OpenSSL OCSP Responder used in a CGI Script

2012-12-11 Thread Walter H.
Hello, I have created a self signed root CA certificate, and two other CA certificates, which I signed with this self signed root certificate; these SubCA certificates are used for signing requests; with the root CA I also signed a certificate, for the purpose of OCSP Responder signing;

OpenSSL OCSP Responder used in a CGI Script - I found the bug

2012-12-12 Thread Walter H.
Hello, when using openssl ocsp ... in a CGI script, you must use -noverify, because without it this creates the line Response verify OK; neither >/dev/null nor 2>&1 >file nor 2>&1 >/dev/null lets this line disappear, so this produces either a 500 page, or an invalid OCSP response is sent, which results

Re: OpenSSL OCSP Responder used in a CGI Script - I found the bug

2012-12-14 Thread Walter H.
Dr. Stephen Henson wrote: On Wed, Dec 12, 2012, Walter H. wrote: Hello, when using openssl ocsp ... in a CGI script, you must use -noverify, because without it this creates the line Response verify OK; neither >/dev/null nor 2>&1 >file nor 2>&1 >/dev/null lets this line disappear, so this produces

Re: OpenSSL OCSP Responder used in a CGI Script - I found the bug

2012-12-14 Thread Walter H.
Salz, Rich wrote: neither >/dev/null nor 2>&1 >file nor 2>&1 >/dev/null lets this line disappear. Redirections happen left-to-right. So do this: >/dev/null 2>&1. left-to-right? outer-to-inner, I understand; Or the simpler 2>/dev/null. ok, Thanks, Walter
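Added example for the CGI thread above (my code, not from the posts): a POSIX sh sketch of the kind of CGI wrapper the thread is about, followed by a runnable demonstration of why the order of the two redirections decides whether the "Response verify OK" line escapes. The OCSP_INDEX, OCSP_CA, OCSP_SIGNER, OCSP_KEY and OCSP_LOG variables and the /etc/pki/ca paths are assumptions; the noisy function only imitates the stdout/stderr behaviour of openssl ocsp.

```sh
#!/bin/sh
# Added example for the "OCSP Responder in a CGI script" thread; not from the original posts.

# --- Part 1: the CGI wrapper ---------------------------------------------------
# The OCSP request arrives DER-encoded as the POST body on stdin. After the header,
# the DER response must be the ONLY thing on stdout; anything openssl prints on
# stderr (e.g. "Response verify OK") must go elsewhere or the response is corrupted.
# The OCSP_* variables and default paths are assumptions; point them at your CA files.
ocsp_cgi() {
    printf 'Content-Type: application/ocsp-response\r\n\r\n'
    openssl ocsp \
        -index   "${OCSP_INDEX:-/etc/pki/ca/index.txt}" \
        -CA      "${OCSP_CA:-/etc/pki/ca/subca.pem}" \
        -rsigner "${OCSP_SIGNER:-/etc/pki/ca/ocsp.pem}" \
        -rkey    "${OCSP_KEY:-/etc/pki/ca/ocsp.key}" \
        -reqin /dev/stdin -respout /dev/stdout \
        -noverify 2>>"${OCSP_LOG:-/dev/null}"   # only stderr is diverted; stdout stays the response
}

# --- Part 2: why the order of the redirections matters -------------------------
# noisy imitates openssl ocsp: response bytes on stdout, a status line on stderr.
noisy() { echo "RESPONSE"; echo "Response verify OK" >&2; }

# 2>&1 is applied first and points stderr at the CURRENT stdout; only afterwards is
# stdout moved to /dev/null, so the status line still escapes to the caller.
wrong_order() { noisy 2>&1 >/dev/null; }

# stdout is moved first, then stderr follows it: both streams end up in /dev/null.
right_order() { noisy >/dev/null 2>&1; }

# What a CGI responder actually wants: drop stderr, keep the response on stdout.
keep_response() { noisy 2>/dev/null; }

# Collect everything a helper emits on both streams so the three forms can be compared.
capture() { "$1" 2>&1; }

printf '2>&1 >/dev/null  -> [%s]\n' "$(capture wrong_order)"
printf '>/dev/null 2>&1  -> [%s]\n' "$(capture right_order)"
printf '2>/dev/null      -> [%s]\n' "$(capture keep_response)"
```

Install ocsp_cgi as the script behind the responder URL; the CGI runs with stdin = request body and stdout = HTTP response, so the only legitimate destinations for openssl's diagnostics are a log file or /dev/null.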

Re: Feedback Please: New OpenSSL PKI Tutorial

2012-12-20 Thread Walter H.
Hello, https://pki-tutorial.readthedocs.org/en/latest/cadb.html - Serial number files ... what is the CRL number file? where can I configure this? Thanks, Walter On Mon, December 17, 2012 15:23, Stefan H. Holek wrote: Hi All! I have been working on an OpenSSL PKI tutorial, and the time has

Using OpenSSL in a makefile?

2012-12-31 Thread Walter H.
Hello, why does the following makefile not succeed? all: pckdCRL.zip .SUFFIXES: .SUFFIXES: .text .pem .crl .pem.crl: openssl crl -in $< -outform der -out $@ .pem.text: openssl crl -noout -text -in $< > $@ pckdCRL.zip: rootCRL.pem rootCRL.crl rootCRL.text zip -9 -j pckdCRL.zip

openssl RPM package

2013-01-08 Thread Walter H.
Hello, is there an openssl RPM package with version 0.9.8 or better for CentOS 4.x? (upgrade to CentOS 5.x or 6.x is impossible) Thanks, Walter

Re: OpenSSl / SMIME and header : Disposition-Notification-To

2013-01-15 Thread Walter H.
My config is: OS: centos 6 OpenSSL: openssl-1.0.0-20.el6_2.5.x86_64 My commands are: openssl smime -sign -in myfile -signer mycertif.pem -inkey mykey.pem | openssl smime -out signedfile -from m...@me.me -to t...@to.to -subject mysubject -encrypt -des3 myencryption.pem sendmail

Re: overflow when calling X509_gmtime_adj() on 32-bit systems

2013-02-03 Thread Walter H.
Hi On 02.02.2013 23:55, Alexander Hollerith wrote: The php openssl library implements a function named openssl_csr_sign() and inside that function one can find the following line: X509_gmtime_adj(X509_get_notAfter(new_cert), (long)60*60*24*num_days); This obviously provokes an

Re: Problems creating valid signing certificates

2013-02-06 Thread Walter H.
On Wed, February 6, 2013 23:47, Thomas Koeller wrote: bash-4.0$ openssl verify -x509_strict -CAfile cacert/root_ca.pem -purpose sslserver cacert/host_ca.pem cacert/host_ca.pem: C = DE, ST = Hamburg, O = K\C3\B6ller Family, OU = K\C3\B6ller Family Certification Authority, CN = K\C3\B6ller

id-pda-dateOfBirth in Subject?

2013-02-08 Thread Walter H.
Hello, can someone please tell me the correct syntax and/or give me an example of using NID id-pda-dateOfBirth when requesting a certificate by calling openssl req -config openssl.cnf -new -key cert.key -subj /.../id-pda-dateOfBirth=? -out cert.csr must there be something special in the

x509 certificate conforming to RFC 3739

2013-02-14 Thread Walter H.
Hello, can someone please tell me how to generate a certificate that conforms to http://www.ietf.org/rfc/rfc3739.txt (RFC 3739)? Thanks, Walter

Re: x509 certificate conforming to RFC 3739

2013-02-14 Thread Walter H.
On Fri, February 15, 2013 07:07, Matthew Hall wrote: On Fri, Feb 15, 2013 at 07:03:20AM +0100, Walter H. wrote: Hello, can someone, please tell me, how to generate a certificate that conforms to http://www.ietf.org/rfc/rfc3739.txt (RFC 3739) Thanks, Walter Hi Walter, We could help

Re: x509 certificate conforming to RFC 3739

2013-02-17 Thread Walter H.
On 15.02.2013 07:42, Walter H. wrote: On Fri, February 15, 2013 07:07, Matthew Hall wrote: On Fri, Feb 15, 2013 at 07:03:20AM +0100, Walter H. wrote: Hello, can someone, please tell me, how to generate a certificate that conforms to http://www.ietf.org/rfc/rfc3739.txt (RFC 3739) Thanks

Syntax in extension section of openssl.cnf

2013-02-28 Thread Walter H.
Hello, I have the following: --- name = ASN1:SEQUENCE:section [ section ] value.1 = XXX:text --- what is possible to have instead of XXX? Thanks, Walter

Re: [openssl-users] Syntax in extension section of openssl.cnf

2013-02-28 Thread Walter H.
Thanks, Walter On 28.02.2013 12:03, Erwann Abalea wrote: man asn1parse man ASN1_generate_nconf That should give you some bootstrap information. -- Erwann ABALEA - tridecatabulophobia: the fear of being thirteen at the table On 28/02/2013 11:16, Walter H. wrote: Hello, I have the following

Re: possible Bug in OpenSSL - rfc 3161 - TSA service

2013-03-11 Thread Walter H.
Hello, try this for generating the TSA-reply openssl ts -reply -config openssl.cnf -section tsa_timestamp -queryfile TSA-query -inkey ts.key -signer ts.crt -out TSA-reply where ts.crt and ts.key are the timestamping certificate and private key (without passphrase) and TSA-query is the

Re: possible Bug in OpenSSL - rfc 3161 - TSA service

2013-03-11 Thread Walter H.
Do you think OpenSSL is a game? On 11.03.2013 22:02, kap...@mizera.cz wrote: Thank you, but this thread is about TS from real Certification Authority and problem with attribute certificates. --kapetr On 11.3.2013 21:16, Walter H. wrote: Hello, try this for generating the TSA-reply

Re: possible Bug in OpenSSL - rfc 3161 - TSA service

2013-03-12 Thread Walter H.
Hello, I found the following: http://tsa.postsignum.cz:444 produces the following error, when using this as time stamp server with adobe standard/pro BER decoding error what software do they use? my solution with OpenSSL works ... Greetings, Walter

Re: openssl-user - UTF8 characters in configuration file

2013-03-14 Thread Walter H.
Hello John, I had the same problem; the solution is just: UTF8String or UTF8 and not UTF8STRING Walter On 14.03.2013 17:06, rasmu...@us.ibm.com wrote: I'm using the following configuration file section in an attempt to create a CA with UTF8 characters in subject (and other) fields.

Re: possible Bug in OpenSSL - rfc 3161 - TSA service

2013-03-15 Thread Walter H.
On 13.03.2013 01:19, kap...@mizera.cz wrote: On 12.3.2013 20:36, Walter H. wrote: Hello, I found the following: http://tsa.postsignum.cz:444 do you have account by this TSA ? No. if there is a need to have an account; then this page is not conforming to any RFC - HTTP 400

Re: possible Bug in OpenSSL - rfc 3161 - TSA service

2013-03-16 Thread Walter H.
On 16.03.2013 19:27, kap...@mizera.cz wrote: On 16.3.2013 12:58, Walter H. wrote: Unfortunately not, it is official paid service. But You can make tests on testing TSA: http://www.postsignum.cz/testovaci_casova_razitka.html I don't understand this language; can you tell me the URL

Re: possible Bug in OpenSSL - rfc 3161 - TSA service

2013-03-17 Thread Walter H.
On 17.03.2013 16:37, kap...@mizera.cz wrote: On 16.3.2013 20:58, Walter H. wrote: I tried this with my Adobe Acrobat, and you wouldn't believe it; it doesn't work with Adobe Acrobat either. the error message - I use the German version: Error while creating the signature properties of the

Re: possible Bug in OpenSSL - rfc 3161 - TSA service

2013-03-17 Thread Walter H.
On 17.03.2013 18:48, kap...@mizera.cz wrote: be verified - the same as you had ... OpenSSL and Adobe conform to RFC 3161; but not this TSA ... correct, the error message means, that the received timestamp could not But the discussed TSA postsignum would not exist at all if there would be a

Re: Timestamp for Microsoft Authenticode?

2013-03-19 Thread Walter H.
Hi, thanks for your info; can you please tell me where I can find the postings on this topic that you made in the past? On 19.03.2013 20:07, Jakob Bohm wrote: Won't work (as you saw), this function doesn't take the actual ContentInfo structure as input, but data which it will (mis)treat as

Re: Timestamp for Microsoft Authenticode?

2013-03-25 Thread Walter H.
On 25.03.2013 18:05, Jakob Bohm wrote: This one lacks the data part, it seems to have been generated without the -nodetach option. - myreply02cms-asn1.text This one has the data part, but lacks the signingTime attribute which is the whole point of this exercise. how can I correct this?

Re: 0.9.8 vs 1.0.x

2013-03-26 Thread Walter H.
the major features that 1.0.x supports are openssl ts (http://www.openssl.org/docs/apps/ts.html) openssl cms (http://www.openssl.org/docs/apps/cms.html) Greetings, Walter On 26.03.2013 18:50, Gopakumar Pillai wrote: Hi, Can any one point me to a location where I can find the major

Re: Building on Windows in 64 bit mode

2013-07-08 Thread Walter H.
Hello, look into the .DEF file, there is the information which type of dynamic library should be generated; it is very probable that your .DEF file is for 32-bit only; Walter On 08.07.2013 10:59, Andrew MARLOW wrote: Hello gentlemen, I am trying to build openssl 1.0.1e on

Re: OCSP and self signed

2013-07-30 Thread Walter H.
On 30.07.2013 19:51, Eisenacher, Patrick wrote: I was wondering how the root cert gets revoked. Anyway thanks for posting that request. A self-signed certificate can't be revoked via a crl, because you won't be able to successfully verify its signature. keep in mind, that in case you detect a

Re: OCSP and self signed

2013-07-31 Thread Walter H.
Eisenacher, Patrick wrote: -Original Message- From: Jakob Bohm On 31-07-2013 11:02, Eisenacher, Patrick wrote: -Original Message- From: Jakob Bohm On 30-07-2013 20:53, Walter H. wrote: On 30.07.2013 19:51, Eisenacher, Patrick wrote: Jakob, I don't

Re: OCSP and self signed

2013-07-31 Thread Walter H.
On 31.07.2013 16:47, Jakob Bohm wrote: the only cert that can't be checked by OCSP is the root cert itself; This is where I disagree, can you point me to an actual reason why not, which is not refuted by my logical ABC argument above. the Authority Information Access extension does not make

Re: CA hierarchy / pathlen:0

2013-08-21 Thread Walter H.
Hi, this shouldn't be, because you marked this extension as critical; what is your OpenSSL release? and in case of Linux, which distro (version/release) are you using? Walter On 20.08.2013 20:18, Peter1234 wrote: Hi all, although I issued a certificate for an intermediate CA (CA2) with a

Re: OCSP Requestor behavior when OCSP Respone not received.

2013-09-02 Thread Walter H.
On 02.09.2013 10:33, deepak.kathuria wrote: Hi, I am using openssl OCSP utility as OCSP Responder in linux platform. OCSP Requester sends the OCSP Request to OCSP Responder and if OCSP Responder will not come, then what will be the expected behavior of OCSP Requester in this case? this can be

Version difference

2013-09-06 Thread Walter H.
Hello, can someone please tell me the difference between OpenSSL x.x.x any date and OpenSSL x.x.x-fips any date is there a difference in functionality? is there a difference in legality? what does it tell to me, when openssl version shows fips, and what does it tell, when openssl version

Strange behaviour

2013-10-04 Thread Walter H.
Hello, there exists a self signed root CA certificate (A), one intermediate CA certificate (B), and this intermediate certificate has signed a SSL certificate (C) of a web server; the SSL certificate has in its 'Authority Information Access' extension the URL to the intermediate CA certificate,

Re: Signature did not match the certificate request

2013-10-08 Thread Walter H.
On 08.10.2013 15:00, Rahul Tolani wrote: Actual Subject Property = subject=/CN=B1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\x00 this is just a bug - the \x00 looks like the terminating \0 ... Required Subject Property = subject=/CN=B1C43CD0-1624-5FBB-8E54-34CF17DFD3A1 Greetings, Walter

Re: Strange behaviour

2013-10-08 Thread Walter H.
I thought similar, but it becomes more strange; if the webserver uses a certificate that is signed by a CA with a built-in token, then this needn't be; and in case it is signed by my intermediate certificate, this doesn't help ... Greetings, Walter On 07.10.2013 09:39, Mat Arge wrote:

Re: Signature Algorithm that was disabled because that algorithm is not secure

2013-10-30 Thread Walter H.
Hello, On 30.10.2013 18:17, Marcus Schmitt wrote: I have one problem after I created a root-CA, intermediate-CA and a server certificate. After I configured my apache with the server cert, key and intermediate cert and importing the root-CA to firefox 24 I received the following error when I

Re: Signature Algorithm that was disabled because that algorithm is not secure

2013-10-30 Thread Walter H.
Hello Marcus On 30.10.2013 19:26, Marcus Schmitt wrote: nameopt = default_ca certopt = default_ca what should these lines mean in your openssl.cnf? can you do the following with each of your generated certificates: openssl

SSL/TLS encryption algorithms

2013-11-01 Thread Walter H.
Hello, Which one of the following two is better (1) or (2)? (1) SSL_CIPHER=DHE-RSA-CAMELLIA256-SHA SSL_CIPHER_ALGKEYSIZE=256 SSL_CIPHER_EXPORT=false SSL_CIPHER_USEKEYSIZE=256 SSL_COMPRESS_METHOD=NULL SSL_PROTOCOL=TLSv1 SSL_SECURE_RENEG=true (2) SSL_CIPHER=AES128-SHA256

Re: SSL/TLS encryption algorithms

2013-11-01 Thread Walter H.
Hello, On 01.11.2013 22:34, Viktor Dukhovni wrote: On Fri, Nov 01, 2013 at 09:56:10PM +0100, Walter H. wrote: Which one of the following two is better (1) or (2)? (1) SSL_CIPHER=DHE-RSA-CAMELLIA256-SHA $ openssl ciphers -v DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA256-SHA SSLv3 Kx

Re: SSL/TLS encryption algorithms

2013-11-03 Thread Walter H.
On 01.11.2013 23:12, Viktor Dukhovni wrote: $ openssl ciphers -v DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1 $ openssl ciphers -v AES128-SHA256 AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128)

Re: SSL/TLS encryption algorithms

2013-11-03 Thread Walter H.
On 03.11.2013 18:27, Viktor Dukhovni wrote: On Sun, Nov 03, 2013 at 06:18:38PM +0100, Walter H. wrote: how would I define forward-secrecy on Apache webserver? If the server negotiated both ciphers, it already supports forward-secrecy (aka PFS) if the client does too. What about a browser
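Added example for the cipher-suite thread above (my code, not from the posts): the difference between the two suites Walter compares is the key-exchange column of openssl ciphers -v, and that column is also the quickest way to answer his follow-up about forward secrecy on Apache. The SAMPLE table is constructed in the output format shown in Viktor's replies, not live output; the Apache directives in the trailing comment assume Apache 2.4 mod_ssl.

```sh
#!/bin/sh
# Added example for the "SSL/TLS encryption algorithms" thread; not from the original posts.
# Forward secrecy is decided by the Kx= column of `openssl ciphers -v`: DH and ECDH
# there mean ephemeral (DHE/ECDHE) key exchange, RSA means the premaster secret is
# encrypted to the server's long-term key and every recorded session falls with it.

# Constructed sample in the `openssl ciphers -v` format shown in the thread; not live output.
SAMPLE='DHE-RSA-CAMELLIA256-SHA     SSLv3   Kx=DH   Au=RSA Enc=Camellia(256) Mac=SHA1
AES128-SHA256               TLSv1.2 Kx=RSA  Au=RSA Enc=AES(128)      Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128)   Mac=AEAD'

# Reads `openssl ciphers -v` lines on stdin, prints "<suite> pfs" or "<suite> no-pfs".
classify_pfs() {
    awk '{
        kx = "?"
        for (i = 2; i <= NF; i++) if ($i ~ /^Kx=/) kx = substr($i, 4)
        v = (kx == "DH" || kx == "ECDH") ? "pfs" : "no-pfs"
        print $1, v
    }'
}

# Verdict for one suite name, looked up in the sample table.
pfs_of() { printf '%s\n' "$SAMPLE" | classify_pfs | awk -v s="$1" '$1 == s { print $2 }'; }

# Live variant: the suites of a cipher string that give forward secrecy on this host.
# Needs the openssl binary. TLS 1.3 suites print Kx=any and always use ephemeral
# exchange, so they are simply not covered by this pre-1.3 check.
pfs_suites() { openssl ciphers -v "${1:-ALL}" | classify_pfs | awk '$2 == "pfs" { print $1 }'; }

# Apache 2.4 mod_ssl settings that make the server pick such suites first (assumed
# directive names; adjust the cipher string to what pfs_suites shows on your build):
#   SSLCipherSuite      ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:!aNULL:!MD5:!RC4
#   SSLHonorCipherOrder on

printf '%s\n' "$SAMPLE" | classify_pfs
```

Of the two suites in the question, DHE-RSA-CAMELLIA256-SHA is the one with forward secrecy; AES128-SHA256 has the newer HMAC but static RSA key exchange, which is exactly what the classifier flags.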

Re: Multi-level certificate chains

2013-11-12 Thread Walter H.
On Tue, November 12, 2013 05:47, Alan Jakimiuk wrote: Is there a way I can make all three linked? this should be the default. i.e. Cert A -> Cert B -> Cert C in the certification path? Any help would be appreciated can you view the certificates? openssl x509 -noout -text -in certfile you should

Re: Error 18: self signed certificate

2013-11-15 Thread Walter H.
Windows has its own System wide certificate store; look at certmgr.msc keep in mind, that some applications have their own store e.g. Mozilla ThunderBird, Mozilla FireFox and some other can use this system wide certificate store e.g. Adobe Reader/Pro/Std Walter On 15.11.2013 09:57, Manoj

Re: Verification of a x509 certificate signature

2013-11-28 Thread Walter H.
Hi, On Wed, November 27, 2013 16:02, Dereck Hurtubise wrote: X509v3 Extended Key Usage: Trust Root what is this strange? 'Trust Root' as Extended Key Usage?

Re: Verification of a x509 certificate signature

2013-11-28 Thread Walter H.
the ASN.1 dump of this certificate ... 0 470: SEQUENCE { 4 319: SEQUENCE { 8 3: [0] { 10 1: INTEGER 2 : } 13 5: INTEGER 00 D6 2D F4 34 20 13: SEQUENCE { 22 9: OBJECT IDENTIFIER sha1WithRSAEncryption (1 2 840 113549 1 1 5) 33 0:

Squid - Proxy certificate

2013-12-05 Thread Walter H.
Hello, can someone give me an example of the certificate, that is used here: http_port 3128 ssl-bump cert=/etc/squid/cert/cert.pem I'm using the latest CentOS release (6.5) with squid 3.1.10 I generated one with this: openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -subj

Somewhat conflicting configuration and strange behaviour (was: SELinux prevents running squid 3.3.11 on CentOS 6.5)

2013-12-11 Thread Walter H.
/2011/05/10/build-selinux-policy-for-your-next-daemon-part-1/ I hope it helps. Eliezer On 08/12/13 22:34, Walter H. wrote: Hello, I have the ident problem as here: http://comments.gmane.org/gmane.comp.web.squid.general/99601 SELinux=enforcing prevents running squid ... my system: a CentOS

Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-13 Thread Walter H.
On 12.12.2013 14:16, Erwann Abalea wrote: It's not strange. You removed the RSA-* from client side, the result is that the server can't match anything in common between what the client proposed and what the server accepts. The error you get has been sent by the server. The server is capable

Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-13 Thread Walter H.
On 13.12.2013 21:16, andrew cooke wrote: well, i realised i couldn't answer the question seriously... what is ECDHE-ECDSA-3DES-EDE-SHA ? the only reference i can find on the web is to google chrome and firefox accepting it (a grep of openssl 1.0.1e fails to find it). does any server actually

Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-14 Thread Walter H.
On 14.12.2013 00:00, Dr. Stephen Henson wrote: How are you disabling RSA key exchange? by setting all ciphers beginning with RSA to no in FF If you disable RSA for authentication too you'll hit problems if you don't have a non-RSA certificate. So for example: ECDHE-ECDSA-3DES-EDE-SHA needs

Re: A small note on Windows 8 GetVersion() depreciation

2014-01-09 Thread Walter H.
On 09.01.2014 19:48, Watson, Patrick wrote: I'd recommend using VerifyVersionInfo: http://msdn.microsoft.com/en-us/library/windows/desktop/ms725492(v=vs.85).aspx. It's supported from Win2k onward and isn't deprecated as of Win 8.1. I don't remember for sure if it's present in Windows CE and

Re: Extended Validation OIDS

2014-02-07 Thread Walter H.
On 07.02.2014 21:04, Tom Pfeifer wrote: ...which are required for Extended Validation (EV) certificates. I'm currently using openSSL 1.0.1e-fips on Fedora 20, and I have these OIDs specified in the [new_oids] section in openssl.cnf like this:

Quite a funny and strange behaviour

2014-02-20 Thread Walter H.
Hello, it is already solved, but I just want to tell others; I have two VMs, one with an older CentOS 4.x and one with a new CentOS 6.5 both run Postfix as MTA; both have configured a smarthost; the smarthost allows STARTTLS and has a certificate, that is issued by AlphaSSL; the Authority

Re: Quite a funny and strange behaviour

2014-02-20 Thread Walter H.
On 20.02.2014 17:57, Viktor Dukhovni wrote: On Thu, Feb 20, 2014 at 11:26:20AM +0100, Walter H. wrote: the older CentOS 4.x has in its ca-bundle.crt a root certificate that expired at the end of last month (on Jan. 28th, 2014), also attached (rootexpired.txt), no other valid root certificate

Re: Extend SSL Certificate

2014-03-09 Thread Walter H.
On 09.03.2014 14:39, Michael Post wrote: last year i created my keys, certs and so on with the following steps for an openvpn server: the only certificate that is still valid is your self signed ca certificate; # Serverside openssl req -new -x509 -newkey rsa:2048 -keyout

Re: OpenSSL PKI Tutorial updated

2014-03-27 Thread Walter H.
Hello, On Thu, March 27, 2014 10:47, Stefan H. Holek wrote: 3. Is there a reason to not set a pathLen in the basicConstraints section of the Root CA's (to 1, to allow a maximum of one layer of CA's below the Root), but to do so on the Intermediate CA's? Pathlen is not used on root CA certs.

Re: OpenSSL Security Advisory

2014-04-11 Thread Walter H.
On 10.04.2014 13:16, Rob Stradling wrote: On 09/04/14 20:43, Salz, Rich wrote: Can you please post a good and a bad server example. I have tested a lot of servers, including 'akamai.com', and they all show HEARTBEATING at the end: Look at Victor's recent post about how to patch

Re: Increment certificate serial numbers randomly

2014-04-27 Thread Walter H.
On 26.04.2014 05:52, csa321 wrote: We've generated our own CA for self-signing certificates. The issue is that we package up the openssl install for installation on multiple servers. Therefore, the root CA we create is part of the package as well. the private key of the root CA should

Re: Increment certificate serial numbers randomly

2014-04-29 Thread Walter H.
On 29.04.2014 20:15, Jakob Bohm wrote: I seem to (vaguely) recall that there was once an option or standard for using a certificate-contents-related hash as the serial number, but I can't seem to find it right now. Hi, could you please try to find this; I would be interested in such - a way

Re: Increment certificate serial numbers randomly

2014-04-29 Thread Walter H.
On 29.04.2014 21:38, d...@deadhat.com wrote: This all seems unnecessarily complex. Make the serial number a 256 bit or greater true random number. There will be no collisions. the serial number has maximum length ..., 256 bit is quite too big ..

Re: Increment certificate serial numbers randomly

2014-04-30 Thread Walter H.
On 30.04.2014 03:57, Nikolay Elenkov wrote: What hasn't been suggested is giving each server, etc. its own sub-CA signed by the root. Then there won't be a need to have the root key at multiple places and not problems with serial. Additionally, clients will only have to install and trust the

Re: Increment certificate serial numbers randomly

2014-04-30 Thread Walter H.
On 29.04.2014 22:32, Tim Hudson wrote: On 30/04/2014 6:05 AM, Walter H. wrote: On 29.04.2014 21:38, d...@deadhat.com mailto:d...@deadhat.com wrote: This all seems unnecessarily complex. Make the serial number a 256 bit or greater true random number. There will be no collisions. the serial
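Added example for the serial-number thread above (my code, not from the posts): what "the serial number has maximum length" means in practice and how to generate a random serial that satisfies it. RFC 5280 section 4.1.2.2 requires a positive INTEGER of at most 20 octets, and the CA/Browser Forum baseline requires at least 64 bits of CSPRNG output; the 16-byte size chosen here and the use of /dev/urandom are my assumptions.

```sh
#!/bin/sh
# Added example for the "Increment certificate serial numbers randomly" thread; not from the posts.
# RFC 5280 4.1.2.2: serialNumber is a positive INTEGER and conforming CAs MUST NOT use
# values longer than 20 octets. The CA/Browser Forum baseline additionally demands at
# least 64 bits of CSPRNG output. A 256-bit value therefore cannot be used; a random
# 128-bit value with its top bit cleared satisfies both rules with room to spare.

SERIAL_BYTES=16   # assumption: 128 bits, above the 64-bit floor and under 20 octets

# Print a fresh serial as lowercase hex, the form openssl's serial file and
# `openssl x509 -set_serial 0x...` accept. The top bit of the first byte is cleared
# so the DER INTEGER is positive without growing by a leading 0x00 pad octet.
gen_serial() {
    hex=$(od -An -N"$SERIAL_BYTES" -tx1 /dev/urandom | tr -d ' \n')
    first=$(printf '%s' "$hex" | cut -c1)
    masked=$(( 0x$first & 7 ))          # first nibble 8..f -> 0..7
    printf '%x%s\n' "$masked" "${hex#?}"
}

# Returns 0 if the hex string is a usable certificate serial number, 1 otherwise.
serial_ok() {
    s=$1
    case $s in
        ''|*[!0-9a-fA-F]*) return 1 ;;              # empty or not hexadecimal
    esac
    [ $(( ${#s} % 2 )) -eq 0 ] || return 1          # whole octets only
    [ ${#s} -le 40 ] || return 1                    # at most 20 octets
    case $s in
        [89a-fA-F]*) return 1 ;;                    # top bit set: negative, or 21 octets once padded
    esac
    case $s in
        *[1-9a-fA-F]*) return 0 ;;                  # at least one non-zero digit
    esac
    return 1                                        # all zero: not positive
}

gen_serial
```

Write the generated value into the CA's serial file before `openssl ca`, or pass it with `openssl x509 -set_serial 0x$(gen_serial)`; serial_ok is the check to run on serials that arrive from elsewhere, for example the 256-bit proposal in the thread, which it rejects on length alone.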

Re: Verification of a certificate chain

2014-05-27 Thread Walter H.
Hello, On Tue, May 27, 2014 15:44, Sven Reissmann wrote: Hi, I'm having a comprehension question on certificate verification. Having a trustchain like this: rootCA - subCA - subCA2 I can verify the subCA2 certificate using the command: openssl verify -CAfile rootCA.pem -untrusted

x509v3 Extension: X509v3 Name Constraints?

2014-07-17 Thread Walter H.
Hello, does anybody know what to write in the extension config to get this X509v3 Name Constraints as the attached certificate (intel-ca.pem, intel-ca.text)? Thanks. -- Greetings, Walter -BEGIN CERTIFICATE- MIIJWTCCCEGgAwIBAgIQeRdKqRQXNv4Vp8qfLP9FiDANBgkqhkiG9w0BAQUFADBv

ECDSA Certificate

2014-08-10 Thread Walter H.
On 08.08.2014 02:11, Dr. Stephen Henson wrote: Well maybe, maybe not. Just because a ciphersuite is included in the cipherlist doesn't mean it is included or could be selected. For example if you set a ciphersuite which uses ECDSA authentication it wont be selected if the server doesn't include

Re: ECDSA Certificate

2014-08-10 Thread Walter H.
haven't configured any of those ... Is the second server on not-very-recent RedHat or CentOS? Yes, it is a CentOS 6.5 *From:*owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] *On Behalf Of *Walter H. *Sent:* Sunday, August 10, 2014 02:39 *To:* openssl-users@openssl.org

Re: Case-sensitive cipher names are a bad idea

2014-08-15 Thread Walter H.
Hello On 15.08.2014 17:43, Salz, Rich wrote: Does ANYONE think that case-sensitive cipher names are good idea? this is a bad idea; or can you explain the difference between tlsv1:rc4-md5 and TLSV1:RC4-MD5? Someone who types TLSV1:RC4-MD5 will find things working, but is likely to be

Re: 1.0.1j on Windows32 shows error C2027: use of undefined type 'in6_addr'

2014-11-05 Thread Walter H.
On 05.11.2014 18:47, neil carter wrote: I'm trying to install the 1.0.1j version on a Windows 2003 server (32-bit), with MS Visual Studio 6.0, nasm 2.11.05, and ActiveState perl v5.16.3. Steps involved include running the VCVARS21.BAT script, ' perl Configure VC-WIN32

Re: 1.0.1j on Windows32 shows error C2027: use of undefined type 'in6_addr'

2014-11-05 Thread Walter H.
On 05.11.2014 19:27, neil carter wrote: Sorry, typo - s/b 'VCVARS32.bat' So are you implying that MS Visual Studio 6.0 might be the issue in that it might not have built-in code with IPv6 headers? yes, definitely WINSOCK2.H contains this: /* * Constants and structures defined by the

Re: [openssl-users] Freeze to mailing list memberships

2014-12-05 Thread Walter H.
On 05.12.2014 21:46, Kurt Roeckx wrote: On Fri, Dec 05, 2014 at 07:34:13PM +, TJ wrote: On 26/11/14 02:05, Salz, Rich wrote: We will soon be freezing the mailing list memberships for a couple of days. We are moving to a new server and upgrading the mail infrastructure Are you aware that

Re: [openssl-users] Freeze to mailing list memberships

2014-12-06 Thread Walter H.
On 05.12.2014 23:08, Kurt Roeckx wrote: On Fri, Dec 05, 2014 at 02:50:00PM -0700, Philip Prindeville wrote: On Dec 5, 2014, at 1:57 PM, Walter H.walte...@mathemainzel.info wrote: On 05.12.2014 21:46, Kurt Roeckx wrote: On Fri, Dec 05, 2014 at 07:34:13PM +, TJ wrote: On 26/11/14 02:05,

Re: [openssl-users] Problems verifying OCSP signatures

2015-01-03 Thread Walter H.
On 03.01.2015 18:16, Richard Moore wrote: I've now got this working, though to do so I seem to have to take the certificates supplied in the OCSP response directly out of the certs field of the OCSP_BASICRESP and add these as intermediates for the verification too. It feels bad to directly

[openssl-users] Strange behaviour with Chrome (client OS = WinXP x64) ...

2015-02-01 Thread Walter H.
the mentioned error above, when activating this mentioned policy? the question to squid specialists: was it a good idea signing the SSL-bump CA certificate with the root certificate of my CA? Thanks -- Best regards, Walter H.

Re: [openssl-users] base64 decode in C

2015-03-18 Thread Walter H.
Hi, before calling this function, remove any whitespace; Walter

Re: [openssl-users] base64 decode in C

2015-03-18 Thread Walter H.
On 18.03.2015 16:08, Prashant Bapat wrote: printf(Base64 decoded string is : %s\n, b64_decode(str, strlen(str))); // This should print binary for a ssh key. not really, because the return of b64_decode is not a C string; and the format specifier %s expects a C string;

[openssl-users] S/MIME Mails signed with SHA256 certificate and/or SHA256 Hash

2015-06-26 Thread Walter H.
Hello, has anybody got a reliable source or knowledge about which mail clients - especially which Thunderbird release - should be capable of verifying such mails correctly? this openssl smime -verify -CAfile trusted.crt -in mail.eml successfully verifies such an e-Mail; Thanks, Walter --

Re: [openssl-users] Certificate serialnumber?

2015-07-05 Thread Walter H.
On 05.07.2015 14:19, David Thompson wrote: Quoting the man page for req(1) -- although depending on the packaging which I don't know for CentOS it may be a different section like 1s or 1ssl -- and also on the web https://www.openssl.org/docs/apps/req.html -x509 this option outputs a self

[openssl-users] Certificate serialnumber?

2015-07-05 Thread Walter H.
Hello, I'm using openssl command-line in a Linux-Box (CentOS 6.x with squid) like this: I haven't defined anything - everything is set default from the linux distribution openssl req -new -newkey rsa:2048 -subj '/CN=Squid SSL-Bump CA/C=/O=/OU=/' -sha256 -days 365 -nodes -x509 -keyout

[openssl-users] DH parameters [was: Vulnerability logjam downgrades TLS connections to 512 Bit]

2015-05-22 Thread Walter H.
Hello On 22.05.2015 08:30, Jeffrey Walton wrote: Or are you talking about server certificates with fixed DH parameters? can you please tell me more about this? how do I have to create the certificate request? (using debian 7 latest updates installed: 'apt-get update apt-get upgrade' has

Re: [openssl-users] S/MIME Mails signed with SHA256 certificate and/or SHA256 Hash

2015-06-30 Thread Walter H.
On 29.06.2015 10:48, Jakob Bohm wrote: On 26/06/2015 21:41, Walter H. wrote: Hello, has anybody got a reliable source or knowledge about which mail clients - especially which Thunderbird release - should be capable of verifying such mails correctly? I believe GlobalSign has a knowledge

[openssl-users] Thoughts about security, privacy, ... (was: OCSP_sendreq_bio())

2015-10-29 Thread Walter H.
Hello Jakob, On Thu, October 29, 2015 11:07, Jakob Bohm wrote: > On 28/10/2015 21:58, Walter H. wrote: >> On 28.10.2015 18:34, Jakob Bohm wrote: >>> On 28/10/2015 17:36, Walter H. wrote: >>>>>> OCSP must not be https ... >>>>>> the same with

Re: [openssl-users] OCSP_sendreq_bio()

2015-10-27 Thread Walter H.
On 26.10.2015 21:42, rosect...@yahoo.com wrote: Hi, I need some help on this call. I am building an OCSP client following guide in openssl and compile the code in Cygwin environment. My openssl version is 1.0.1h. With HTTP based OCSP, the code works fine. But, with HTTPs, the code gets

Re: [openssl-users] OCSP_sendreq_bio()

2015-10-28 Thread Walter H.
On 28.10.2015 17:27, Steve Marquess wrote: There are environments where https must be used for OCSP, due to policy fiat and/or firewall restrictions. -Steve M. OCSP works through proxies; there is no reason for having such strange setups ... Walter

Re: [openssl-users] OCSP_sendreq_bio()

2015-10-28 Thread Walter H.
On 28.10.2015 16:44, Jakob Bohm wrote: On 27/10/2015 21:21, Walter H. wrote: On 26.10.2015 21:42, rosect...@yahoo.com wrote: Hi, I need some help on this call. I am building an OCSP client following guide in openssl and compile the code in Cygwin environment. My openssl version is 1.0.1h

Re: [openssl-users] Thoughts about security, privacy, ...

2015-11-01 Thread Walter H.
On 31.10.2015 23:23, Michael Ströder wrote: Walter H. wrote: give me a hint for finding S/MIME certificates, finding my own would be nice; You claim that clear-text OCSP requests are not a privacy issue. yes ..., a security problem I mentioned in connection with stupid CAs some posts before

Re: [openssl-users] Thoughts about security, privacy, ...

2015-11-01 Thread Walter H.
On 01.11.2015 10:25, Matt Caswell wrote: CT is the answer to a big problem. I fail to see that CAs deploying CT is a problem. I also don't see why only a CA can do this. There might be some adversaries that are perfectly capable of building large databases of certificates that they have

Re: [openssl-users] Thoughts about security, privacy, ...

2015-10-30 Thread Walter H.
On 30.10.2015 21:42, Michael Ströder wrote: Walter H. wrote: On Thu, October 29, 2015 11:07, Jakob Bohm wrote: She (Eve) would know that the requesting party Alice was talking to Bob at the very moment she sent Trent the OCSP *request* for Bob's certificate. [...] equivalent of having (almost

Re: [openssl-users] How do I configure my Certification Authority to pay attention to Subject Alternate Names

2015-11-03 Thread Walter H.
On 03.11.2015 14:46, John Lewis wrote: I created a local certification authority using this tutorial https://www.debian-administration.org/article/284/Creating_and_Using_a_self_signed__SSL_Certificates_in_debian and made a certification request using this tutorial and I use this tutorial to

Re: [openssl-users] How do I configure my Certification Authority to pay attention to Subject Alternate Names

2015-11-04 Thread Walter H.
On 04.11.2015 16:13, Ben Humpert wrote: Oh crappy Gmail stop creating broken links ... openssl.cnf is at https://drive.google.com/file/d/0B8gf20AKtya0VEhGYm82YUhraDQ/view?usp=sharing reqs/client_sample.cnf is at https://drive.google.com/file/d/0B8gf20AKtya0QWNIbjY0WUtLVEk/view?usp=sharing

Re: [openssl-users] How do I configure my Certification Authority to pay attention to Subject Alternate Names

2015-11-03 Thread Walter H.
On 03.11.2015 18:45, John Lewis wrote: On 11/03/2015 12:04 PM, Walter H. wrote: On 03.11.2015 14:46, John Lewis wrote: I created a local certification authority using this tutorial https://www.debian-administration.org/article/284/Creating_and_Using_a_self_signed__SSL_Certificates_in_debian
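Added example for the Subject Alternative Name thread above, which also covers the Name Constraints question from July 2014 and the CRL number file asked about in December 2012 (my configuration fragment, not the one from any of the posts). The section names ca_default, policy_any, server_ext, req_dn, req_san and subca_ext, the /etc/pki/ca layout and the example.com names are assumptions; the option names are those of openssl.cnf as documented in the ca(1), req(1) and x509v3_config(5) manual pages.

```ini
# openssl.cnf fragment, added as an example; not the configuration from the thread.
# Section names, paths and domain names are assumed.

[ ca ]
default_ca = ca_default

[ ca_default ]
dir              = /etc/pki/ca          # assumed layout
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber       # the "CRL number file": holds the next CRL number, hex, as for serial
certificate      = $dir/ca.pem
private_key      = $dir/private/ca.key
default_md       = sha256
policy           = policy_any
x509_extensions  = server_ext
# Without this line `openssl ca` silently drops every extension carried in the CSR,
# subjectAltName included, which is the symptom the thread describes. "copy" keeps the
# CSR's extensions that the selected extension section does not already set; "copyall"
# lets the CSR override even those, so do not use it for requests you did not create.
copy_extensions  = copy

[ policy_any ]
commonName             = supplied
countryName            = optional
organizationName       = optional
organizationalUnitName = optional

# Extensions the CA applies to end-entity certificates. Because copy_extensions is on,
# everything that must never be chosen by the requester is pinned here, so a CSR
# cannot smuggle in CA:TRUE or a different keyUsage; only subjectAltName comes from it.
[ server_ext ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer

# Request side: `openssl req -new -config openssl.cnf -reqexts req_san -key srv.key -out srv.csr`
[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name

[ req_san ]
subjectAltName = DNS:www.example.com, DNS:example.com, IP:192.0.2.10

# Intermediate-CA profile with the Name Constraints from the July 2014 question:
# the sub-CA may only issue for example.com and its subdomains and for mailboxes at
# example.com, and for no IP address at all (the two zero-masked ranges cover v4 and v6).
# Issue with `openssl ca -config openssl.cnf -extensions subca_ext -in subca.csr`.
[ subca_ext ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
nameConstraints        = critical, permitted;DNS:example.com, permitted;email:example.com, excluded;IP:0.0.0.0/0.0.0.0, excluded;IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
```

Check the result with openssl x509 -noout -text -in srv.pem; the X509v3 Subject Alternative Name block appears only when copy_extensions is set, and openssl verify (as well as browsers) enforces the Name Constraints of the intermediate against every name in a leaf it issued.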

Re: [openssl-users] Problem checking certificate with OCSP

2015-10-15 Thread Walter H.
On 5.10.2015 17:11, Dr. Stephen Henson wrote: On Mon, Oct 05, 2015, Walter H. wrote: Hello, attached is the certificate and its chain of https://revoked.grc.com/ doing this: openssl ocsp -no_nonce -issuer chain.pem -cert cert.pem -text -url http://ocsp2.globalsign.com/gsdomainvalg2 gives

[openssl-users] Problems with openssl verify -crl_check ...

2015-10-20 Thread Walter H.
Hello, openssl verify -CAfile root.pem -untrusted issuer.pem srvr.pem gives this output srvr.pem: OK but openssl verify -CAfile root.pem -crl_check -untrusted issuer.pem srvr.pem gives this: srvr.pem: C = US, OU = Domain Control Validated, CN = revoked.grc.com error 3 at 0 depth lookup:unable

[openssl-users] Problem checking certificate with OCSP

2015-10-05 Thread Walter H.
Hello, attached is the certificate and its chain of https://revoked.grc.com/ doing this: openssl ocsp -no_nonce -issuer chain.pem -cert cert.pem -text -url http://ocsp2.globalsign.com/gsdomainvalg2 gives the following: OCSP Request Data: Version: 1 (0x0) Requestor List:

[openssl-users] CA design question?

2015-12-05 Thread Walter H.
Hello, my website has an official SSL certificate, which I renewed this year to have a SHA-256 certificate; when I test my site with SSLLabs.com, I'm shown two certificate paths: the first one: my SSL cert (SHA-256) sent by server (SHA1 Fingerprint: 0fae9fd23852fb834fe4f32d7d3c73714daa6aa9)

Re: [openssl-users] CA design question?

2015-12-05 Thread Walter H.
On 05.12.2015 20:20, Viktor Dukhovni wrote: On Sat, Dec 05, 2015 at 07:55:50PM +0100, Walter H. wrote: my website has an official SSL certificate, which I renewed this year to have a SHA-256 certificate; when I test my site with SSLLabs.com, I'm shown two certificate paths: the first one: my

Re: [openssl-users] How can I set up a bundle of commercial root CA certificates? (FAQ 16)

2015-12-13 Thread Walter H.
On 13.12.2015 11:34, Ben Humpert wrote: 2015-12-13 3:53 GMT+01:00 Viktor Dukhovni: In other words, you can concatenate all the trusted root CA certs into the "cert.pem" file in that directory, but this has a performance cost, as all the certificates are loaded into

Re: [openssl-users] OCSP service dependant on time valid CRLs

2015-12-10 Thread Walter H.
Hi Dan, On 10.12.2015 16:27, daniel bryan wrote: *TEST #2: *Next test was using OCSP: [dan@canttouchthis PKI]$ openssl ocsp -CAfile CAS/cabundle.pem -VAfile VAS/def_ocsp.pem -issuer CAS/IC\ ABC\ CA3\ DEV.cer -cert CERTS/0x500c8bd-revoked.pem -url http://ocspresponder:8080 /Response verify

Re: [openssl-users] regarding ssl_server test

2016-05-26 Thread Walter H.
On 26.05.2016 18:33, R-D intern wrote: Hello, I have implemented ssl for my internal server that listens over a private ip. Can anyone suggest how can I test my ssl_server? For eg. Qualys test shows the amount of ssl implementation of a server listening over public ip and even checks
