Hello,
I have created a self signed root CA certificate, and two other CA
certificates, that I signed with this self signed root certificate;
and these SubCA certificates are used for signing requests;
with the root CA I signed also a certificate, with the purpose of
signing OCSP Responder;
Hello,
when using
openssl ocsp ...
in a CGI script, you must use -noverify
because without, this creates the line
Response verify OK
neither >/dev/null nor 2>&1 >file nor 2>&1 >/dev/null, let this line
disappear
so this shoots either a 500 page or an invalid OCSP response is sent,
which results
Dr. Stephen Henson wrote:
On Wed, Dec 12, 2012, Walter H. wrote:
Hello,
when using
openssl ocsp ...
in a CGI script, you must use -noverify
because without, this creates the line
Response verify OK
neither >/dev/null nor 2>&1 >file nor 2>&1 >/dev/null, let this line
disappear
so this shoots
Salz, Rich wrote:
neither >/dev/null nor 2>&1 >file nor 2>&1 >/dev/null, let this line
disappear
Redirections happen left-to-right. So do this:
>/dev/null 2>&1
left-to-right? outer-to-inner, I understand;
Or the simpler
2>/dev/nul
ok
Thanks,
Walter
Hello,
https://pki-tutorial.readthedocs.org/en/latest/cadb.html
- Serial number files ...
what is the CRL number file?
where can I configure this?
Thanks,
Walter
On Mon, December 17, 2012 15:23, Stefan H. Holek wrote:
Hi All!
I have been working on an OpenSSL PKI tutorial, and the time has
Hello,
why does the following makefile not succeed?
all: pckdCRL.zip
.SUFFIXES:
.SUFFIXES: .text .pem .crl
.pem.crl:
openssl crl -in $< -outform der -out $@
.pem.text:
openssl crl -noout -text -in $< >$@
pckdCRL.zip: rootCRL.pem rootCRL.crl rootCRL.text
zip -9 -j pckdCRL.zip
Hello,
is there an openssl RPM package with version 0.9.8 or better for CentOS 4.x?
(upgrade to CentOS 5.x or 6.x is impossible)
Thanks,
Walter
smime.p7s
Description: S/MIME Cryptographic Signature
My config is :
OS : centos 6
OpenSSL : openssl-1.0.0-20.el6_2.5.x86_64
My commands are :
openssl smime -sign -in myfile -signer mycertif.pem -inkey mykey.pem |
openssl smime -out signedfile -from m...@me.me -to t...@to.to -subject
mysubject -encrypt -des3 myencryption.pem
sendmail
Hi
On 02.02.2013 23:55, Alexander Hollerith wrote:
The php openssl library implements a function named openssl_csr_sign() and
inside that function one can find the following line:
X509_gmtime_adj(X509_get_notAfter(new_cert), (long)60*60*24*num_days);
This obviously provokes an
On Wed, February 6, 2013 23:47, Thomas Koeller wrote:
bash-4.0$ openssl verify -x509_strict -CAfile cacert/root_ca.pem -purpose
sslserver cacert/host_ca.pem
cacert/host_ca.pem: C = DE, ST = Hamburg, O = K\C3\B6ller Family, OU =
K\C3\B6ller Family Certification Authority, CN = K\C3\B6ller
Hello,
can someone please tell me the correct syntax and/or give me an example of
using NID id-pda-dateOfBirth
when requesting a certificate by calling
openssl req -config openssl.cnf -new -key cert.key -subj
/.../id-pda-dateOfBirth=? -out cert.csr
must there be something special in the
Hello,
can someone, please tell me, how to generate a certificate
that conforms to http://www.ietf.org/rfc/rfc3739.txt (RFC 3739)
Thanks,
Walter
__
OpenSSL Project http://www.openssl.org
User
On Fri, February 15, 2013 07:07, Matthew Hall wrote:
On Fri, Feb 15, 2013 at 07:03:20AM +0100, Walter H. wrote:
Hello,
can someone, please tell me, how to generate a certificate
that conforms to http://www.ietf.org/rfc/rfc3739.txt (RFC 3739)
Thanks,
Walter
Hi Walter,
We could help
On 15.02.2013 07:42, Walter H. wrote:
On Fri, February 15, 2013 07:07, Matthew Hall wrote:
On Fri, Feb 15, 2013 at 07:03:20AM +0100, Walter H. wrote:
Hello,
can someone, please tell me, how to generate a certificate
that conforms to http://www.ietf.org/rfc/rfc3739.txt (RFC 3739)
Thanks
Hello,
I have the following:
---
name = ASN1:SEQUENCE:section
[ section ]
value.1 = XXX:text
---
what is possible to have instead of XXX?
Thanks,
Walter
Thanks,
Walter
On 28.02.2013 12:03, Erwann Abalea wrote:
man asn1parse
man ASN1_generate_nconf
That should give you some bootstrap information.
--
Erwann ABALEA
-
tridecatabulophobia: fear of being thirteen at the table
On 28/02/2013 11:16, Walter H. wrote:
Hello,
I have the following
Hello,
try this for generating the TSA-reply
openssl ts -reply -config openssl.cnf -section tsa_timestamp -queryfile
TSA-query -inkey ts.key -signer ts.crt -out TSA-reply
where ts.crt and ts.key are the timestamping certificate and private key
(without passphrase)
and TSA-query is the
Do you think OpenSSL is a game?
On 11.03.2013 22:02, kap...@mizera.cz wrote:
Thank you,
but this thread is about TS from real Certification Authority and
problem with attribute certificates.
--kapetr
On 11.3.2013 21:16, Walter H. wrote:
Hello,
try this for generating the TSA-reply
Hello,
I found the following:
http://tsa.postsignum.cz:444
produces the following error, when using this as time stamp server with
adobe standard/pro
BER decoding error
what software do they use?
my solution with OpenSSL works ...
Greetings,
Walter
Hello John,
I had the same problem; the solution is just:
UTF8String or UTF8 and not UTF8STRING
Walter
On 14.03.2013 17:06, rasmu...@us.ibm.com wrote:
I'm using the following configuration file section in an attempt to
create a CA with UTF8 characters in subject (and other) fields.
On 13.03.2013 01:19, kap...@mizera.cz wrote:
On 12.3.2013 20:36, Walter H. wrote:
Hello,
I found the following:
http://tsa.postsignum.cz:444
do you have account by this TSA ?
No.
if there is a need to have an account; then this page is not conforming
to any RFC - HTTP 400
On 16.03.2013 19:27, kap...@mizera.cz wrote:
On 16.3.2013 12:58, Walter H. wrote:
Unfortunately not, it is official paid service.
But You can make tests on testing TSA:
http://www.postsignum.cz/testovaci_casova_razitka.html
I don't understand this language; can you tell me the URL
On 17.03.2013 16:37, kap...@mizera.cz wrote:
On 16.3.2013 20:58, Walter H. wrote:
I tried this with my Adobe Acrobat,
and you wouldn't believe it; it doesn't work with Adobe Acrobat, too.
the error message - I use German version:
Fehler beim Erstellen der Unterschriftseigenschaften des
On 17.03.2013 18:48, kap...@mizera.cz wrote:
be verified - the same as you had ...
OpenSSL and Adobe conform to RFC 3161;
but not this TSA ...
correct, the error message means, that the received timestamp could not
But the discussed TSA postsignum would not exist at all if there would
be a
Hi,
thanks for your infos
can you please tell me, where I can find your postings to this topic,
you made in the past?
On 19.03.2013 20:07, Jakob Bohm wrote:
Won't work (as you saw), this function doesn't take the actual
ContentInfo structure as input, but data which it will (mis)treat
as
On 25.03.2013 18:05, Jakob Bohm wrote:
This one lacks the data part, it seems to have been generated without
the -nodetach option.
- myreply02cms-asn1.text
This one has the data part, but lacks the signingTime attribute which
is the whole point of this exercise.
how can I correct this?
the major features that 1.0.x supports are
openssl ts (http://www.openssl.org/docs/apps/ts.html)
openssl cms (http://www.openssl.org/docs/apps/cms.html)
Greetings,
Walter
On 26.03.2013 18:50, Gopakumar Pillai wrote:
Hi,
Can any one point me to a location where I can find the major
Hello,
look into the .DEF file, there is the information, which
type of dynamic library should be generated;
it is very probable, that
your .DEF file is for 32-bit only;
Walter
On 08.07.2013 10:59,
Andrew MARLOW wrote:
Hello gentlemen,
I am trying to build
openssl 1.0.1e on
On 30.07.2013 19:51, Eisenacher, Patrick wrote:
I was wondering how the root cert gets revoked. Anyway thanks for posting
that request.
A self-signed certificate can't be revoked via a crl, because you won't be able
to successfully verify its signature.
keep in mind, that in case you detect a
Eisenacher, Patrick wrote:
-Original Message-
From: Jakob Bohm
On 31-07-2013 11:02, Eisenacher, Patrick wrote:
-Original Message-
From: Jakob Bohm
On 30-07-2013 20:53, Walter H. wrote:
On 30.07.2013 19:51, Eisenacher, Patrick wrote:
Jakob, I don't
On 31.07.2013 16:47, Jakob Bohm wrote:
the only cert that can't be checked by OCSP is the root cert itself;
This is where I disagree, can you point me to an actual reason why
not, which is not refuted by my logical ABC argument above.
the Authority Information Access extension does not make
Hi,
this shouldn't be, because you marked this extension as critical;
what is your OpenSSL release?
and in case of Linux, which distro (version/release) are you using?
Walter
On 20.08.2013 20:18, Peter1234 wrote:
Hi all,
although I issued a certificate for an intermediate CA (CA2) with a
On 02.09.2013 10:33, deepak.kathuria wrote:
Hi,
I am using openssl OCSP utility as OCSP Responder in linux platform. OCSP
Requester sends the OCSP Request to OCSP Responder and if OCSP Responder
will not come, then what will be the expected behavior of OCSP Requester in
this case?
this can be
Hello,
can someone please tell me the difference between
OpenSSL x.x.x any date
and
OpenSSL x.x.x-fips any date
is there a difference in functionality?
is there a difference in legality?
what does it tell to me, when
openssl version
shows fips, and what does it tell, when
openssl version
Hello,
there exists a self signed root CA certificate (A)
one intermediate CA certificate (B)
and this intermediate certificate has signed a SSL certificate (C) of a
web server;
the SSL certificate has in its 'Authority Information Access' extension
the URL to the
intermediate CA certificate,
On 08.10.2013 15:00, Rahul Tolani wrote:
Actual Subject Property =
subject=/CN=B1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\x00
this is just a bug - the \x00 looks like the terminating \0 ...
Required Subject Property =
subject=/CN=B1C43CD0-1624-5FBB-8E54-34CF17DFD3A1
Greetings,
Walter
I thought similar, but it becomes more strange;
if the webserver uses a certificate that is signed from a CA with built
in token, then this needn't be;
and in case it is signed from my intermediate certificate, this doesn't
help ...
Greetings,
Walter
On 07.10.2013 09:39, Mat Arge wrote:
Hello,
On 30.10.2013 18:17, Marcus Schmitt wrote:
I have one problem after I created a root-CA, intermediate-CA and a server
certificate. After I configured my apache with the server cert, key and
intermediate cert and importing the root-CA to firefox 24 I received the
following error when I
Hello Marcus
On 30.10.2013 19:26, Marcus Schmitt wrote:
nameopt = default_ca
certopt = default_ca
what should these lines mean in your openssl.cnf?
can you do the following with each of your generated certificates:
openssl
Hello,
Which one of the following two is better (1) or (2)?
(1)
SSL_CIPHER=DHE-RSA-CAMELLIA256-SHA
SSL_CIPHER_ALGKEYSIZE=256
SSL_CIPHER_EXPORT=false
SSL_CIPHER_USEKEYSIZE=256
SSL_COMPRESS_METHOD=NULL
SSL_PROTOCOL=TLSv1
SSL_SECURE_RENEG=true
(2)
SSL_CIPHER=AES128-SHA256
Hello,
On 01.11.2013 22:34, Viktor Dukhovni wrote:
On Fri, Nov 01, 2013 at 09:56:10PM +0100, Walter H. wrote:
Which one of the following two is better (1) or (2)?
(1)
SSL_CIPHER=DHE-RSA-CAMELLIA256-SHA
$ openssl ciphers -v DHE-RSA-CAMELLIA256-SHA
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx
On 01.11.2013 23:12, Viktor Dukhovni wrote:
$ openssl ciphers -v DHE-RSA-CAMELLIA256-SHA
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256)
Mac=SHA1
$ openssl ciphers -v AES128-SHA256
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128)
On 03.11.2013 18:27, Viktor Dukhovni wrote:
On Sun, Nov 03, 2013 at 06:18:38PM +0100, Walter H. wrote:
how would I define forward-secrecy on Apache webserver?
If the server negotiated both ciphers, it already supports
forward-secrecy (aka PFS) if the client does too.
What about a browser
On Tue, November 12, 2013 05:47, Alan Jakimiuk wrote:
Is there a way I can make all three linked?
this should be the default.
ie. Cert A-Cert B-Cert C in the certification path?
Any help would be appreciated
can you view the certificates?
openssl x509 -noout -text -in certfile
you should
Windows has its own System wide certificate store;
look at certmgr.msc
keep in mind, that some applications have their own store
e.g. Mozilla ThunderBird, Mozilla FireFox
and some other can use this system wide certificate store
e.g. Adobe Reader/Pro/Std
Walter
On 15.11.2013 09:57, Manoj
Hi,
On Wed, November 27, 2013 16:02, Dereck Hurtubise wrote:
X509v3 Extended Key Usage:
Trust Root
what is this strange?
'Trust Root' as Extended Key Usage?
the ASN.1 dump of this certificate ...
0 470: SEQUENCE {
4 319: SEQUENCE {
8 3: [0] {
10 1: INTEGER 2
: }
13 5: INTEGER 00 D6 2D F4 34
20 13: SEQUENCE {
22 9: OBJECT IDENTIFIER sha1WithRSAEncryption (1 2 840 113549 1 1 5)
33 0:
Hello,
can someone give me an example of the certificate, that is used here:
http_port 3128 ssl-bump cert=/etc/squid/cert/cert.pem
I'm using the latest CentOS release (6.5) with squid 3.1.10
I generated one with this:
openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -subj
/2011/05/10/build-selinux-policy-for-your-next-daemon-part-1/
I hope it helps.
Eliezer
On 08/12/13 22:34, Walter H. wrote:
Hello,
I have the ident problem as here:
http://comments.gmane.org/gmane.comp.web.squid.general/99601
SELinux=enforcing prevents running squid ...
my system: a CentOS
On 12.12.2013 14:16, Erwann Abalea wrote:
It's not strange.
You removed the RSA-* from client side, the result is that the server
can't match anything in common between what the client proposed and
what the server accepts. The error you get has been sent by the server.
The server is capable
On 13.12.2013 21:16, andrew cooke wrote:
well, i realised i couldn't answer the question seriously... what is
ECDHE-ECDSA-3DES-EDE-SHA ? the only reference i can find on the web is to
google chrome and firefox accepting it (a grep of openssl 1.0.1e fails to find
it). does any server actually
On 14.12.2013 00:00, Dr. Stephen Henson wrote:
How are you disabling RSA key exchange?
by setting all ciphers beginning with RSA to no in FF
If you disable RSA for authentication
too you'll hit problems if you don't have a non-RSA certificate. So for
example: ECDHE-ECDSA-3DES-EDE-SHA needs
On 09.01.2014 19:48, Watson, Patrick wrote:
I'd recommend using VerifyVersionInfo:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms725492(v=vs.85).aspx.
It's supported from Win2k onward and isn't deprecated as of Win 8.1. I don't
remember for sure if it's present in Windows CE and
On 07.02.2014 21:04, Tom Pfeifer wrote:
...which are required for Extended Validation (EV) certificates. I'm
currently using openSSL 1.0.1e-fips on Fedora 20, and I have these OIDs
specified in the [new_oids] section in openssl.cnf like this:
Hello,
it is already solved, but I just want to tell others;
I have two VMs, one with an older CentOS 4.x and one with a new CentOS 6.5
both run Postfix as MTA; both have configured a smarthost;
the smarthost allows STARTTLS and has a certificate, that is
issued by AlphaSSL; the
Authority
On 20.02.2014 17:57, Viktor Dukhovni wrote:
On Thu, Feb 20, 2014 at 11:26:20AM +0100, Walter H. wrote:
the older CentOS 4.x has in its ca-bundle.crt a root certificate that
expired at the end of last month (on Jan. 28th, 2014), also attached
(rootexpired.txt), no other valid root certificate
On 09.03.2014 14:39, Michael Post wrote:
last year i created my keys, certs and so on with the following steps
for an openvpn server:
the only certificate that is still valid is your self signed ca
certificate;
# Serverside
openssl req -new -x509 -newkey rsa:2048 -keyout
Hello,
On Thu, March 27, 2014 10:47, Stefan H. Holek wrote:
3. Is there a reason to not set a pathLen in the basicConstraints
section of the Root CA's (to 1, to allow a maximum of one layer of
CA's below the Root), but to do so on the Intermediate CA's?
Pathlen is not used on root CA certs.
On 10.04.2014 13:16, Rob Stradling wrote:
On 09/04/14 20:43, Salz, Rich wrote:
Can you please post a good and a bad server example. I have
tested a lot of servers, including 'akamai.com', and they all show
HEARTBEATING at the end:
Look at Victor's recent post about how to patch
On 26.04.2014 05:52, csa321 wrote:
We've generated our own CA for self-signing certificates.
The issue is that
we package up the openssl install for installation on multiple servers.
Therefore, the root CA we create is part of the package as well.
the private key of the root CA should
On 29.04.2014 20:15, Jakob Bohm wrote:
I seem to (vaguely) recall that there was once an option or standard for
using a certificate-contents-related hash as the serial number, but I
can't seem to find it right now.
Hi,
could you please try to find this; I would be interested in such - a way
On 29.04.2014 21:38, d...@deadhat.com wrote:
This all seems unnecessarily complex. Make the serial number a 256 bit or
greater true random number. There will be no collisions.
the serial number has maximum length ..., 256 bit is quite too big ..
On 30.04.2014 03:57, Nikolay Elenkov wrote:
What hasn't been suggested is giving each server, etc. its own sub-CA signed by
the root. Then there won't be a need to have the root key at multiple places and
no problems with serial. Additionally, clients will only have to
install and trust
the
On 29.04.2014 22:32, Tim Hudson wrote:
On 30/04/2014 6:05 AM, Walter H. wrote:
On 29.04.2014 21:38, d...@deadhat.com wrote:
This all seems unnecessarily complex. Make the serial number a 256
bit or
greater true random number. There will be no collisions.
the serial
Hello,
On Tue, May 27, 2014 15:44, Sven Reissmann wrote:
Hi,
I'm having a comprehension question on certificate verification.
Having a trustchain like this:
rootCA - subCA - subCA2
I can verify the subCA2 certificate using the command:
openssl verify -CAfile rootCA.pem -untrusted
Hello,
does anybody know what to write in the extension config to get this
X509v3 Name Constraints as the attached certificate (intel-ca.pem,
intel-ca.text)?
Thanks.
--
Greetings,
Walter
-BEGIN CERTIFICATE-
MIIJWTCCCEGgAwIBAgIQeRdKqRQXNv4Vp8qfLP9FiDANBgkqhkiG9w0BAQUFADBv
On 08.08.2014 02:11, Dr. Stephen Henson wrote:
Well maybe, maybe not. Just because a ciphersuite is included in the
cipherlist doesn't mean it is included or could be selected. For example if
you set a ciphersuite which uses ECDSA authentication it won't be selected if
the server doesn't include
haven't configured none of those ...
Is the second server on not-very-recent RedHat or CentOS?
Yes, it is a CentOS 6.5
*From:*owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] *On Behalf Of *Walter H.
*Sent:* Sunday, August 10, 2014 02:39
*To:* openssl-users@openssl.org
Hello
On 15.08.2014 17:43, Salz, Rich wrote:
Does ANYONE think that case-sensitive cipher names are good idea?
this is a bad idea; or can you explain the difference between
tlsv1:rc4-md5 and TLSV1:RC4-MD5?
Someone who types TLSV1:RC4-MD5 will find things working, but is
likely to be
On 05.11.2014 18:47, neil carter wrote:
I'm trying to install the 1.0.1j version on a Windows 2003 server
(32-bit), with MS Visual Studio 6.0, nasm 2.11.05, and ActiveState
perl v5.16.3.
Steps involved include running the VCVARS21.BAT script, ' perl
Configure VC-WIN32
On 05.11.2014 19:27, neil carter wrote:
Sorry, typo - s/b 'VCVARS32.bat'
So are you implying that MS Visual Studio 6.0 might be the issue in
that it might not have built-in code with IPv6 headers?
yes, definitely
WINSOCK2.H contains this:
/*
* Constants and structures defined by the
On 05.12.2014 21:46, Kurt Roeckx wrote:
On Fri, Dec 05, 2014 at 07:34:13PM +, TJ wrote:
On 26/11/14 02:05, Salz, Rich wrote: We will soon be freezing the mailing
list memberships for a couple of days.
We are moving to a new server and upgrading the mail infrastructure
Are you aware that
On 05.12.2014 23:08, Kurt Roeckx wrote:
On Fri, Dec 05, 2014 at 02:50:00PM -0700, Philip Prindeville wrote:
On Dec 5, 2014, at 1:57 PM, Walter H. walte...@mathemainzel.info wrote:
On 05.12.2014 21:46, Kurt Roeckx wrote:
On Fri, Dec 05, 2014 at 07:34:13PM +, TJ wrote:
On 26/11/14 02:05,
On 03.01.2015 18:16, Richard Moore wrote:
I've now got this working, though to do so I seem to have to take the
certificates supplied in the OCSP response directly out of the certs
field of the OCSP_BASICRESP and add these as intermediates for the
verification too. It feels bad to directly
the mentioned error above, when
activating this mentioned policy?
the question to squid specialists: was it a good idea signing the
SSL-bump CA certificate with the root certificate of my CA?
Thanks
--
Best regards,
Walter H.
Hi,
before calling this function,
remove any whitespace;
Walter
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
On 18.03.2015 16:08, Prashant Bapat wrote:
printf("Base64 decoded string is : %s\n", b64_decode(str, strlen(str))); //
This should print binary for a ssh key.
not really, because the return of b64_decode is not a C string; and the
format specifier %s expects a C string;
Hello,
has anybody got a reliable source or knowledge about which
mail clients - especially which Thunderbird release - should be capable
of verifying such mails correctly?
this
openssl smime -verify -CAfile trusted.crt -in mail.eml
successfully verifies such an e-Mail;
Thanks,
Walter
--
On 05.07.2015 14:19, David Thompson wrote:
Quoting the man page for req(1) -- although depending on the packaging
which I don't know for CentOS it may be a different section like 1s or 1ssl --
and also on the web https://www.openssl.org/docs/apps/req.html
-x509
this option outputs a self
Hello,
I'm using openssl command-line in a Linux-Box (CentOS 6.x with squid)
like this:
I haven't defined anything - everything is set default from the linux
distribution
openssl req -new -newkey rsa:2048 -subj '/CN=Squid SSL-Bump
CA/C=/O=/OU=/' -sha256 -days 365 -nodes -x509 -keyout
Hello
On 22.05.2015 08:30, Jeffrey Walton wrote:
Or are you talking about server certificates with fixed DH parameters?
can you please tell me more about this?
how do I have to create the certificate request?
(using debian 7 latest updates installed: 'apt-get update && apt-get
upgrade' has
On 29.06.2015 10:48, Jakob Bohm wrote:
On 26/06/2015 21:41, Walter H. wrote:
Hello,
has anybody got a reliable source or knowledge about which
mail clients - especially which Thunderbird release - should be
capable of verifying such mails correctly?
I believe GlobalSign has a knowledge
Hello Jakob,
On Thu, October 29, 2015 11:07, Jakob Bohm wrote:
> On 28/10/2015 21:58, Walter H. wrote:
>> On 28.10.2015 18:34, Jakob Bohm wrote:
>>> On 28/10/2015 17:36, Walter H. wrote:
>>>>>> OCSP must not be https ...
>>>>>> the same with
On 26.10.2015 21:42, rosect...@yahoo.com wrote:
Hi, I need some help on this call.
I am building an OCSP client following guide in openssl and compile
the code in Cygwin environment. My openssl version is 1.0.1h.
With HTTP based OCSP, the code works fine. But, with HTTPs, the code
gets
On 28.10.2015 17:27, Steve Marquess wrote:
There are environments where https must be used for OCSP, due to policy
fiat and/or firewall restrictions.
-Steve M.
OCSP works through proxies; there is no reason for having such strange
setups ...
Walter
On 28.10.2015 16:44, Jakob Bohm wrote:
On 27/10/2015 21:21, Walter H. wrote:
On 26.10.2015 21:42, rosect...@yahoo.com wrote:
Hi, I need some help on this call.
I am building an OCSP client following guide in openssl and compile
the code in Cygwin environment. My openssl version is 1.0.1h
On 31.10.2015 23:23, Michael Ströder wrote:
Walter H. wrote:
give me a hint for finding S/MIME certificates, finding my own would be nice;
You claim that clear-text OCSP requests are not a privacy issue.
yes ..., a security problem I mentioned in connection with stupid CAs
some posts before
On 01.11.2015 10:25, Matt Caswell wrote:
CT is the answer to a big problem. I fail to see that CAs deploying CT
is a problem. I also don't see why only a CA can do this. There might be
some adversaries that are perfectly capable of building large databases
of certificates that they have
On 30.10.2015 21:42, Michael Ströder wrote:
Walter H. wrote:
On Thu, October 29, 2015 11:07, Jakob Bohm wrote:
She (Eve) would know that the requesting party Alice
was talking to Bob at the very moment she sent Trent
the OCSP *request* for Bob's certificate.
[...] equivalent of having (almost
On 03.11.2015 14:46, John Lewis wrote:
I created a local certification authority using this tutorial
https://www.debian-administration.org/article/284/Creating_and_Using_a_self_signed__SSL_Certificates_in_debian
and made a certification request using this tutorial and I use this
tutorial to
On 04.11.2015 16:13, Ben Humpert wrote:
Oh crappy Gmail stop creating broken links ...
openssl.cnf is at
https://drive.google.com/file/d/0B8gf20AKtya0VEhGYm82YUhraDQ/view?usp=sharing
reqs/client_sample.cnf is at
https://drive.google.com/file/d/0B8gf20AKtya0QWNIbjY0WUtLVEk/view?usp=sharing
On 03.11.2015 18:45, John Lewis wrote:
On 11/03/2015 12:04 PM, Walter H. wrote:
On 03.11.2015 14:46, John Lewis wrote:
I created a local certification authority using this tutorial
https://www.debian-administration.org/article/284/Creating_and_Using_a_self_signed__SSL_Certificates_in_debian
On 5.10.2015 17:11, Dr. Stephen Henson wrote:
On Mon, Oct 05, 2015, Walter H. wrote:
Hello,
attached is the certificate and its chain of https://revoked.grc.com/
doing this:
openssl ocsp -no_nonce -issuer chain.pem -cert cert.pem -text -url
http://ocsp2.globalsign.com/gsdomainvalg2
gives
Hello,
openssl verify -CAfile root.pem -untrusted issuer.pem srvr.pem
gives this output
srvr.pem: OK
but
openssl verify -CAfile root.pem -crl_check -untrusted issuer.pem srvr.pem
gives this:
srvr.pem: C = US, OU = Domain Control Validated, CN = revoked.grc.com
error 3 at 0 depth lookup:unable
Hello,
attached is the certificate and its chain of https://revoked.grc.com/
doing this:
openssl ocsp -no_nonce -issuer chain.pem -cert cert.pem -text -url
http://ocsp2.globalsign.com/gsdomainvalg2
gives the following:
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Hello,
my website has an official SSL certificate, which I renewed this year to
have a SHA-256 certificate;
when I test my site with SSLLabs.com, I'm shown two certificate paths:
the first one:
my SSL cert (SHA-256) sent by server (SHA1 Fingerprint:
0fae9fd23852fb834fe4f32d7d3c73714daa6aa9)
On 05.12.2015 20:20, Viktor Dukhovni wrote:
On Sat, Dec 05, 2015 at 07:55:50PM +0100, Walter H. wrote:
my website has an official SSL certificate, which I renewed this year to
have a SHA-256 certificate;
when I test my site with SSLLabs.com, I'm shown two certificate paths:
the first one:
my
On 13.12.2015 11:34, Ben Humpert wrote:
2015-12-13 3:53 GMT+01:00 Viktor Dukhovni:
In other words, you can concatenate all the trusted root CA
certs into the "cert.pem" file in that directory, but this
has a performance cost, as all the certificates are loaded
into
Hi Dan,
On 10.12.2015 16:27, daniel bryan wrote:
*TEST #2: *Next test was using OCSP:
[dan@canttouchthis PKI]$ openssl ocsp -CAfile CAS/cabundle.pem -VAfile
VAS/def_ocsp.pem -issuer CAS/IC\ ABC\ CA3\ DEV.cer -cert
CERTS/0x500c8bd-revoked.pem -url http://ocspresponder:8080
/Response verify
On 26.05.2016 18:33, R-D intern wrote:
Hello,
I have implemented ssl for my internal server that listens over a
private ip. Can anyone suggest how can I test my ssl_server? For eg. Qualys
test shows the amount of ssl implementation of a server listening over
public ip and even checks
1 - 100 of 118 matches