Re: Is OpenSSL Production Ready?
On 02-04-03 23:04:29 CEST, Harald Koch wrote:
> dbm: style session caching does not work *WITH CLIENT CERTIFICATES*. The client certificate is mangled when it is loaded from the cached session.

It works for me. I've got a web server

    Server: Apache/1.3.17 (Unix) mod_jk mod_ssl/2.8.0 OpenSSL/0.9.6

that requires client certificates and uses

    SSLSessionCache dbm:/usr/local/apache-1.3.17/logs/ssl_scache

and I can navigate around for as long as the SSLSessionCacheTimeout allows. But I remember that I had to compile it myself and use --enable-rule=SSL_SDBM because of the standard dbm implementation's limitation.

rj
__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Problem with string type for CN when trying to sign csr
On 02-03-27 11:15:51 CET, Gerd Schering wrote:
> Hi, I have the following problem: I want to sign a request which contains as CN a string like
>
>     CN=SomeTest@SomeTeam@[EMAIL PROTECTED]
>
> When trying to sign the CSR, I get:
>
>     Check that the request matches the signature
>     Signature ok
>     The Subjects Distinguished Name is as follows
>     [...]
>     commonName:PRINTABLE:'
>     The string contains characters that are illegal for the ASN.1 type
>     unable to load certificate
>
> The CSR was NOT generated with OpenSSL. When I generate a CSR with OpenSSL containing a CN like CN=gerd@home@berlin@tu there is no problem when signing it:
>
>     [...]
>     commonName:T61STRING:'gerd@home@berlin@tu'
>     Certificate is to be certified until Mar 27 09:42:31 2003 GMT (365 days)
>     Sign the certificate? [y/n]:y
>
> But now the string is recognized not as PRINTABLE but as T61STRING.

PrintableString and TeletexString (T61String) are ASN.1 types. PrintableString does *not* contain the @ character, whereas T.61 does.

rj
Re: A question!
On 02-03-26 14:29:47 CET, chenhaiyong wrote:
> Dear webmaster:

Who?

> When I use the openssl command:
>
>     openssl req -config filename -new -x509 -days 365 -key ca.key -out ca.crt
>
> to create a self-signed certificate (ca.key is the file where the CA's private key is put), what puzzles me so much is: where is the CA's public key? I can't find any information about it.

It's inside the ca.key file. If you look at e.g. an RSA private key file, you see the modulus, the public exponent, the private exponent, prime1, prime2, exponent1, exponent2 and coefficient. The public key you can see in the certificate is the first two of those parts.

> 汽车 -- 永不厌倦的话题
> (Cars: a topic one never tires of)

This is interesting. In my xterm I see half of those characters. Is there any difference you can think of why 汽 永不 倦的 get displayed properly and 车 厌 话题 are only hollow boxes?

rj
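The point in the reply above, that the public key is simply the first two components of the RSA private key, shown in code. This is an added example, not code from the post or from OpenSSL: it DER-encodes a toy PKCS#1 RSAPrivateKey built from the constructed primes 61 and 53 (far too small for real use, chosen so the arithmetic is checkable by hand), parses it back, and extracts the PKCS#1 RSAPublicKey (modulus, publicExponent). The DER helpers are minimal and handle only the INTEGER and SEQUENCE types this structure needs.

```python
# Added example: an RSA private key carries its public key.
# Toy primes 61 and 53 are constructed for illustration only.
import base64

def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(value):
    # Minimal big-endian two's complement; a leading 0x00 keeps a value
    # whose top bit is set from being read back as negative.
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)

def der_seq(*items):
    return der_tlv(0x30, b"".join(items))

# Field order of the PKCS#1 RSAPrivateKey SEQUENCE; `openssl rsa -text`
# prints them under these names.
RSA_PRIVATE_FIELDS = ["version", "modulus", "publicExponent", "privateExponent",
                      "prime1", "prime2", "exponent1", "exponent2", "coefficient"]

def rsa_private_key_der(p, q, e):
    """Build a PKCS#1 RSAPrivateKey from two primes and a public exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return der_seq(der_int(0), der_int(n), der_int(e), der_int(d),
                   der_int(p), der_int(q),
                   der_int(d % (p - 1)), der_int(d % (q - 1)),
                   der_int(pow(q, -1, p)))

def der_read_tlv(buf, pos):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_integers(seq_der):
    """Return the INTEGER values of a SEQUENCE OF INTEGER."""
    tag, content, _ = der_read_tlv(seq_der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    values, pos = [], 0
    while pos < len(content):
        t, body, pos = der_read_tlv(content, pos)
        if t != 0x02:
            raise ValueError("expected INTEGER")
        values.append(int.from_bytes(body, "big", signed=True))
    return values

def private_key_fields(private_der):
    return dict(zip(RSA_PRIVATE_FIELDS, parse_integers(private_der)))

def public_key_from_private(private_der):
    """The RSAPublicKey is just (modulus, publicExponent) taken from the private key."""
    f = private_key_fields(private_der)
    return der_seq(der_int(f["modulus"]), der_int(f["publicExponent"]))

def check_consistency(private_der):
    """n must be p*q and e*d must be 1 modulo (p-1)(q-1)."""
    f = private_key_fields(private_der)
    phi = (f["prime1"] - 1) * (f["prime2"] - 1)
    return (f["modulus"] == f["prime1"] * f["prime2"]
            and (f["publicExponent"] * f["privateExponent"]) % phi == 1)

def to_pem(label, der):
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)

TOY_KEY = rsa_private_key_der(61, 53, 17)

if __name__ == "__main__":
    for name, value in private_key_fields(TOY_KEY).items():
        print("%-16s %d" % (name, value))
    print(to_pem("RSA PUBLIC KEY", public_key_from_private(TOY_KEY)))
```

With the toy primes the modulus is 3233 and the public exponent 17, and those two values alone form the public key that ends up in the certificate; everything else in the file is private.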
SPKAC file and non-ASCII DNs
When I create a client certificate using a Mozilla browser, a CGI script generates an SPKAC file for use with `openssl ca -spkac infile`. The DN then becomes of ASN.1 type T61STRING, which is encoded illegally, as the OpenSSL documentation admits (http://www.openssl.org/docs/apps/req.html):

> BUGS
> OpenSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively treats them as ISO-8859-1 (Latin 1), Netscape and MSIE have similar behaviour. This can cause problems if you need characters that aren't available in PrintableStrings and you don't want to or can't use BMPStrings.
> As a consequence of the T61String handling the only correct way to represent accented characters in OpenSSL is to use a BMPString: unfortunately Netscape currently chokes on these. If you have to use accented characters with Netscape and MSIE then you currently need to use the invalid T61String form.

What does an SPKAC file have to look like so that the DN turns up encoded as ASN.1 BMPString? The req command has a -utf8 option, but it doesn't read SPKAC files, so I can't use it to turn the SPKAC file into PKCS#10. The spkac command hasn't got any -utf8 option. Is there any other way to generate a correctly encoded non-ASCII DN for a Mozilla client?

rj
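Both threads above turn on which ASN.1 string type a DN attribute gets: PrintableString (whose alphabet excludes '@', hence the "illegal for the ASN.1 type" error on the foreign CSR), T61String (which OpenSSL, as the quoted documentation says, treats as Latin-1), and BMPString (the documented-correct form for non-ASCII). The following is an added example, not code from the posts or from OpenSSL: it chooses the type for a given string, DER-encodes it under the right tag, decodes it back with the same check OpenSSL applies to a PrintableString, and prints the attribute in the `commonName:T61STRING:'...'` style that `openssl ca` shows. The tag values (0x13, 0x14, 0x1E, 0x0C) are the universal ASN.1 tags; the Latin-1 treatment of T61String deliberately mirrors the non-conformant behaviour the documentation describes rather than real T.61.

```python
# Added example: choosing and DER-encoding the ASN.1 string type of a DN attribute.
import string

# X.680 PrintableString alphabet: letters, digits, space and ' ( ) + , - . / : = ?
# Note that '@' is absent, which is why CN=...@... cannot be a PrintableString.
PRINTABLE_ALPHABET = frozenset(string.ascii_letters + string.digits + " '()+,-./:=?")

TAG_PRINTABLE, TAG_T61, TAG_BMP, TAG_UTF8 = 0x13, 0x14, 0x1E, 0x0C
TAG_NAMES = {TAG_PRINTABLE: "PRINTABLE", TAG_T61: "T61STRING",
             TAG_BMP: "BMPSTRING", TAG_UTF8: "UTF8STRING"}

def is_printable_string(s):
    return all(c in PRINTABLE_ALPHABET for c in s)

def der_tlv(tag, content):
    # Short-form length only; a DN attribute value is well under 128 bytes here.
    if len(content) >= 0x80:
        raise ValueError("value too long for this example's short-form encoder")
    return bytes([tag, len(content)]) + content

def encode_directory_string(s, prefer_bmp=False):
    """Pick a type and DER-encode the value.

    PrintableString when the alphabet allows it; otherwise BMPString (UCS-2 big
    endian), or, when prefer_bmp is False and every character fits in Latin-1,
    the invalid-but-browser-friendly T61String form described in the docs."""
    if is_printable_string(s):
        return der_tlv(TAG_PRINTABLE, s.encode("ascii"))
    if not prefer_bmp and all(ord(c) < 256 for c in s):
        return der_tlv(TAG_T61, s.encode("latin-1"))   # OpenSSL's Latin-1 treatment
    return der_tlv(TAG_BMP, s.encode("utf-16-be"))      # BMPString: UCS-2, big endian

def decode_directory_string(der):
    """Return (type name, text); reject a PrintableString carrying illegal characters."""
    tag, length = der[0], der[1]
    body = der[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated value")
    if tag == TAG_PRINTABLE:
        text = body.decode("ascii")
        if not is_printable_string(text):
            raise ValueError("The string contains characters that are illegal for the ASN.1 type")
    elif tag == TAG_T61:
        text = body.decode("latin-1")
    elif tag == TAG_BMP:
        text = body.decode("utf-16-be")
    elif tag == TAG_UTF8:
        text = body.decode("utf-8")
    else:
        raise ValueError("not a directory string tag: 0x%02x" % tag)
    return TAG_NAMES[tag], text

def report_attribute(name, der):
    """Format like the `openssl ca` subject dump, e.g. commonName:T61STRING:'...'."""
    type_name, text = decode_directory_string(der)
    return "%s:%s:'%s'" % (name, type_name, text)

if __name__ == "__main__":
    for cn in ["SomeTest", "gerd@home@berlin@tu", "Müller", "汽车"]:
        print(report_attribute("commonName", encode_directory_string(cn)))
        print(report_attribute("commonName", encode_directory_string(cn, prefer_bmp=True)))
    # What the non-OpenSSL tool in the first thread did: tag an '@' as PrintableString.
    bad = der_tlv(TAG_PRINTABLE, b"SomeTest@SomeTeam")
    try:
        decode_directory_string(bad)
    except ValueError as err:
        print("rejected:", err)
```

The constructed inputs "Müller" and "汽车" show the two non-ASCII cases: an accented Latin-1 character can be squeezed into the T61String form the browsers of the time accepted, while a CJK string only fits BMPString. The deliberately mis-tagged `SomeTest@SomeTeam` reproduces the rejection from the first thread.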