=not is not the issuer of /CN=foo/CN=bar (at
least not in what you described, /CN=foo/CN=bar may have another
certificate).
--
Erwann ABALEA
-
Pas de panique, ça sera pire.
__
OpenSSL Project http
Bonjour,
Le 02/07/2012 16:05, Mathias Tausig a écrit :
Which padding method does openssl use, when I sign a certificate with
the 'ca' command (using an RSA key)?
RSA PKCS#1v1.5
Is there a way to change it?
I don't think so.
--
Erwann ABALEA
Le 02/07/2012 19:38, Dr. Stephen Henson a écrit :
On Mon, Jul 02, 2012, Erwann Abalea wrote:
Le 02/07/2012 16:05, Mathias Tausig a écrit :
Is there a way to change it?
I don't think so.
In openssl 1.0.1 and later you can use the -sigopt to change the signature
format used. It currently
to ECDSA. It uses GOST R 34.11-94 to
hash data (just as {EC}DSA uses SHA{1,2*}).
--
Erwann ABALEA
Le 28/07/2012 21:31, Jeffrey Walton a écrit :
On Fri, Jul 27, 2012 at 9:00 AM, Abyss Lingvo xidex...@yahoo.com wrote:
Hi all!
The last problem is how to create GOST key pair for certificate
work on IETF about DANE certificates and
clarifications on RFC5280 about self-signed EE certificates. The
presented certificate is certainly such a DANE one.
--
Erwann ABALEA
-
pastacircopyge: quelqu'un qui a vraiment beaucoup de chance
Le 06/08/2012 13:04, Johannes Bauer a écrit :
Hi list
Bonjour,
Which part of the examples did you mimic?
32 bytes is the length of a SHA256, it's also the max message length of
a 256bits ECDSA key. Whence, I assume you're doing straight
ECDSA_do_sign() without hashing and padding the message.
--
Erwann ABALEA
-
paléogallicisme: style
Use the EVP_* interface for high-level functions.
Use ECDSA_do_sign() or other low-level functions if you're absolutely
sure about what you're doing.
--
Erwann ABALEA
Le 06/08/2012 14:31, Mohammad khodaei a écrit :
Yes, it's correct.
Now I try to feed the ECDSA_do_sign with the output
Bonjour,
Answers inline.
--
Erwann ABALEA
Le 14/08/2012 19:03, adrien pisarz a écrit :
Hi,
I have several questions about the ocsp functionnality. I read many
articles before asking those questions and unfortunetaly I still don't
have the answers. Maybe you can help me.
Fist of all, here
-grade system, you'll have to write
your own using the API.
--
Erwann ABALEA
:8f:46:08:11:d8:f7:65:eb:26:8f:e6:fe:
[...]
d2:61
|
publicExponent: 65537 (0x10001)
privateExponent:
|73:e4:bd:f4:e1:24:f6:ca:23:7c:90:99:d9:ad:9c:
[...]
11|
Using bc you can quickly get p, q, dp and dq. qinv is harder to get, but
it's possible.
--
Erwann ABALEA
, not sha1withRSA1024 or sha256withRSA4096.
A SHA256 certificate (or however you call it) can still produce
sha1withRSA signatures. The other way is also possible, of course.
--
Erwann ABALEA
__
OpenSSL Project
Bonjour,
Le 25/09/2012 14:16, Jakob Bohm a écrit :
On 9/25/2012 11:11 AM, Erwann Abalea wrote:
Le 24/09/2012 21:03, Jakob Bohm a écrit :
Does that work with any other serious X.509 validation toolkit?
It should.
And in fact, OpenSSL works correctly, at least versions 1.0.1 (Ubuntu
Bonsoir,
Your public key parameter field is set to NULL. It must either be an OID
to name the curve, or explicit parameters.
--
Erwann ABALEA
Le 26/09/2012 14:17, Naveen Gopala Reddy a écrit :
Hi,
I am using openssl version 1.0.1c to parse the attached
certificate(test.pem) using
Le 25/09/2012 18:45, Jakob Bohm a écrit :
On 9/25/2012 6:12 PM, Erwann Abalea wrote:
Le 25/09/2012 14:16, Jakob Bohm a écrit :
On 9/25/2012 11:11 AM, Erwann Abalea wrote:
[...]
Any signature algorithm works by dividing the universe of N bit strings
into those that are validsignatures
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
as company_root_oid.2.5.29.32.1.
--
Erwann ABALEA
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager
Bonjour,
Le 28/09/2012 16:29, Valentin Bud a écrit :
On Fri, Sep 28, 2012 at 02:53:35PM +0200, Erwann Abalea wrote:
Strange, my previous answer was sent empty, and every try results in
an empty mail stored in my postponed folder...
Anyway.
Use decimal numbers for an OID.
Yours
Where's the failure here?
hostname_matched is set to HOSTNAME_VALIDATION_ERR at initialization,
and in case of a NULL hostname or certificate it is returned by the
function, unmodified.
--
Erwann ABALEA
Le 27/10/2012 21:00, Jeffrey Walton a écrit :
On Sat, Oct 27, 2012 at 11:00 AM, Alban D
revoked certificates, and thus how useless it is
to revoke a certificate, because applications don't check for
revocation, or do it with a soft-fail behavior. That's something public
CAs want to be changed, and the lack of revocation check in your
examples won't help.
--
Erwann ABALEA
Le 27/10
Le 07/11/2012 16:08, Jakob Bohm a écrit :
On 11/7/2012 3:39 PM, Charles Mills wrote:
A struct tm is only granular down to whole seconds, right?
Yes, and it is not the easiest data type for data math either, even
when restricted to GMT/UT1/UTC.
Plus many OS/compiler supplied struct tm related
Answers inline.
--
Erwann ABALEA
-
paléocapridé: genre de vieille bique, cf paléotalpidé (vieille taupe) ou
paléogadidé (vieille morue)
Le 13/11/2012 19:34, Sanford Staab a écrit :
I have been struggling with openssl for a few months now writing batch
scripts on windows trying to make
In addition to Mr Henson answer, your CA certificate doesn't have any
keyUsage extension, depending on the toolkit it may not be considered a
valid CA.
Your countryName AVA is wrong, too. It must be only 2 characters long,
NL in your case.
--
Erwann ABALEA
-
yuppiexpédidétritus: cadavres
Your RSA public key is not pure DER encoded, it's DER+base64 encoded.
d2i_* functions take pure DER objects (binary on the wire).
--
Erwann ABALEA
-
multicoprothalassotope: station balnéaire de la Méditerranée
Le 16/11/2012 15:37, PraveenPVS a écrit :
Hi,
I need to load RSA Public key
Can you post here the certificate chain? Not the private key, only the
certificates, from the root down to the end-entity.
--
Erwann ABALEA
-
Ca se fait pas du tout d'avoir donné toutes les adresses email des
votants C bon pour les spammers ça !
[suit la liste intégrale des votants mal
Thanks.
The first certificate is your root CA, the second one is a version 1
certificate that can't be used as a CA (it would be insecure to allow it).
If your end-user certificate is issued by this second certificate, then
the error message is normal.
--
Erwann ABALEA
-
anatomie
Answers inline.
--
Erwann ABALEA
-
Un forum peut répondre à plusieurs besoins à la fois
Ici, le groupe des débutants dépasse en nombre le groupe des utilisateur
middle-class ce qui provoque inévitablement des tensions.
-+- EF - Guide du Neuneu d'Usenet - La lutte des middle classes -+-
Le
OpenSSL 1.0.1 works fine here, both with expired and revoked
certificates (i.e. correctly reports the status).
Could you share your elements (certs, CRLs)?
--
Erwann ABALEA
-
chlorophytophonie: musique pour les plantes vertes
Le 05/12/2012 15:11, Will Nordmeyer a écrit :
Hi, I've done
Bonjour,
See apps/apps.c, function setup_verify. It receives 2 arguments CAfile
and CApath.
Each one is processed independently, and if either one is NULL, its
corresponding default is used.
--
Erwann ABALEA
Le 06/12/2012 10:38, Ralph Holz a écrit :
Good day,
I was using openssl verify
to other parts (ts, s_client, s_server, ...).
Documented, of course.
But only for the app.
--
Erwann ABALEA
Le 06/12/2012 20:39, Chris Palmer a écrit :
On Thu, Dec 6, 2012 at 2:16 AM, Ralph Holz
ralph-openssl-...@ralphholz.de wrote:
-CAfile fileA file of trusted certificates.
The lookup
Inline.
--
Erwann ABALEA
Le 07/12/2012 11:26, Ralph Holz a écrit :
Hi,
Yes, that clarifies the issue for me.
One thing I am wondering about now (as a user) would be how to get
openssl to disregard any local trusted cert list - i.e. how do I get it
to act on the provided CAFile only
Camellia is freely available on several licenses (BSD, GPL, MPL).
IDEA's patent has expired (2011 un Europe, 2012 in Japan+USA).
RC4 is an RSA trademark, no patent has been asked on the algorithm itself.
RC5 is still patented, by RSA.
--
Erwann ABALEA
-
aquadiemoctus: aujourd'hui (oui, je
The 0x00 byte in the BITSTRING is the number of unused bits in the last
octet of the encoded bit string.
See X.690 as a BER/DER reference. Document is free to download from ITU
website.
--
Erwann ABALEA
Le 24/01/2013 19:17, kap...@mizera.cz a écrit :
I have used header from my certificate
of several AVAs, AVAs are generally separated by
'+' character (instead of ','). For example, C=DE, O=Siemens,
GN=John+SN=Simner, which is equal to C=DE, O=Siemens, SN=Simner+GN=John.
This string representation is only informative.
--
Erwann ABALEA
Le 08/02/2013 16:42, Simner, John a écrit
Because this server is configured to send a self-signed certificate
(VeriSign Class 3 PCA). This is useless, and openssl warns you.
--
Erwann ABALEA
Le 11/02/2013 08:47, Prasanth Madhavan a écrit :
Hello Sir,
Why does |wget https://www.asb.co.nz| give |Self-signed certificate
encountered
oid_section = new_oids must be in the top level, not in [ca], [myca],
or whatever. Just move that declaration to the top.
ICAO has only defined document types 'P' and 'ID', hasn't it?
--
Erwann ABALEA
Le 13/02/2013 16:46, Eisenacher, Patrick a écrit :
I'm troubled by what seems to be a weird
the request. You still can set a CN in your
request, its content will be copied into the SAN.
--
Erwann ABALEA
Le 14/02/2013 07:18, Matthew Hall a écrit :
I am sure at least some would sign it because RFC 5280 PKIX standard was
written by the CAs themselves and they are the ones deprecating CN
man asn1parse
man ASN1_generate_nconf
That should give you some bootstrap information.
--
Erwann ABALEA
-
tridécatabulophobie: peur d'être treize à table
Le 28/02/2013 11:16, Walter H. a écrit :
Hello,
I have the following:
---
name = ASN1:SEQUENCE:section
[ section ]
value.1
It's probably the IV.
--
Erwann ABALEA
Le 08/03/2013 16:55, Tayade, Nilesh a écrit :
On performing the AES128 decryption, I see the decrypted data is preceded by a
block of 16bytes.
E.g. Below, 0x48 to 0x5a is the extra 16bytes block. And the actual 'GET'
request starts from 0x47 onwards
You should have received an HTTP 400 error, with an HTML page. The
service behind it may not be RFC3161 compliant, it may even not be
advertised as RFC3161 compliant.
Your solution works, but it doesn't answer the problem.
--
Erwann ABALEA
-
québésectophile: séparatiste québécois
Le 12/03
If you change the number of rounds, then it's not AES anymore, but a
custom Rijndael.
Reading the source code, it appears there's no support for that in
OpenSSL (and poking inside an AES_KEY to change the number of rounds
probably won't work).
--
Erwann ABALEA
Le 13/03/2013 14:32, Ewen Chan
uses.
Number of rounds is important for AES security as it is for any other
algorithm (think about attacks on reduced-rounds AES/SHA/whatever).
--
Erwann ABALEA
Le 13/03/2013 15:31, Ewen Chan a écrit :
So the algorithms include the number of rounds? I thought that it
would only describe the math
GPGPU isn't natively supported. You can write your own engine if you
want, but I think memory transfers will dominate the cost.
AES-NI is natively supported (I get about 550MB/s on my i5 M540 @2.53
GHz for 8k blocks).
--
Erwann ABALEA
Le 13/03/2013 16:49, Ewen Chan a écrit :
Would
to code using
the OpenSSL library.
On Wed, Mar 13, 2013 at 12:12 PM, Erwann Abalea
erwann.aba...@keynectis.com wrote:
GPGPU isn't natively supported. You can write your own engine if you want,
but I think memory transfers will dominate the cost.
AES-NI is natively supported (I get about 550MB/s
on the runtime platform to speed it up).
--
Erwann ABALEA
Le 13/03/2013 18:07, Ewen Chan a écrit :
Yea, I've tried reading the man pages, but it doesn't list all of the
options available on there (which would tend to indicate that it is a
little behind compared to the development and released versions
to encrypt actual files? Have you encountered a CPU
bottleneck, a bug, or anything?
On Wed, Mar 13, 2013 at 1:31 PM, Erwann Abalea
erwann.aba...@keynectis.com wrote:
If what you want is simply encrypt and decrypt files using command-line
openssl executable, then you don't need to play with engine
Le 13/03/2013 20:06, Ewen Chan a écrit :
I'm asking about the '-engine aesni' flag because when I google
openssl aes-ni - that's what comes up.
I've never used it before, but I'm about to as I've recently aquired a
system that supports AES-NI.
I'm also asking because I'm about to encrypt a
openssl enc encrypts one file at a time, and can read the first line
of a file to get the passphrase (in order to derive key and iv).
If you want to provide your own key and iv, you have to do it as command
line arguments.
Key management is out of scope.
--
Erwann ABALEA
Le 15/03/2013 06:33
its behaviour. It's not
resistant to a reboot, it's only process dependant.
Compare the following results:
* OPENSSL_ia32cap=~0x202 openssl speed -elapsed -evp
aes-128-cbc
* openssl speed -elapsed -evp aes-128-cbc
--
Erwann ABALEA
Le 15/03/2013 04:46, Ewen Chan a écrit
Le 15/03/2013 13:54, Ewen Chan a écrit :
Sorry, my bad. Wrong terminology.
(The AES wiki says that it uses a key.) But I was really thinking
about multiple passphrases.
And from this passphrase, a key and IV can be generated. It's more easy
to remember a passphrase than a bunch of hex
Bonjour,
Le 15/03/2013 14:07, Tim Tassonis a écrit :
Hi
I am trying to generate a csr in a c program by having the signing
part done by pkcs11 calls, and while I get no errors, the resulting
csr fails upon validation:
$ openssl req -verify -in wltx.csr
verify failure
, but you'll have to check with your clients. And find a way to
distribute this certificate.
--
Erwann ABALEA
Le 15/03/2013 15:53, Sven Dreyer a écrit :
Hi List,
I would like to setup an OpenSSL-based offline Root CA.
Certificates issued by this Root CA contain a CDP.
I would like to issue CRLs
Le 15/03/2013 17:01, Sven Dreyer a écrit :
Hi Erwann,
Am 15.03.2013 16:16, schrieb Erwann Abalea:
You can generate a self-issued certificate dedicated to CRL signing
(same name, different key, signed by your root). That's acceptable
for RFC5280, but you'll have to check with your clients
as binary data.
In fact, following your link, those are the first 2 answers...
--
Erwann ABALEA
Le 28/03/2013 19:08, Jevin Sonut a écrit :
hi,
i have encrypted a string using Blowfish from Openssl library
i got the following string A▓☼LÝ$øä²↓j╗ú¤Ä:ðï▲
i inserted the data into my database
Le 17/04/2013 18:40, Joan Moreau a écrit :
Le 17/04/2013 14:18, Viktor Dukhovni a écrit :
On Wed, Apr 17, 2013 at 07:24:23AM +, Joan Moreau wrote:
2013-04-17T09:17:36.573675+02:00 server postfix/smtpd[16725]:
warning: TLS library problem: 16725:error:140D308A:SSL
think you could define your own with TLS1.0).
--
Erwann ABALEA
Le 23/04/2013 08:29, Venkataragavan Narayanaswamy a écrit :
Hi,
We are currently analyzing and understanding the security strength of
the openSSL internal implementation to certify the products.
In version 0.9.8d, TLSv1.0 alone
on collision of both MD5 and SHA1 at the same time.
--
Erwann ABALEA
Le 23/04/2013 14:28, David Jacobson a écrit :
Careful about this. The technically correct answer is misleading.
Yes, MD5 is used in the PRF, but it is XORed with SHA1. So you get at
least the strength of stronger of the two
that may now
declare your certificate as revoked.
Verify the validity of the certificate at the current time. If you want
to periodically check for the validity of the certificate because you're
using it for a looong session, that's up to you.
--
Erwann ABALEA
Le 23/04/2013 19:17, Vijaya
Bonjour,
Le 26/04/2013 15:15, redpath a écrit :
I am adding a custom extension to an x509 a png icon basically (bytes).
Since the png icon is too large to post the data I have subsituted it with
a
file called sample.txt that has a text line This is a sample.
The code excerpt to add the
duplicate in information. The extended attributes have
information and the PEM has the base64 encoding below. Is there a way not to
have this duplicate info for efficient size?
--
Erwann ABALEA erwann.aba...@keynectis.com
__
OpenSSL
Le 28/04/2013 20:26, redpath a écrit :
When an x509 is created using the openssl command it creates a default serial
number if one not supplied
How is this serial number created (algorithm) in general.
A 64bits random number.
openssl req -x509 etcetera
The default serial number is quite
That question has been answered a few days ago. Here's an example:
openssl req -new -newkey rsa:2048 -keyout dumb.key -nodes -out dumb.req
-subj /C=UT/O=Whatever/GN=Per/SN=Edlund
--
Erwann ABALEA
Le 20/05/2013 16:47, Per Edlund a écrit :
Hello!
I need to create a key and a csr with SN
Are you sure there's a SAN extension in the displayed CSR?
Dump the entire content with asn1parse.
--
Erwann ABALEA
Le 23/05/2013 17:41, Craig White a écrit :
I want to be able to view CSR's with subjectAltName's but I can't figure out
any way to make it happen. I have poured over the man
Try these:
- split the certificates from your CA/cecert.pem into individual files
with correct hashes
- run strace -eopen openssl verify -CApath yourcacertsdirectory
client.cert
--
Erwann ABALEA
Le 04/06/2013 09:02, Leon Brits a écrit :
Hi all,
I have just created a new CA which has
countryName is ALWAYS a PrintableString, and is ALWAYS 2 characters long.
See X.520 for a normative definition, included in RFC5280 for information.
--
Erwann ABALEA
Le 20/06/2013 18:33, phildoch a écrit :
Country Name field in CA generated by openssl is encoded as PRINTABLESTRING
while other
Le 16/08/2013 20:10, Robert Moskowitz a écrit :
On 08/14/2013 05:37 PM, Dave Thompson wrote:
From: owner-openssl-us...@openssl.org On Behalf Of Robert Moskowitz
Sent: Wednesday, 14 August, 2013 15:49
I have a CA cert in pem format that uses ecdsa. I have tried
to display the contents with:
Bonjour,
Le 22/08/2013 14:56, Peter1234 a écrit :
You misunderstand how it’s supposed to work.
OpenSSL does not prevent you from signing anything. It can’t; for example,
you could use other software and generate the signature.
Instead, when the recipient gets a certificate, and verifies the
Bonjour,
Le 27/08/2013 18:14, Thaddeus Fuller a écrit :
Hello all,
I had a couple questions about X509 CRLs.
1) It appears that OpenSSL does not check my tree against the CRLs I provide.
If I revoke my own leaf certificate, and establish mutually-authenticated SSL,
OpenSSL does not prevent
That's software dependant.
Either one is a valid responder, and either response has the same value,
there's no priority.
--
Erwann ABALEA
Le 02/09/2013 10:27, deepak.kathuria a écrit :
Hi,
I am using openssl OCSP utility as OCSP Responder in linux platform. At OCSP
Requester side, if OCSP
The requestor is allowed to ask for any extension it wants.
The CA will do its job, ignore those requested extensions, and place the
good ones in the certificate. It can also change the subject name
contained in the certificate.
--
Erwann ABALEA
Le 09/09/2013 11:21, phildoch a écrit :
Oh I
Bonjour,
Le 10/10/2013 18:29, int0...@safe-mail.net a écrit :
Hi,
I've been asking this on the OpenVPN mailinglist, but didn't get an answer so
far. Therefore I hope you can help me.
We use OpenVPN in our company with the default cipher suite, which should be:
DHE_RSA_BF_CBC_SHA
So RSA is
Bonjour,
Le 11/10/2013 03:35, nehakochar a écrit :
Rajesh Malepati wrote
On Wed, Jul 24, 2013 at 9:30 PM, kirpit lt;
kirpit@
gt; wrote:
The server doesn't seem to care to respond to clients supporting TLS 1.2
ok:
openssl s_client -tls1 -connect emea.webservices.travelport.com:443
no
Le 11/10/2013 19:57, nehakochar a écrit :
Erwann ABALEA wrote
The server and client are both compliant.
With the first command, you tell the client to use TLS1.0 only. No more,
no less. The server is ok with it, and both negociate TLS1.0.
With the second command, you tell the client to use
The Linux kernel module isn't necessary for OpenSSL.
--
Erwann ABALEA
Le 07/11/2013 06:48, sarav.sars a écrit :
Is it necessary to load aesni-intel module like 'modprobe aesni-intel' ?
Loading this module makes no difference in openssl speed output
Bonjour,
Le 13/11/2013 11:35, Igor Sverkos a écrit :
Hi,
please see the following certificate:
-BEGIN CERTIFICATE-
MIIEbTCCA1WgAwIBAgICLgAwDQYJKoZIhvcNAQEFBQAwQDELMAkGA1UEBhMCVVMx
[...]
uKnvqzQP10A7f3PBsGYRA2DCeMDavaEoizJnNyjCOQx4
-END CERTIFICATE-
It seems to be a valid
UTF8String (SIZE (1..MAX)),
bmpString BMPString (SIZE (1..MAX)) }
Nearly every attribute type is encoded as a DirectoryString. An empty
element doesn't respect the size constraint, so is invalid.
--
Erwann ABALEA
Le 13/11/2013 11:48, Ben Laurie a écrit :
On 13 November
Le 13/11/2013 13:30, Igor Sverkos a écrit :
Hello,
thank you for your response. There's one thing in your reply I don't
understand:
Erwann Abalea wrote:
It seems to be a valid certificate for OpenSSL, right?
OpenSSL can parse it, yes.
[...]
Reading X.520 shows that the DirectoryString
.
--
Erwann ABALEA
Le 25/11/2013 15:15, Sanjay Kumar (sanjaku5) a écrit :
Hi,
We need to send CN attribute in TeletexString format for ASN1DN Id
and certificate.
Does openssl support for TeletexString/ T61String(T61String, an
arbitrary string of T.61 (eight-bit) characters.) ?
What
certificates,
such as bogus live.com cert, but also DigiNotar CA certificates,
MD5-collision CA, other bogus certs (gmail, yahoo, etc), and CA
certificates not trusted for SSL use.
Don't use that file, at all.
--
Erwann ABALEA
by PKIX.
RFC5906 uses a trustRoot EKU, without any OID being proposed or
referenced. Your certificate includes the later one in the EKU extension.
--
Erwann ABALEA
Le 28/11/2013 14:26, Dereck Hurtubise a écrit :
It is NTP indicating that this certificate is held by a supposed
trusted root
Le 28/11/2013 22:18, Rob Stradling a écrit :
On 28/11/13 15:14, Erwann Abalea wrote:
How nice, they're asking for a self-signed certificate to include a
specific EKU to indicate it's a Trust Anchor, and the OID used for this
has never been allocated. Crazy.
It's crazier than that. RFC5906
Le 29/11/2013 16:25, Dr. Stephen Henson a écrit :
On Thu, Nov 28, 2013, Erwann Abalea wrote:
How nice, they're asking for a self-signed certificate to include a
specific EKU to indicate it's a Trust Anchor, and the OID used for
this has never been allocated. Crazy.
I just looked at OpenSSL's
Le 29/11/2013 17:53, Erwann Abalea a écrit :
Le 29/11/2013 16:25, Dr. Stephen Henson a écrit :
Changing OIDs in the table is problematical. If anything uses them it could
break them in all sorts of ways. The NID_* entries would change and text based
lookup would no longer work.
The reference
to only allow (EC)DHE key exchange mechanisms, by
tweaking its acceptable ciphersuites
--
Erwann ABALEA
Le 11/12/2013 20:29, Walter H. a écrit :
[...]
can please someone tell me why I get in FF (in an old 3.6 and in an
relatively actual one 24.2esr)
This Connection is Untrusted
www.google.nl uses
It's not strange.
You removed the RSA-* from client side, the result is that the server
can't match anything in common between what the client proposed and what
the server accepts. The error you get has been sent by the server.
--
Erwann ABALEA
Le 11/12/2013 22:34, Walter H. a écrit :
Hello
Le 13/12/2013 19:30, Walter H. a écrit :
On 12.12.2013 14:16, Erwann Abalea wrote:
It's not strange.
You removed the RSA-* from client side, the result is that the server
can't match anything in common between what the client proposed and
what the server accepts. The error you get has been
Don't regret it, it wasn't that bad ;)
--
Erwann ABALEA
Le 13/12/2013 20:39, andrew cooke a écrit :
sorry, that was a bad joke i now regret sending. andrew
On Fri, Dec 13, 2013 at 04:01:23PM -0300, Andrew Cooke wrote:
it dpends how many characters differ when sorted.
in this case:
ECDHE
Bonsoir,
Le 14/01/2014 19:44, socket a écrit :
Hey all, I am wondering if anyone here could point me in the right direction
or even assist with a problem I have having.
According to RFC 2560:
All definitive response messages SHALL be digitally signed. The key
used to sign the response
Bonjour,
It seems OpenSSL 0.9.8j doesn't like receiving a New Session Ticket
message over an SSLv3 session, even when it sends an empty session
ticket in its ClientHello message.
Possible solutions:
-tls1 instead of -ssl3
add -no_ticket
--
Erwann ABALEA
Le 21/02/2014 11:03, Lvqier
Le 25/03/2014 17:44, Zack Williams a écrit :
On Fri, Mar 21, 2014 at 12:25 AM, Stefan H. Holek ste...@epy.co.at wrote:
I have updated the OpenSSL PKI Tutorial at Read the Docs. The tutorial provides
three complete PKI examples you can play through and the prettiest
configuration files this
Le 25/03/2014 23:08, Zack Williams a écrit :
On Tue, Mar 25, 2014 at 10:54 AM, Erwann Abalea
erwann.aba...@keynectis.com wrote:
2. I couldn't figure out what the [additional_oids] section of the
Expert example's root-ca.conf file is for - either through research or
going through the commit
Le 27/03/2014 11:14, Jeffrey Walton a écrit :
On Thu, Mar 27, 2014 at 5:47 AM, Stefan H. Holek ste...@epy.co.at wrote:
On 25.03.2014, at 17:44, Zack Williams wrote:
...
3. Is there a reason to not set a pathLen in the basicConstraints
section of the Root CA's (to 1, to allow a maximum of one
Darwinports.
--
Erwann ABALEA
Le 31/03/2014 21:18, Landen Landens a écrit :
My Mac still has OpenSSL 0.9.8. How may I update this to the latest
stable version?
I believe the latest stable version is at least 1.0.01
certificate can be viewed as an ID, and has to map to the
real world the most possible. Being unable to represent the name of a
company or the name of an individual because of a one size fits it
all decision, in an electronic world, is a shame (that's my opinion).
--
Erwann ABALEA [EMAIL PROTECTED
mind, it allows me to write functions with only one exit
point, and group deallocations together. There's no spaghetti
symptom, in C, as a goto must span in the same function.
--
Erwann ABALEA [EMAIL PROTECTED]
-
If you're not part of the solution, there's good money to be made in
prolonging
(this term has nothing to do here) a serial number *can* be
negative, if you're looking at the X.509 recommendation. That's surely
not the reason of the problem. Only the RFC (starting with 3280)
states that the serialNumber MUST be a positive integer.
--
Erwann ABALEA [EMAIL PROTECTED]
-
``Do or do
.509 is free to download from the ITU-T website, as is the whole
X.5xx group of documents, and most of the X.6xx (680 and 690 comes to
mind, for ASN.1 and its encodings). That wasn't the case some
months/years ago.
--
Erwann ABALEA [EMAIL PROTECTED]
-
Keyboard not connected, press F1 to continue
certificate (a VeriSign one, it seems) to a file, and
checked its signature:
openssl verify -CAfile rootv1.pem rootv1.pem
which replied Ok.
Do you have a better example of a bad certificate?
--
Erwann ABALEA [EMAIL PROTECTED]
-
I can't be stupid, I completed third grade
:
- either really revoke it, by changing the reason code while keeping
the date
- or completely remove it from the CRL, as you guessed.
If you plan to issue deltaCRLs, you MUST use the removeFromCRL
reason code for such certificates, only for the deltaCRLs.
--
Erwann ABALEA [EMAIL PROTECTED
at
http://www.itu.int/rec/T-REC-X.509-200508-I/en;.
RFC2459 is waaa obsolete, it has been replaced by RFC3280, and
then by RFC5280. It can't discuss wildcards, since it's an SSL-only
use case. Same goes for the X.509 standard (which is free to download
in PDF format).
--
Erwann ABALEA [EMAIL
handle non ISO8859-1 characters.
--
Erwann ABALEA erwann.aba...@keynectis.com
-
No wanna work. Wanna bang on keyboard.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List
1 - 100 of 332 matches
Mail list logo