.
I suppose that the OpenSSL verify callback function,
set with the function SSL_CTX_set_verify(), can
inspect an error condition and return true to
establish the secure connection.
My
I think that I found the answer - get the error code
from the X509_STORE_CTX and check for the value
X509_V_ERR_CERT_HAS_EXPIRED (defined in x509_vfy.h).
-David
--- david kine [EMAIL PROTECTED] wrote:
My application requires a feature that allows
connection to secure servers whose
In the book Network Security with OpenSSL on pages
124-125 is a list of OpenSSL commands to create a root
CA, and a server CA signed with the root CA.
My question is, how would I use the openssl CA command
to revoke the server CA certificate by the root CA,
and generate a CRL?
I have tried
this problem?
Or modify CA.pl?
Thanks,
-David
--- Dr. Stephen Henson [EMAIL PROTECTED] wrote:
On Tue, Nov 08, 2005, david kine wrote:
In the book Network Security with OpenSSL on
pages
124-125 is a list of OpenSSL commands to create a
root
CA, and a server CA signed with the root CA
--- Dr. Stephen Henson [EMAIL PROTECTED] wrote:
On Wed, Nov 09, 2005, david kine wrote:
I'm attempting to use CA.pl on a Solaris 10 Sparc
system. OpenSSL is provided on the distribution
CD's
(OpenSSL 0.9.7d 17 Mar 2004). I use the following
commands:
1. CA.pl -newca
2
Very clever, thanks for the tips.
-David
--- Dr. Stephen Henson [EMAIL PROTECTED] wrote:
On Wed, Nov 09, 2005, david kine wrote:
I've switched over to a Linux system running
OpenSSL
0.9.7a Feb 19 2003, and copied the CA.pl from
Solaris,
now everything works fine.
Going back
to get certificate CRL message.
Perhaps this is a clue.
To summarize, my program works perfectly unless I set
the X509_V_FLAG_CRL_CHECK flag, whether or not I add a
CRL using X509_load_crl_file().
-David
--- Dr. Stephen Henson [EMAIL PROTECTED] wrote:
On Wed, Nov 09, 2005, david kine wrote
: unable to get certificate
CRL.
I solved this problem in my SSL verify callback
function by checking for error == 3, and returning
true. In other words, by simply ignoring the error!
Thanks for all the help,
-David
--- Dr. Stephen Henson [EMAIL PROTECTED] wrote:
On Thu, Nov 10, 2005, david
Try openssl ca -revoke
-David
--- Anthony Azzopardi [EMAIL PROTECTED]
wrote:
I'm reading the 'SSL Certificates HOWTO', by F.
Martin. In the
'Certificate Management' chapter it tells how to
'revoke' the
certificate by this command:
openssl -revoke newcert.pem,
but this command
Hello, I have a certificate authority A who signs an entity B, who then signs an entity C. I will use C as the server certificate in s_server. This is a chain of three certificates. How do I load all three into s_server? The "-cert" option seems to allow only one certificate. I will
Hello, My secure client application performs post-connection fully-qualified-domain-name authentication. According to RFC 2818, "If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field
there is an openssl.cnf file setting for this purpose? I notice the line "#subjectAltName=email:copy" in the system's openssl.cnf file. Thanks, -David Victor Duchovni [EMAIL PROTECTED] wrote: On Thu, Jun 08, 2006 at 11:40:04AM -0700, david kine wrote: My code to retrieve the common name from t
Thank you very much! -David Victor Duchovni [EMAIL PROTECTED] wrote: On Fri, Jun 09, 2006 at 12:25:52AM +0200, Goetz Babin-Ebell wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 david kine wrote: Hello David, One more question: how do I, using the CA.pl script, generate a certificate
You're missing the -CAfile option in s_client. "M. Fioretti" [EMAIL PROTECTED] wrote: On Wed, Jun 14, 2006 12:11:55 PM +0200, io ([EMAIL PROTECTED]) wrote: Hello, I am configuring a remote x86 Centos 4.3 box (running in UML) as personal web and email server. Openssl version is openssl-0.9.7a-43.8.
22 matches