Re: [openssl-users] Certificate validating (openssl -verify ...) and interpreting messages

2016-05-18 Thread Walter H.
On 18.05.2016 21:10, Viktor Dukhovni wrote: On May 18, 2016, at 1:26 PM, Walter H. wrote: openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.trust.crt -trusted_first -untrusted /tmp/chain.pem /tmp/cert.pem /tmp/chain.pem contains a root certificate /tmp/cert.pem

Re: [openssl-users] Certificate validating (openssl -verify ...) and interpreting messages

2016-05-18 Thread Jakob Bohm
On 18/05/2016 21:38, Walter H. wrote: On 18.05.2016 21:10, Viktor Dukhovni wrote: On May 18, 2016, at 1:26 PM, Walter H. wrote: openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.trust.crt -trusted_first -untrusted /tmp/chain.pem /tmp/cert.pem /tmp/chain.pem

Re: [openssl-users] Certificate validating (openssl -verify ...) and interpreting messages

2016-05-18 Thread Viktor Dukhovni
> On May 18, 2016, at 1:26 PM, Walter H. wrote: > > openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.trust.crt -trusted_first > -untrusted /tmp/chain.pem /tmp/cert.pem > > /tmp/chain.pem contains a root certificate > /tmp/cert.pem contains a certificate that was

[openssl-users] Certificate validating (openssl -verify ...) and interpreting messages

2016-05-18 Thread Walter H.
Hello, when running this: openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.trust.crt -trusted_first -untrusted /tmp/chain.pem /tmp/cert.pem /tmp/chain.pem contains a root certificate /tmp/cert.pem contains a certificate that was signed by this root certificate; I get the following

Re: [openssl-users] Reload certificates?

2016-05-18 Thread Salz, Rich
> Is there something I'm missing? Nope. > Would it be reasonable to have OpenSSL watch the metadata on the file or > directory and, on change, discard cached certificates and, for a file, reload > the file? Unlikely to happen :) -- Jordan Brown, Oracle Solaris

[openssl-users] Reload certificates?

2016-05-18 Thread Jordan Brown
We have OpenSSL consumers (primarily but not exclusively OpenLDAP). Some of them are long-running processes. We'd like to be able to update the list of trusted certificates and have the changes take effect, without needing to restart those long-running processes and preferably without needing to

Re: [openssl-users] Reload certificates?

2016-05-18 Thread Scott Neugroschl
I believe that's specific to the servers in question. Often you can "restart" a server by giving it a SIGHUP. I don't know if slapd and slurpd will respond in the way you want. From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Jordan Brown Sent: Wednesday, May 18,

Re: [openssl-users] Reload certificates?

2016-05-18 Thread Jordan Brown
On 5/18/2016 10:52 AM, Scott Neugroschl wrote: > > I believe that’s specific to the servers in question. Often you can > “restart” a server by giving it a SIGHUP. I don’t know if slapd and > slurpd will respond in the way you want. > I'm thinking more of long-running client applications.

Re: [openssl-users] Reload certificates?

2016-05-18 Thread Jordan Brown
On 5/18/2016 10:51 AM, Salz, Rich wrote: >> Would it be reasonable to have OpenSSL watch the metadata on the file or >> directory and, on change, discard cached certificates and, for a file, >> reload the file? > Unlikely to happen :) Are you saying that because nobody is interested in doing

Re: [openssl-users] Reload certificates?

2016-05-18 Thread Richard Könning
On 18.05.2016 19:51, Salz, Rich wrote: Is there something I'm missing? Nope. From the description of SSL_CTX_load_verify_locations i would have expected that certificates loaded via the CApath mechanism are loaded anew for every verification process. If this is not the case an appropriate

Re: [openssl-users] Reload certificates?

2016-05-18 Thread Jakob Bohm
On 18/05/2016 20:00, Jordan Brown wrote: On 5/18/2016 10:51 AM, Salz, Rich wrote: Would it be reasonable to have OpenSSL watch the metadata on the file or directory and, on change, discard cached certificates and, for a file, reload the file? Unlikely to happen :) Are you saying that