Re: [openssl-users] Trusting certificates with the same subject name and overlapping validity periods

2017-09-20 Thread Walter H. via openssl-users

On 20.09.2017 18:33, Jordan Brown wrote:
> Q:  Does OpenSSL's trust-list verification support trusting multiple
> certificates with the same subject name and overlapping validity periods?

do these replacement certificates have the same serial number and the
same private key?

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Question RE certificate chain verification

2017-02-22 Thread Walter H. via openssl-users
On Tue, February 21, 2017 12:16, Jakob Curdes wrote:
> Hi, I am new to the list and have a question where it seems I cannot find
> the answer in archives here or in other sources.
>
> We want to verify the certificate chain of an "official" certificate, but
> including the revocation status of the intermediate certs, via CRL or
> OCSP.
> (The chain verification itself is easy and solved, our problems lie just
> with getting the revocation status of an arbitrary certificate).
>
> It seems to turn out that a) this is seldom done completely (otherwise I
> think there would be more "working recipes") and it is not easy to do it
> in a generic way as we keep getting various errors at different steps.
>
> Without making it too long, we want to do the following:
> a) retrieve and save certificate from server via URL
> b) retrieve and save certificate chain from server
> c) determine OCSP URL or CRL list URL
> d1) verify cert against OCSP source OR
> d2) download CRL; then verify cert against CRL
>
> Up to c), everything is straightforward. We use openssl 1.0.1e-60.el7 from
> current CentOS 7.

try this:

CAFILE=/etc/pki/certs/ca-bundle.trust.crt

CERT=/tmp/cert.crt       # cert to validate
ISSUER=/tmp/issuer.crt   # issuing CA cert

# OCSP responder URL from the certificate's AIA extension, and its host name for the HTTP Host header
OCSPURL=$(openssl x509 -in "$CERT" -noout -ocsp_uri)
OCSPHOST=$(echo "$OCSPURL" | gawk --field-separator=/ '{ print $3 }' -)

# -noverify skips checking the signature on the OCSP response; the grep keeps the
# "<cert>: good|revoked|unknown" status line that openssl ocsp prints
OCSPRESULT=$(openssl ocsp -CAfile "$CAFILE" -no_nonce -noverify -issuer "$ISSUER" \
    -cert "$CERT" -url "$OCSPURL" -header Host "$OCSPHOST" | grep "$CERT")

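The lookup from the reply above, as an added example that is not code from the post: it runs the same openssl ocsp query but without -noverify, requires the "Response verify OK" line before trusting the answer, and classifies good/revoked/unknown instead of only grepping the status line. It assumes the CAFILE/CERT/ISSUER paths from the reply and the OpenSSL 1.0.x "-header name value" form used there (1.1.0 and later expect name=value); check_ocsp is a hypothetical wrapper that needs network access, ocsp_status runs offline on captured output.

```shell
#!/bin/sh
# Added example (not from the list post). Assumes OpenSSL 1.0.x option syntax.

# Classify captured `openssl ocsp` output. Exit codes:
#   0 = good, 1 = revoked, 2 = unknown, 3 = response not verified / unparsable
ocsp_status() {
    cert="$1"      # path given as -cert; openssl prefixes the status line with it
    output="$2"    # text as printed on stdout by openssl ocsp
    # Without "Response verify OK" the response signature did not check out
    # against -CAfile/-issuer (or -noverify was used): the status line is then
    # unauthenticated and must not be acted on.
    printf '%s\n' "$output" | grep -q '^Response verify OK' || return 3
    line=$(printf '%s\n' "$output" | grep -F "$cert: " | head -n 1)
    status=${line#"$cert: "}
    case "$status" in
        good)    return 0 ;;
        revoked) return 1 ;;
        unknown) return 2 ;;
        *)       return 3 ;;
    esac
}

# Hypothetical wrapper: query the responder named in the certificate's AIA.
check_ocsp() {
    cert="$1"; issuer="$2"; cafile="$3"
    url=$(openssl x509 -in "$cert" -noout -ocsp_uri)
    if [ -z "$url" ]; then
        echo "no OCSP URI in $cert: fall back to the CRL" >&2
        return 3
    fi
    host=$(printf '%s\n' "$url" | awk -F/ '{ print $3 }')
    # No -noverify: the response signature is verified against $cafile, and
    # $issuer is also accepted as signer of a delegated responder certificate.
    out=$(openssl ocsp -CAfile "$cafile" -issuer "$issuer" -cert "$cert" \
              -url "$url" -header Host "$host" 2>/dev/null)
    ocsp_status "$cert" "$out"
}

# Constructed sample of what openssl ocsp prints for a revoked certificate.
SAMPLE_REVOKED='Response verify OK
/tmp/cert.crt: revoked
    This Update: Feb 21 10:00:00 2017 GMT
    Reason: keyCompromise
    Revocation Time: Feb 20 09:00:00 2017 GMT'

rc=0; ocsp_status /tmp/cert.crt "$SAMPLE_REVOKED" || rc=$?
echo "sample status code: $rc"   # 1 = revoked
```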


[openssl-users] openssl s_client

2017-02-05 Thread Walter H. via openssl-users

Hello,

openssl s_client -connect mailhost:25 -starttls smtp

displays this:

CONNECTED(0003)
depth=0 OU = Domain Control Validated, CN = ...
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, CN = ...
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, CN = ...
verify error:num=21:unable to verify the first certificate
verify return:1

the question: is this caused by a config problem on the server side or on
the client side (host running openssl)?


Thanks,
Walter



Re: [openssl-users] big endian vs little endian

2016-12-18 Thread Walter H. via openssl-users

On 18.12.2016 17:21, sahorwitz wrote:
> I am obviously a newbie and missing something. How then do I encrypt the file
> on one machine (little endian), transmit it to another machine (big endian)
> and decrypt it there?

similar to this:

encrypt
openssl enc -e -in file -out encryptfile -aes-256-gcm

decrypt
openssl enc -d -in encryptfile -out file -aes-256-gcm

can someone explain why I get the following output

enter aes-256-gcm decryption password:
bad decrypt

but the file is correctly decrypted

I'm using latest openssl rpm package from CentOS 6
