Re: FW: multi-byte subject DN display

Bin Lu wrote: If I use -nameopt utf8 option, the output of the subject is empty even for ascii string subject DN. This does not seem to match what is said in the man page. A bug? Please try out with the attached certificate (removing the .txt ext). Are the DN attributes with non-ASCII

Re: TLS authentication for ldap

Viktor Dukhovni wrote: On Mon, Sep 23, 2013 at 10:54:04AM -0400, Salz, Rich wrote: Another option is to use LDAP's STARTTLS support on port 389. It seems the config to require it is a bit obscure; http://www.openldap.org/lists/openldap-technical/201202/msg00414.html might be useful.

Re: about openldap client ssl

You should better ask OpenLDAP questions on the openldap-technical mailing list: http://www.openldap.org/lists/ Ciao, Michael. Robbie Mingfu Zhang wrote: Hi: If I set the TLSVerifyClient demand on openldap server side, then I'll got below error (set TLSVerifyClient as never/allow/try,

Re: Verisign Problem with smtp tls

Viktor Dukhovni wrote: With SMTP, PKIX certificate verification is pointless without explicit per-destination configuration: http://vdukhovni.github.io/ietf/draft-ietf-dane-smtp-with-dane-05.html#rfc.section.1.2 This is why I am working to implement and standardize SMTP with DANE TLS.

Re: Verisign Problem with smtp tls

Viktor Dukhovni wrote: On Sat, Dec 28, 2013 at 05:56:41PM +0100, Michael Str?der wrote: http://vdukhovni.github.io/ietf/draft-ietf-dane-smtp-with-dane-05.html#rfc.section.1.2 This is why I am working to implement and standardize SMTP with DANE TLS. DANE itself does not help. It just shifts

Re: OpenSSL CA and signing certs with SANs

Jakob Bohm wrote: On 1/7/2014 12:17 AM, Biondo, Brandon A. wrote: I am using ‘ca’ not ‘x509’. It too ignores/discards extensions. Turning on copy_extensions solved the issue though, thanks. I have some follow-up questions: 1.If including SANs in CSRs is non-standard, what is the accepted way

Re: Verifying all subjects in a certificate chain

Graham Leggett wrote: In a typical client certificate scenario, you might verify that a certificate chain is complete, not expired, and trusted by a root certificate. If you were to choose a way to authorize the certificate over and above the check that the cert is valid, you might store

Re: RFC: Add additional security by bringing fingerprint into DNS

Mario Lombardo wrote: Hi *, this is just an idea. However it would increase the security of our crypto system in case a trusted CA has been compromised. The idea is to implement a DNS lookup of a host whenever a ssl connection is going to be established. The lookup may search the TXT

Re: Quite a funny and strange behaviour

Walter H. wrote: subjectKeyIdentifier=hash which parts of the certificate are included in generating this hash value? http://tools.ietf.org/html/rfc5280#section-4.2.1.2 Ciao, Michael. smime.p7s Description: S/MIME Cryptographic Signature

Re: SSL/TLS renegotiation attack

sandeep kiran p wrote: Ours is an LDAP directory enabled application where we use SSL/TLS to protect binds to the directory. Right now we are using OpenSSL 0.9.8g to do this. Our application depends on external directory servers for authentication which are not maintained by us. So it is only

Extract DER of RecipientInfos from CMS

HI! Is there an API function in OpenSSL which extracts only the DER blob of RecipientInfos from a CMS message (needed for encrypted S/MIME message). Or has that to be done low-level with ASN.1 parser? Ciao, Michael. __ OpenSSL

S/MIME interop issue with Outlook 2010 beta

HI! Someone sent me an encrypted S/MIME message which I could not decrypt in Mozilla's Seamonkey. Trying to determine the cause for that I wanted to look at the RecipientInfos structure with OpenSSL 0.9.8k shipped with openSUSE Linux 11.2 and and also tried with OpenSSL 1.0.0 (self-compiled).

Re: S/MIME interop issue with Outlook 2010 beta

Dr. Stephen Henson wrote: On Tue, Mar 30, 2010, Michael Strder wrote: Someone sent me an encrypted S/MIME message which I could not decrypt in Mozilla's Seamonkey. Trying to determine the cause for that I wanted to look at the RecipientInfos structure with OpenSSL 0.9.8k shipped with openSUSE

Re: openLDAP with CRL

shake kvc wrote: I want to be able to store CRLs in the openldap repository so that I can retrieve them using a LDAP client. Basically, the client would be given a LDAP URL as follows: ldap://xxx.yyy.com/CN=Challenger(1),CN=xxx,CN=C

Costs (was: Extract DER of RecipientInfos from CMS)

customer. Ciao, Michael. -- Michael Ströder Klauprechtstr. 11 Dipl.-Inform. D-76137 Karlsruhe, Germany Tel.: +49 721 8304316 E-Mail: mich...@stroeder.comhttp://www.stroeder.com __ OpenSSL

Re: mod_authz_ldap help....

Luisç Nevesã wrote: I am trying to use mod_authz_ldap to query a X.509 certificate on a ldap directory This is rather a LDAP-related question e.g. for the openldap-technical mailing list if you're using OpenLDAP server or the more general list l...@umich.edu. in the directory, i have stored

Re: OCSP request with SHA256

Carla Coutinho wrote: I'm trying to generate an OCSP request containing Issuer Name Hash and Issuer Key Hash calculated with hashing algorithm SHA256. I've already instaled OpenSSL 1.0.0, which has the option '-sha256', but that doesn't seem to be working (the Hash Algorithm is always SHA1).

Re: print smime cipher

Rainer Giedat wrote: i have a hard time figuring out how i can print the cipher used to encrypt a smime encrypted mail. openssl smime -in test.eml -pk7out|openssl asn1parse Or with OpenSSL 1.0 in case S/MIME MUA sent CMS instead of PKCS#7: openssl cms -in test.eml -cmsout -outform pem|openssl

Re: Certificate with multiple CN fields - valid?

John Nagle wrote: Normally, when a certificate is to be valid for more than one domain name, one name is in the CN field, and the others are in the subjectAltName extension. But look at the cert for https://www.ipmirror.com/;. This might serve as an interesting example for the people

Displaying modulus

HI! There is a difference when displaying the modulus with command-line tool. Here's the relevant excerpt of the following command: openssl x509 -noout -text -modulus -in cert.pem [..] Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus:

String-Representations of DNs

HI! It's confusing that OpenSSL seems to output distinguished names in different string representations. While one can use command-line argument -nameopt to influence the output of openssl x509 -issuer -subject this does not affect DN output of X.509v3 extensions and there's no such argument for

trust settings on the root CA

man 1ssl verify says: The third operation is to check the trust settings on the root CA. The root CA should be trusted for the supplied purpose. For compatibility with previous versions of SSLeay and OpenSSL a certificate with no trust settings is considered to be valid for all purposes. I

Re: trust settings on the root CA

Michael Ströder wrote: man 1ssl verify says: The third operation is to check the trust settings on the root CA. The root CA should be trusted for the supplied purpose. For compatibility with previous versions of SSLeay and OpenSSL a certificate with no trust settings is considered

openssl verify fails

HI! I'm feeling dumb since this simple command fails and I cannot see why: $ openssl verify -CAfile rootcacert.pem subcacert.pem subcacert.pem: C = DE, O = SCA Deutsche Post Com GmbH, CN = Signtrust CERT Root CA 1:PN error 2 at 1 depth lookup:unable to get issuer certificate I've attached the

Re: openssl verify fails

Erik Tkal wrote: Your rootcacert is not a root cert, as it was issued by C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Client Authentication and Email. You need to append that cert as well to your CAfile. Shouldn't it be possible to

Re: openssl verify fails

Bruce Stephens wrote: Erik Tkal et...@juniper.net writes: Maybe that's a bug in OpenSSL 0.9.8o? The docs for verify say It is an error if the whole chain cannot be built up. Maybe, but I think it's just as reasonable to regard it as a bug in the docs. I think it's useful for verify to

Re: openssl verify fails

Bruce Stephens wrote: Bruce Stephens bruce.steph...@isode.com writes: Dr. Stephen Henson st...@openssl.org writes: [...] Is that unmodified OpenSSL 0.9.8o? If so that's peculiar I get the expected error here. No, it's Debian's 0.9.8o-2. Ah, my fault. Obvious in retrospect: Debian's

Re: SSL Communication using BIO

Eric S. Eberhard wrote: or ... keep it simple and at least consider using stunnel. I use stunnel myself in some situations. It's a great tool. But bear in mind that the application then has no access to authentication information of the SSL layer. Ciao, Michael.

Re: smime verify bug???

Mailing List SVR wrote: Il 20/07/2011 17:06, Dr. Stephen Henson ha scritto: On Wed, Jul 20, 2011, Mailing List SVR wrote: Il 20/07/2011 08:44, Mailing List SVR ha scritto: Hi, openssl seems unable to verify the attacched sod.pem, other pem file works fine there is something strange with the

Re: Multiple certificate requests in one message

Victor B. Wagner wrote: RFC 2511 defines ASN.1 syntax for putting multiple certificate request into one message: [..] Question is - how widespread is use of this syntax, is there any real-world CA which understand CertReqMessages sequence. There are several PKI implementations which support

Re: PKI design question

Victor Duchovni wrote: On Thu, Nov 23, 2006 at 06:46:23PM -0300, Mart?n Coco wrote: My main goal is to design a PKI for our server infrastructure (ldaps, https, mail, vpn, etc.) The problem is that, for example, when reading the mentioned book, all the examples are based on people, but not on

Re: SSLv3 handshaking fails on solaris

Donny Dinh wrote: * ./openssl s_client -connect www.google.com:443 -state* [..] *6709:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1057:SSL alert number 20* *6709:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:* If I force

Parsing X.509v3 extensions

HI! I'm currently trying to parse the X.509v3 certificate extensions with the help of an ASN.1 parser module for Python. I'm somewhat stuck into detail problems since I'm a total ASN.1 newbie. Maybe I have misunderstood some concepts. If I'm parsing the extensions do I have to use a-priori

Re: Sun's Java keytool and OpenSSL RSA cert

Dr S N Henson wrote: making sure there's no summary info before BEGIN CERTIFICATE and seeing if you can find what format keytool wants. Uuumpf! Yes, my fault (turning red): I did not remove the text before BEGIN CERTIFICATE line. Sorry. Ciao, Michael.

Re: Sun's Java keytool and OpenSSL RSA cert

Xiaohua Cheng wrote: So, now keytool can recognize the certificate your OpenSSL generates? Yes. keytool of JDK 1.3, X509v3 server cert with some extensions. It always returns "unrecognized format" when I was trying to import certificate generated with OpenSSL into the keystore. Try to

Re: Urgent: Trusting Self Signed Certificate

Deepak wrote: I have a piece of Java (JSSE) code BTW: news:comp.lang.java.security is a more appropriate forum for these kind of questions... Ciao, Michael. __ OpenSSL Project

Re: About the SSL transaction when using Proxy Server

Ri Li wrote: I have some question about the SSL, when my office is using a Proxy server to go to the internet. Is the SSL encryption only encryt between the Proxy Server to the Internet Web Server? or protect from user under proxy server to Internet Web Server?? If you configured your web

Re: openssl smime verify

Mahesh Anantharaman wrote: openssl smime -verify -noverify -nointern -nochain -in message.txt -certfile myfile.pem Note that you normally MUST verify the validity of the sender's certificate against a trusted root cert which you retrieved in a secure way. Otherwise you have to make sure that

Re: openssl smime verify

Dr S N Henson wrote: The email is always checked against the senders certificate: it is extracted from the signed email automatically so there is no need to donwload it manually. Note: With Outlook (Express) you can turn off adding the sender's certificate to the S/MIME signature to reduce

Re: openSSL

Optik Marko wrote: Please can you send me links from German-sites for openSSL? English is too difficult for me. You're lucky (Du hast Glück): http://www.pca.dfn.de/dfnpca/certify/ssl/handbuch/ Ciao, Michael. __ OpenSSL

Re: Open VPN - Anybody interested / suggestions

Peter Stamfest wrote: Hello OpenSSL users, [..] * UDP based instead of TCP based (see below for reasons) SSL sits on top of a connection-oriented protocol like e.g. TCP or PPP. Some VPN products use SSL over PPP over UDP. Did you mean that? But what's wrong with IPSec, S/WAN and

Re: JSSE untrusted certificate chain

Alex Cosic wrote: JSSE java client [..] untrusted certificate chain. 1. Slightly off-topic here. Better ask in news:comp.lang.java.security 2. Read the docs of Sun's keytool. keytool -import -alias "My CA" ... Ciao, Michael.

Re: Open VPN - Anybody interested / suggestions

Peter Stamfest wrote: On Fri, 5 Jan 2001, Michael Strvder wrote: SSL sits on top of a connection-oriented protocol like e.g. TCP or PPP. Some VPN products use SSL over PPP over UDP. Did you mean that? What I have in mind is not SSL over UDP. Off course since UDP is not a

Re: Open VPN - Anybody interested / suggestions

Peter Stamfest wrote: * IPSec is hard to configure But please give us a reason why you believe that the configuration of "your solution" would be easier. Yes, it's somewhat more complicated than starting setup.exe and just click a "Next" button if it's meant to be really secure. The main

Re: Open VPN - Anybody interested / suggestions

If we want to continue this thread I suggest to switch to news:comp.dcom.vpn for not filling up openssl-users with off-topic discussion. Ciao, Michael. __ OpenSSL Project http://www.openssl.org

Re: On-the-fly self generated certs for network application

Marco Cunha wrote: we can't have our clients going around creating, signing installing new certificates every once in a while so I was thinking about doing the following : Look into openssl.c and friends and figure out a way of making the server generate a CA cert and server cert on the

Re: attach file in smime

mariano Jess wrote: Somebody Knows if it's possible to send attach files with smime. Yes, it's possible. Note the MIME in S/MIME. Ciao, Michael. __ OpenSSL Project http://www.openssl.org User

Re: Certificates with many Virtual host

Reiner Buehl wrote: There is a (not recommended) possibility for this: If all of your hosts belong to the same domain you could generate a so called "wildcard certificate". This is a certificate with a hostname like '*.mydomain.org' AFAIK this does not work with M$ IE. Ciao, Michael.

Re: Certificate renewal

Maxime Dubois wrote: So I need to keep request files as I keep cert files... Maybe you can also try to generate a new request from an expired cert. openssl x509 -x509toreq I think renewal is interesting because [...] It's always a matter of your local policy. Ciao, Michael.

Re: Intermediate CA Revocation?

Maxime Dubois wrote: What I wanted to know is: How does a root CA say it does not trust anymore a sub-CA it has signed before? By revoking the certificate of the sub CA. Revoking means putting it into the root CA's CRL. Ciao, Michael.

Re: Certificate renewal

Maxime Dubois wrote: This solution was interesting but it seems that I need the private key of the user certificate to sign the request Yes, my fault. Use the old cert request. You should store them for auditing reasons anyway. Ciao, Michael.

Re: Netscape accepts cert from evil empire

[EMAIL PROTECTED] wrote: I created a cert with the host name known as www.evilempire.com and netscape was quite happy to accept it and never reported that the URL I typed in does not match the name carried within the cert. You're wrong. Even those old Netscape Navigator 4.0x certainly asks

Re: Display of a User Certificate in Netscape Address book

Robert Hannemann wrote: i´ve generated a Certificate with DER encoding and add it to an LDAP Directory User Entry. When i search the LDAPentry with Netscape Addressbook, the Attributes of the Result looks good, but the Certificate is displayed as an binary string like :

Re: Linux and EVP_rc5_32_12_16_ofb

[EMAIL PROTECTED] wrote: Ng Pheng Siong wrote: Hi, I've gotten a few messages about M2Crypto not working on Linux (Red Hat 7.1, SuSe 7.1) because undefined symbol: EVP_rc5_32_12_16_ofb. I understand the packaged OpenSSL on those platforms are versions of 0.9.6. I don't have

Re: Certificates database

haikel wrote: I need to develop an application that allows me to update, automaticaly, netscape and IE with new certificates and private keys. IMHO this is not possible in general since the user's certificate and key database is hopefully protected with his/her passphrase. If you want to

Re: you suck re: Richard Levitte's comment

StarTux wrote: [EMAIL PROTECTED] wrote: We should be able to deal with this problem ourselves because it affects us often enough. Yes. :-( ANy suggestions how? Who has admin rights to the list? Anyone with admin rights should be able to nuke anyone off of the list quietly and

Re: Creating and administrating local CA's

Steffen Dettmer wrote: I'm setting up a CA useing openssl and mod_ssl for Apache. I'm writing some perl scripts for standard jobs, like: - Certificate verifying with Netscape (nsRevocationUrl in v3 SSL ext) - Certificate distributing (a cert list sorted by DN hierachie) where an user

CA hierarchy in openssl.cnf

HI! I´m working on a CA framework which takes all parameters from openssl.cnf. I want to write a (Python) script which does all of the CA certificate stuff. In order to generate a whole CA hierarchies (Root-CA signs other CA´s) there should be a parameter in the openssl.cnf which CA is signed by

pyca-0.4

HI! I would like to announce a new beta release of pyca, a set of scripts and CGI-BIN programs for setting up and running a certificate authority using OpenSSL. See http://sites.inka.de/ms/python/pyca/ for further details. Unfortunately there´s no real documentation available up to now and

Re: pyca-0.4

Phil Tracy wrote: At 04:33 AM 4/27/99 , you wrote: I would like to announce a new beta release of pyca, a set of scripts and CGI-BIN programs for setting up and running a certificate authority using OpenSSL. Thanks for the contirbution! It looks great so far. I'm just getting started

Re: About pyCA

Raul Gutierrez wrote: I am installing the pyCA package and when i run from the browser the ca-index.py script i get the followin error: Internal Server Error When i saw the eeror log i saw the following: [..] Traceback (innermost last): File

Re: MSIE certificate expiration problem

Erwann ABALEA wrote: On Tue, 13 Jul 1999, Radovan Semancik wrote: I have problem with OpenSSL generated certificates. MSIE 4 and MSIE 5 both say that this certificate has expored: [..] - the server/client certificate has a notAfterDate that falls AFTER the CA's one... It's

Re: Certificate server

CASTELAIN Didier wrote: Is there a Certificate server in Freeware or for a trial period ? Have a look at: http://www.openssl.org/related/apps.html Ciao, Michael. __ OpenSSL Project

Re: CRL Question

ssl wrote: On Mon, 30 Aug 1999, Michael Ströder wrote: ssl wrote: below the cert info, you'll see the "Check Certificate Status" button, [..] By this method, the cert must have "nsRevocationUrl" pointing to a cgi to check it. This on-line certif

Certificates and MS IE

HI! I'm currently having a hard time integrating support for MS Internet Explorer 4+ into my poor man's CA package pyCA. I managed to generate a certificate request and get the issued certificate installed into IE with some small VBScript code. But I have several questions: 1. MS IE accepts

Re: cert LDAP publication

"Salz, Rich" wrote: type of certificate to publish in an LDAP directory for support of S/MIME, etc. Are there any strong feelings about X.509 vs. PKCS12 (or others) or encoding types? I thought everyone used the DER representation of the X.509 certificate structure. (That is what

Re: What US companies need to know about RSA

HI! Please, can we stop the off-topic discussion here? We have enough to read all day. Ciao, Michael. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL

Re: Signing IE Cert

Gideon Serfontein wrote: I am having a problem signing a Microsoft IE certificate , [..] If anyone can help me , or has gotten the Xenroll.dll to work , please let me know. I can send you a gzipped tar-ball with a snapshot of pyCA (http://sites.inka.de/ms/python/pyca/) which does include

Re: open source COMMUNITY?

Hi Mike, yes, you are on the wrong mailing-list. Mike Bartlett wrote: I was under the impression that OpenSSL was an SSL mod to Apache BASED ON SSLEAY and hence should have its own method or similar method to getca. Any idea where getca is - should I install something else? No. OpenSSL

Re: license for openssl in UK and proof the NSA monitors all emails.

"Rubinstein, Dmitry" wrote: will have any hits from 'mil' TLD. [..] I've got 1768 total hits for 3 months [..] Have many hits and good luck unveiling the NSA conspiracy! [..] BTW, the military guy must have found your site pretty dull, if there were no more hits... ;-) (Sigh!) I only

Domino-Server and SGC

HI! I read the mod_ssl-README about Server Gated Cryptography / Global Server IDs. Well, that seems interesting to me. I created a server cert for a Notes/Domino Server 4.61 with X.509v3 attributes msSGC and nsSGC set. But the Domino Server seems not to accept the certificate. Does somebody has

Re: DSA key sizes

Eric Rescorla wrote: Technically, they're both correct. This posting is sent to the list several times. Can someone stop this please? Ciao, Michael. __ OpenSSL Project http://www.openssl.org

Re: PEM certs formatted at 76 chars per line

"Pablo J. Royo" wrote: I´m using this cert from Baltimore with openssl0.9.5a. This question is for openssl-users not openssl-dev. I don´t know why they generate PEM certs with 76 chars in each line, instead of 64 as everybody does. Should be no problem. Depends on their base64 lib. If

Re: Who uses heartbeat?

Graham Leggett wrote: On 13 Apr 2014, at 12:25 PM, Hanno Böck ha...@hboeck.de wrote: I wasn't really sure where to ask this, but I think this list is appropriate. While having read so much about heartbleed, one question stays unanswered for me all the time: What's the use of this

Re: Who uses heartbeat?

Graham Leggett wrote: On 13 Apr 2014, at 2:04 PM, Michael Ströder mich...@stroeder.com wrote: No, it does *not* answer the question. The question was: Who is currently using it? Just to clarify any possible confusion, whether or not a piece of software actively uses the heartbeat makes

Re: [openssl-users] Is it possible to add a Client Hostname to an SSL Client Certificate?

Alexandre Arantes wrote: one of them asked me why did I choose not to add the client hostname to the Client Certificate, thus making it usable only by that specific client. There are no standardized naming rules for client certs like the TLS server hostname check implemented at the client

Re: [openssl-users] Thoughts about security, privacy, ...

Walter H. wrote: > On Thu, October 29, 2015 11:07, Jakob Bohm wrote: >> She (Eve) would know that the requesting party Alice >> was talking to Bob at the very moment she sent Trent >> the OCSP *request* for Bob's certificate. >> >> [...] equivalent of having (almost complete) real time >> copies

Re: [openssl-users] OCSP_sendreq_bio()

Walter H. wrote: > On 28.10.2015 16:44, Jakob Bohm wrote: >> On 27/10/2015 21:21, Walter H. wrote: >>> On 26.10.2015 21:42, rosect...@yahoo.com wrote: Hi, I need some help on this call. I am building an OCSP client following guide in openssl and compile the code in Cygwin

Re: [openssl-users] Thoughts about security, privacy, ...

Walter H. wrote: > On 30.10.2015 21:42, Michael Ströder wrote: >> Walter H. wrote: >>> On Thu, October 29, 2015 11:07, Jakob Bohm wrote: >>>> She (Eve) would know that the requesting party Alice >>>> was talking to Bob at the very moment she sent Trent >

Re: [openssl-users] Thoughts about security, privacy, ...

Walter H. wrote: > On 31.10.2015 13:01, Michael Ströder wrote: >> Walter H. wrote: >>> On 30.10.2015 21:42, Michael Ströder wrote: >>>> Walter H. wrote: >>>>> On Thu, October 29, 2015 11:07, Jakob Bohm wrote: >>>>>> She (Eve) would

Re: [openssl-users] Personal CA: are cert serial numbers critical?

Tom Browder wrote: > I plan to tidy my automation before the issue of new certs, but I wonder > how critical it is to ensure unique certificate serial numbers given that > the certs are only used for us. I'm not even sure I'll ever revoke any > cert (they were issued to expire sometime in 2030).

Re: [openssl-users] 802.1AR certificate generation and the config file

Robert Moskowitz wrote: > On 08/11/2017 02:47 PM, Dr. Stephen Henson wrote: >> On Fri, Aug 11, 2017, Robert Moskowitz wrote: >> >>> I would want the 'openssl req' command to prompt for hwType and >>> hsSerialNum. At least for now. >>> >> Note that you can't get the 'openssl req' command prompt

Re: [openssl-users] 802.1AR certificate generation and the config file

Robert Moskowitz wrote: > I am getting a SAN in the csr e.g.: > > Attributes: > Requested Extensions: > X509v3 Subject Alternative Name: > IP Address:192.168.2.1 > [..] > But I am not getting SAN in the cert. Perhaps I need something for SAN in the >

Re: [openssl-users] Segmentation fault ssl23_connect()

Sanjaya Joshi wrote: > I use openldap_2.3.39 to initiate secure LDAP connection (starttls) to > external LDAP > server. The used openssl version is 1.0.2k. I'm not sure whether OpenSSL 1.0.2k is even usable with this ancient OpenLDAP version. Especially it was set to historic status by the

Re: [openssl-users] Lattice Ciphers

Colony.three via openssl-users wrote: > I've set mine to test this comprehensively. (Apache and NginX)  With > Apache Firefox -ignores- server-prescribed ciphers and chooses an EC.  > NginX does properly prevail with the algo.  Was this an accident, Apache? I'd suggest to read the Apache httpd

Re: [openssl-users] OpenSSL engine and TPM usage.

Michael Richardson wrote: > > Jakob Bohm wrote: > >> I wanted to know when we use engine instance for encyrption/decryption > >> operation, can it be done selectively? > > > Please beware that many TPM chips were recently discovered to contain a > > broken

Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Viktor Dukhovni wrote: >> On Jan 19, 2018, at 10:09 PM, Frank Migge wrote: >> Object 04: X509v3 Extended Key Usage: TLS Web Server Authentication >> >> This is were I would check first. >> >> I am not fully sure, but believe that Extended Key Usage should *not* be >>

Re: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list

On 12/6/18 11:56 PM, Jakob Bohm via openssl-users wrote: > Different levels of certainty is the point. Which never worked well in practice, no matter how hard people tried to clearly define levels if certainty. Ciao, Michael. -- openssl-users mailing list To unsubscribe:

Re: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list

On 12/7/18 11:44 PM, Michael Wojcik wrote: > Homograph attacks combined with phishing would be much cheaper and > easier. Get a DV certificate from Let's Encrypt for anazom.com or > amazom.com, or any of the Unicode homograph possibilies> > Part of the point of EV certificates was supposed to be

Re: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list

On 12/6/18 10:03 AM, Jakob Bohm via openssl-users wrote: > On 05/12/2018 17:59, Viktor Dukhovni wrote: >> IIRC Apple's Safari is ending support for EV, and some say that EV >> has failed, and are not sorry to see it go. > > This is very bad for security.  So far the only real failures have > been:

OpenSSL key agent available?

HI! Does anybody know an engine implementation which delegates private key operations to a running key agent listening on a Unix domain socket? Similar like ssh-agent or gpg-agent but available for applications using OpenSSL API. Ciao, Michael.

Re: Multi-valued RDN in Subject Alternative Name extension

On 6/18/20 9:12 AM, Williams, Gareth wrote: > I can successfully add a multi-value RDN to the Subject of a > certificate request using the + format in the config file: > [..] > However, if I add a SAN to the request: > [..] > the resulting request has them as separate RDNs (as if the + is not >

Re: How to create indirect CRL using openssl ca command

On 3/10/22 14:06, edr dr wrote: I would like to be able to automate the process of updating CRLs in order to be able to keep the CRL validity time short. Understandable. At the same time, I do not want to store passwords used for certificate creation in cleartext anywhere. It's a pity that

Re: Best Practices for private key files handling

On 9/18/22 06:09, Philip Prindeville wrote: On Sep 15, 2022, at 4:27 PM, Michael Wojcik via openssl-users wrote: You still haven't explained your threat model, or what mitigation the application can take if this requirement is violated, or why you think this is a "best practice". > The threat