On 11/23/2016 02:33 PM, David Woodhouse wrote:
> If I make a new object type which looks like a PKCS#1 RSA key but is
> actually something completely different, it's *already* likely that
> OpenSSL will load that new object as if it was an RSA key in some
> cases.
>
An example used by the 'gem'
There is at least one real life HSM engine, that encodes numerical identifiers
as "pseudo prime
numbers", you end up with a
RSA private key that has 1 and 2 prime numbers?
No new ASN.1
Best
On 11/23/2016 11:47 AM, Richard Levitte wrote:
> In message <1479894913.8937.58.ca...@infradead.org>
On 06/02/2016 15:50, Rich Salz via RT wrote:
> Is this still a bug?
> --
> Rich Salz, OpenSSL dev team; rs...@openssl.org
>
>
I don't know, there have been many changes to the extension treatment.
I have not followed the stuff for 5 years.
The extension handling is not what I had in the
Hi,
when a single -nameopt utf8 or others is used in openssl x509 or others, the
separator mask is 0. This preempts the command as soon as the Issuer
is formatted.
It seems that the case 0 should be treated in the same
way as XN_FLAG_SEP_CPLUS_SPC
Best
Peter Sylvester
In crypto/asn1/a_strex.c routine do_name_ex does not handle case 0 for
separators, this can occur if
one specifies a -nameopt utf8.
Suggested fix: Treat 0 in the same way as XN_FLAG_SEP_CPLUS_SP
___
openssl-dev mailing list
To unsubscribe:
On 07/05/2014 12:00 PM, Ben Laurie wrote:
I've been experimenting with more type correctness and less casting.
Some of the big casting culprits are the various _ctrl() functions,
e.g. SSL_ctrl().
Does anyone have any clue why these exist?
I think the model is to have only one function to
Hi,
I have weakened the Esscertid logic a bit. Only the signer certificate is
checked and it must be in the first Esscertid.
This resolves issues when TSAs add attribute certs etc.
Since RFC 3161 does not require a client to check anything
else than the presence of the signer cert (and even is is
On 08/27/2012 04:17 PM, Michel wrote:
Hi,
Shouldn't there be a SRP_VBASE_free() call somewhere in s_server.c ?
Yes, there is a small leak in s_server.c.
At least for freeing the data allocated by the SRP_VBASE_new() call :
An implementation remark
The VBASE stuff is a quick and dirty
On 07/12/2012 10:00 PM, David Woodhouse wrote:
If it has the same name, then it's the same CA. Has it been rekeyed?
It has a different X509v3 Subject Key Identifier.
The Subject Key Identifier of the second cert in the list does not match
the Authority Key Identifier of the first cert. It's a
On 05/18/2012 06:03 AM, kthiru...@inautix.co.in wrote:
Team,
Had a query in the certs that we load,
The CA's provide our certs in .p12 format, which we need to convert to a .pem and load to SSL
structure during initialization.
On converting to .pem, it is in the following format, Private
On 04/03/2012 11:34 AM, Tamir Khason via RT wrote:
It seemed that we are speaking about different things.
In certificate i pasted, integers used for exponent1, exponent2 and
coefficient encoded with different lengths. In chapter 8.3 of ISO 8825
there is clear statement of how integer values
On 04/02/2012 03:28 PM, Tamir Khason via RT wrote:
Hello, Erwann
This is not related to .NET. Integer is not only value, but also size.
Both exponents and its coefficients should be the same length
(according RSA definition, both integers) so those numbers should be
serialized into ASN1_INTEGER.
On 04/02/2012 06:34 PM, Tamir Khason via RT wrote:
maybe i am failed to explain myself.
DER encoding says how to encode numbers, RSA key elements define what
are those number. So integers from RSA key, should be encoded
according ANS1 DER encoding, which means should be have either length
octets
apps/s_cb.c does not list all known tls extension types when
tlsextdebug is used (not even all supported one).
this patch adds missing extension types currently defined by
iana to ssl/tls1 and sapps/s_cb.c
the definitions are reordered.
the patch work for 1.0.1-beta3 and the two snapshots of
On 02/07/2012 09:25 PM, Trevor Perrin via RT wrote:
Hello,
I think the srp ClientHello extension is being sent incorrectly in
1.0.1 beta 2.
trevor's patch corrects an immediate problem but there were others:
- the length fields are not correctly assured to be within 1 and 255
- receiving two
15:43:45.509319433 +0100
***
*** 4,9
--- 4,13
Changes between 1.0.0f and 1.0.1 [xx XXX ]
+ *) Make TLS-SRP code conformant with RFC 5054
+ API cleanup (removal of unnecessary code)
+ [Peter Sylvester peter.sylves...@edelweb.fr]
+
*) Add TLS key
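Review bot: the second line of the new CHANGES entry, "API cleanup (removal of unnecessary code)", does not say what was removed. Because it is described as an API change, name the removed callbacks or fields in the entry so that applications built against the earlier TLS-SRP interface can tell whether they are affected.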
On 12/14/2011 11:18 PM, Stephen Henson via RT wrote:
[peter.sylves...@edelweb.fr - Sun Dec 11 17:51:10 2011]:
Enclosed two patches for head and stable to remove unnecessary code
for srp and to add some comments to s_client.
Applied.
Steve.
Thanks for the feedback.
hi,
since a few days the current snapshots seem to provoke a
tar: A lone zero block at
has there been any change in producing the tar.gz?
/P
__
OpenSSL Project http://www.openssl.org
:51:41.665775046 +0100
--- openssl-1.0.1-stable-SNAP-20111211PS/ssl/tls_srp.c 2011-12-11 11:14:08.700822391 +0100
***
*** 2,12
/* Written by Christophe Renou (christophe.re...@edelweb.fr) with
* the precious help of Peter Sylvester (peter.sylves...@edelweb.fr
Hello,
I am actually making corrections to the SRP/TLS code. One of them
removes an unnecessary callback. There is a pointer in a SRP_CTX that
is no longer necessary.
I wonder what is the current policy concerning a stable branch and
the head? It seems that one simply would leave the useless
On 12/08/2011 03:34 PM, Dr. Stephen Henson wrote:
On Thu, Dec 08, 2011, Peter Sylvester wrote:
Hello,
I am actually making corrections to the SRP/TLS code. One of them
removes an unnecessary callback. There is a pointer in a SRP_CTX that
is no longer necessary.
I wonder what is the current
Enclosed a revised patch to make ssl conformant to the RFC 5054.
The two patches are for the head and the stable release since
the code parts differ too much.
diff -r -c openssl-SNAP-2023/ssl/s3_clnt.c openssl-SNAP-2023PS/ssl/s3_clnt.c
*** openssl-SNAP-2023/ssl/s3_clnt.c 2011-09-05
Enclosed a second patch to make ssl conformant to rfc 5054.
patch is to the stable snapshot of 11/14
Changes are:
- removal of the addition state after client hello
- removal of all pre-rfc srp alert ids
- sending a fatal alert when there is no srp extension but when the
server wants SRP
-
Hello,
enclosed please find a patch to document and recognize
the unknown_psk_identity alert:
- In the s_cb.c callback
- in the documentation of SSL_alert_type_string
In addition, it removes a pre-RFC 5054 string from ssl_stat.c
regards
Peter
diff -r -p -c openssl-SNAP-20111031/apps/s_cb.c
' ', '', '#', '+', ',', ';', '', '=','', or '\'
The textual representations
CN= jAmes bonD
CN=James Bond
designate different encodings that match, i.e.
only one could be in a directory.
have fun
Peter Sylvester
. It is not an input parameter for an engine. ???
Your engine should just enumerate the keys in its internal storage, or
use a hash, or.. you can communicate via engine commands in
a configuration file. (cf the doc of config).
*Peter Sylvester peter.sylves...@edelweb.fr*
Sent by: owner-openssl
On 08/18/2011 09:06 AM, Andreas Gruener wrote:
Hello,
I write an engine which shifts private key operations to a hardware security
module.
I face a problem concerning the key generation process. The keys are stored in
the hsm but
there exists an external reference file, like an keystore, which
On 06/26/2011 08:05 PM, Peter Sylvester wrote:
On 06/26/2011 02:59 PM, Alain Knaff via RT wrote:
Hello,
openssl s_client -connect hostname.domain.com:443 does not verify that
the certificate matches the hostname. (i.e. hostname.domain.com should
match either the CN of subject, or in one
On 06/26/2011 02:59 PM, Alain Knaff via RT wrote:
Hello,
Currently, openssl s_client supports the -servername parameter to pass
an SNI hostname.
However, wouldn't it be useful to have s_client automatically use the
host name specified for -connect as the SNI service name as well?
So instead
On 06/26/2011 02:59 PM, Alain Knaff via RT wrote:
Hello,
openssl s_client -connect hostname.domain.com:443 does not verify that
the certificate matches the hostname. (i.e. hostname.domain.com should
match either the CN of subject, or in one of the subjectAltNames)
Without such verification any
.
and a missing -certopt in synopsis for x509 doc
Peter Sylvester
diff -r -p openssl-SNAP-20110119/apps/pkcs12.c openssl-SNAP-20110119mod/apps/pkcs12.c
*** openssl-SNAP-20110119/apps/pkcs12.c 2010-05-15 03:00:07.0 +0200
--- openssl-SNAP-20110119mod/apps/pkcs12.c 2011-01-19 12:15:44.0
The encoding is invalid BER.
The openssl is tolerant but also destructive in copy.
whenever you use openssl x509 -in -out ... you remove one leading 0 octet.
IMHO openssl should reject the cert because of invalid encoding.
On 08/29/2010 04:17 AM, Mounir IDRASSI wrote:
Hi,
The problem you
On 08/29/2010 01:20 PM, Mounir IDRASSI wrote:
Hi Peter,
Although the certificate's encoding of the serial number field breaks the
BER specification about the minimal bytes representation, it is known that
many CA's and libraries treat this field as a blob and usually encode it
on a fixed length
On 08/29/2010 07:38 PM, Mounir IDRASSI wrote:
Hi Peter,
Thank you for your comments.
As I said, this kind of debates can be very heated and going down this
road don't lead usually to any results.
The debate may be whether and how something should be
done in openssl, I admit I had started
Creating a CRL using openssl does nothing else than reading
the certificatedatabase and creating an entry for all serialnumbers
that have a R.
You can create such a file by hand.
Zhongxing Xu wrote:
openssl-1.0.0-stable-SNAP-20091026/ssl/t1_lib.c:657
case TLSEXT_NAMETYPE_host_name:
if (s->session->tlsext_hostname == NULL)
{
if (len
hi,
the implementation of sni in openssl probably does not
correspond to the rfc. The rfc seems to allow to
change the servername at any time in a client hello,
and the servernamehello extension is wrong when
the client has changed the servername (the name is
not acknowledged but no client actually
/There seems to be a bug here indeed. One must be careful
to make a desirable behaviour without breaking mod_ssl.
/
In routine ASN1_GENERALIZEDTIME_print the line
/* Check for fractions of seconds. */
if (i >= 15 && v[14] == '.')
uses the variable i which no longer has the
value of tm->length but 12. Shouldn't the code
be:
/* Check for fractions of seconds. */
if (i = tm->length
Hi;
- verifying a self signed cert is strange. How would you trust it.
the standard way is to have your own CA, and then issue a cert
for your server, and then use the CA cert as trust anchor in your
client.
Anyway your code for is false for at
least three reasons:
- The get by nid return
validation,
i.e. require explicit policy, inhibitmapping, no mapping for
anypolicy and the initial policy set.
As a side effect this would allow to have different settings for different
trustanchors.
Any thoughts?
Peter Sylvester
/PS
OpenSSL wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
OpenSSL version 1.0.0 Beta 1
Please download and test them as soon as possible. This new OpenSSL
version incorporates 107 documented changes and bugfixes to the
toolkit (for a complete list
hi
When creating asn1 structure using the configuration file, it actually
necessary to encode complicated sequences/sets using the configuration
syntax.
asn1_gen allows on the other hand to 'retag' any object using the IMP
directive. Even universal type can be changed,
but with universal 16/17
enclosed please find a patch that adds support for the freshestCRL extension.
Have fun.
--
To verify the signature, see http://edelpki.edelweb.fr/
This lets you load the authority's certificate;
you will also find the list of revoked certificates there.
diff -rpc
While reading the code in sess_asn.c it seems that
the PSK values are encoded and decoded using
different tags.
in ssl/ssl_lib.c in line 1371 there is a
#ifndef OPENSSL_TLSEXT
this should be
#ifndef OPENSSL_NO_TLSEXT
One can omit the SSL_CTX_free but in order to be clean, someone must call
it, and this may unfortunately not necessarily be the same instance who
created
it.
I think you are kind of right, but there's another possibility.
Does the other instance call SSL_free as well? Note that SSL_free
Hi,
A call to SSL_new increments the reference count of the SSL_CTX object.
In some application contexts one would like to pass around an SSL_CTX object
and share it.
If sharing occurs before an SSL_new is called and another
instance does SSL_new and SSL_CTX_free, the SSL_CTX is freed.
In
[EMAIL PROTECTED] wrote:
I found this in the OpenCA-Users mailinglist.
Any ideas or suggestions?
use the 'openssl ca' command with an empty index.txt file for each new
certificate.
and then manages the files differently, i.e. copy the content into a
database.
Or don't use the ca at all
isn't ssl_test.c a sufficient starting point?
The openssl ca command has a switch -create_serial. This switch allows the
creation of a serialnumber file for certificates. I think it is useful also
for the creation of a crl number file.
Furthermore, if crlnumbers are used then similar to certificates, it
seems useful
to me to have all crls
The problem is that a backslash may be followed by a \r
I have sent a patch to openssl-users which I attach. Of course, instead
of \s* one
can use an optional \r.
Andy Polyakov via RT wrote:
my previous message about mkdef.pl is wrong. Although the indicated code
can still loop, the read
The mkfiles.pl tools seems to need the chop replaced by chomp
in order to correctly find the \ at the end of a line.
In the 0.9.8b version
mkdef.pl loops in the following while.
# Reduce argument lists to empty ()
# fold round brackets recursively: (t(*v)(t),t) -> (t{}{},t)
-> {}
while(/\(.*\)/s) {
s/\([^\(\)]+\)/\{\}/gs;
my previous message about mkdef.pl is wrong. Although the indicated code
can still loop, the read error seems to be this one
while(<IN>) {
if (/\/\* Error codes for the \w+ functions\. \*\//)
{
undef @tag;
last;
testtsa has a line
test $? == 0 error
shouldn't this be
test $? = 0 error
or
test $? -eq 0 error
The #define _POSIX_C_SOURCE 2 at the beginning of apps/apps.c causes
string.h on Solaris not to declare strcascmp.
Shouldn't #define be protected by an #ifdef for VMS?
The openssl x509 and ca commands
may create v3 certificates even if no extensions are present.
The code in apps/x509.c and apps/ca.c that sets the version of a
certificate
is not quite correct. It is basically set when the code thinks that some
extensions are going to be added and not after
I looked a bit in detail into the ecpoint format extension stuff.
- Currently, as I said yesterday, one cannot compile openssl
with OPENSSL_NO_EC.
- I am not sure but it seems to me that the tlsext_ecpointformat_list in
the SSL is not freed together with an SSL object, so you have
a mem
if openssl has OPENSSL_NO_EC there is a small problem in t1_lib.c
Besides that I have the feeling that part of the point list code could
be simplified.
The lists supported are constant, so making an malloc etc and filling
this with
constant data looks a bit heavy.
regards
A little bit of nit picking, but since a comment is supposed to be
correct. :-)
---
You ask for two things:
- creation of a file: Just put all the certs together in pem format
starting with the entity cert, and use this as -in parameter.
- parsing: There can be multiple chains. You have to find one yourself
in the
CA list that goes up to a desired trust anchor and through
Hello,
I just have put together the small patch for apache 2.2.0 which allows
to use the servername extension
logic in the development snapshot in order to select a different ssl
context, and also to
renegotiate if the vhost indicated by Host: has a different SSL_ctx
(e.g. certificate).
The
about the API.
Oden Eriksson wrote:
On Monday 6 February 2006 18.13, Peter Sylvester wrote:
Hello,
I just have put together the small patch for apache 2.2.0 which allows
to use the servername extension
logic in the development snapshot in order to select a different ssl
context, and also
Hello,
Since I was pretty active in providing the current code, here are some
of our thoughts which may or may not be compatible with the core team.
In 2004, we had developed some extensions for the 0.9.7d version concerning
servername and srp. We initially also had the idea and a logic where
Kyle Hamilton wrote:
I'd like to see a generic callback mechanism in that I want to be able
to write my own dispatcher for TLS extensions.
You already have this, you can intercept all messages.
The reverse may not be true in real life. One way this comparison might
bite you is when the issuer issues a certificate with encoding violating
the DER requirements. For example, the ASN1_INTEGERs with octet
encodings 02 and 00 02 contain the same value 2, but these encodings
will in fact be
Some openssl does not necessarily display DNs in the same textual order
as other tools
or as other tools like it as input.
try
openssl x509 -in yourcert -text -noout -nameopt RFC2253
for example and another without the -nameopt parameter
It has happened several times that people create
in util/mkerr.pl there is a loop that replaces __attribute__. in
crypto/bio/bio.h a recent change
created an infinite loop there. replacing the __attribute_ by
__bio_h_attr__ in mkerr.pl fixes it.
I saw in the latest snapshots that in the ssl library the function
time has been casted to an unsigned long.
This seems to be some hack to cover the 2038 problem on 32 bit machines.
I am not sure
whether the attempted solution is good:
As far as I see the only usage is to determine whether
Bodo Moeller wrote:
On Fri, Oct 07, 2005 at 11:17:47AM +0200, Peter Sylvester wrote:
In s23_srvr.c there is a length test
if ((csl+sil+cl+11) != s->packet_length)
{
SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH)
in case that the record contains a SSLV3
Bodo Moeller wrote:
On Mon, Oct 24, 2005 at 04:08:19PM +0200, Peter Sylvester wrote:
[...] I.e., a client that connects to a
server can *either* support SSL 2.0 servers *or* use TLS extensions,
but not both.
The SSL 3.0 and TLS 1.0 specifications have
Dear core developers,
In ssl/ssl_lib.c there is a lot of functionality of get/set implemented
through a SSL_ctrl or SSL_CTX_ctrl, but some are implemented
directly as functions.
There may be some logic behind that but I am not sure which one.
One thing seems to be that the get function which
Dear OpenSSL developers,
I have put a version of openssl that supports the TLS servername extension
into our web server. It is based on a openssl development snapshot of
last week.
We have split off and simplified the code that was done together with SRP
last year, and corrected known bugs.
In s23_srvr.c there is a length test
if ((csl+sil+cl+11) != s->packet_length)
{
SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH)
in case that the record contains a SSLV3 or TLSv1 header.
IMO the != should be a since tls allows additional
data in extensions.
It seems to me that the behaviour of the s_server has changed in 0.9.8
concerning the interpretation of the nocert parameter.
When nocert is specified or when no appropriate alga was
compiled with, the variables for the key/cert file names were set to
NULL loading the files before any attempt
One of the reasons that I see that some USERS, i.e. relying parties
want that, is that it is a bit difficult to get the subject altname
email in a CGI under apache, whilst the DN attribute is simply
in an environment variable.
What happens when you add multiple emails, is
either as subject
The current snapshot contains a test/Makefile
with an unconditional LD_PRELOAD which doesn't
seem to work when there is no lib{crypto|ssl}.so
e.g. for a no-shared build
environment is solaris 5.8 with gcc 3.2.3
Did you 'perform' ...\Bin/Vcvars32.bat ?
The following point is unclear to me:
a) CRL is valid (regarding issuance time)
if thisUpdate = checkTime and thisUpdate = now.
As far as I understand;
The X509 and 3280 validation algorithm only have ONE
point in time, which is consider either as 'now'
or 'time to check' according you
I thought SRP6 was patented. Isn't SRP6 patented?
Yes, here an excerpt from http://srp.stanford.edu/licence.txt
SRP is royalty-free worldwide for commercial
Hi, ho:
I just made available the second beta release of our patch for
OpenSSL 0.9.7d implementing the SRP6 TLS protocol.
In addition, a first beta release of a patch for mod_ssl
allowing to use the new protocol in an Apache Web Server
is provided.
More info and downloads are available here:
hello,
it seems to me that the file progs.h in current versions (0.9.7d
and snapshot) had not been generated by progs.pl
The progs.h has an ifndef for OPENSSL_NO_ENGINE
which doesn't seem necessary to me if the two lines
elsif ( ($_ =~ /^ocsp$/))
{ print #ifndef
in X509 and RFC3280 Critical means that if you don't know how to handle an
extension, you can ignore it. if you know how to handle it, you treat it
X
independently of critical or not.
I was mildly shaked to wake up :
Obviously, I missed the half sentence at
I've come across an issue with extensions. I have a S/MIME signed
message, where the signing cert has signing + encrypting Key Usage flags,
and SSL server Extended Key Usage flags.
Because there is a Ext. Key Usage flags set, but not the S/MIME one then
the cert validation procedure
Hi:
In crypto/asn1/v3_crld.c there is:
ASN1_ITEM_TEMPLATE(CRL_DIST_POINTS) =
ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, DIST_POINT, DIST_POINT)
ASN1_ITEM_TEMPLATE_END(CRL_DIST_POINTS)
Shouldn't this be
ASN1_ITEM_TEMPLATE(CRL_DIST_POINTS) =
Following a hint from Steve, here a request
for an enhancement:
an additional escaping mechanism for the print_ex
routines simplifying xml. e.g. the characters
and would be escaped.
Thanks for consideration
Uhmm, which OpenSSL version are you talking about? I can't find
des_enc-sparc.S anywhere in my copy of the 0.9.7 branch...
[EMAIL PROTECTED] - Tue Jul 29 17:06:13 2003]:
It is in the latest branch in crypto/des/asm (at least after make).
It seems that my problem went away with an