Hi,
I've developed my own ENGINE with OpenSSL. I use that ENGINE to use the private keys of my root certificates. Those certificates are used to sign X509 certificates, CRLs and OCSP responses.
On the other part, one of my component that use the ENGINE must open a ssl connection, the private
Hi
I've been trying to edit and rebuild the ASN.1 database using objects.pl. I
am having problems understanding what is going on. As I understand it, the
file to edit is objects.txt, but if I change this file in any way, then
objects.pl no longer works. Can anybody please tell me what I should be
Hi
I want to make a ca.crl file for my apache revocation. Now I executed
the following commands:
openssl ca -gencrl -out CRL/crl.pem
openssl ca -revoke cert.pem
So, I think this is the
way to distribute the CRL to browsers (am I right?), what are the commands
for creating the ca.crl file on the
I *think* I understand it now, but any clarification etc. would still be
most appreciated.
Steve
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of steve thornton
Sent: 23 July 2003 10:09
To: [EMAIL PROTECTED]
Subject: Please help
Hi
I've been trying to
The openssl FAQ and INSTALL.W32 warn about a corruption
problem if an app does not use the multithreaded DLL
option /MD, given that the build of openssl uses it.
However, I am seeing the exact opposite of this problem.
This is a desperate appeal for help.
I build openssl using the following
(resend because it seems not to have arrived at the list, maybe because it is
subscribers only?)
Sorry if this has been asked before, but i have a few questions regarding creating a
ca root certificate:
I create the root certificate like this:
../openssl req -config ../ca.cnf -x509 -new -days
On Tue, Jul 22, 2003, 5468696A6D656E wrote:
(resend because it seems not to have arrived at the list, maybe because it
is subscribers only?)
Sorry if this has been asked before, but i have a few questions regarding
creating a ca root certificate: I create the root certificate like this:
On Wed, Jul 23, 2003, steve thornton wrote:
Hi
I've been trying to edit and rebuild the ASN.1 database using objects.pl. I
am having problems understanding what is going on. As I understand it, the
file to edit is objects.txt, but if I change this file in any way, then
objects.pl no longer
On Wed, Jul 23, 2003, Michiels Olivier wrote:
Hi,
I've developed my own ENGINE with OpenSSL. I use that ENGINE to use the
private keys of my root certificates. Those certificates are used to
sign X509 certificates, CRLs and OCSP responses.
On the other part, one of my component that use the
Hi,
I'm a newcomer to this crypto business and maybe I'm a little confused... I
don't want to hijack this conversation but surely somebody from evil.bar.com
could provide a certificate signed by a trusted party for example.foo.com.
After all, the certificate is public right? So something else,
I want to install the Perl module Net::SSLeay.pm, which requires
OpenSSL-0.9.6j or 0.9.7b or newer, but the installer script
complains that it cannot find my OpenSSL. I have tried supplying
various directories (/usr/bin, /etc/ssl, /usr/lib/ssl), but the
installer can't find OpenSSL in any of
On Wed, Jul 23, 2003, Dan Kendall wrote:
Hi,
I'm a newcomer to this crypto business and maybe I'm a little confused... I
don't want to hijack this conversation but surely somebody from evil.bar.com
could provide a certificate signed by a trusted party for example.foo.com.
After all, the
Yes I've noticed this. Basically I am making an embedded client, and am
looking for every way possible to reduce code size, and obj_dat is very big.
I've more or less concluded that it is not worth the trouble, but 24k is
24k.
It surely should be possible to parse the essential info (Issuer,
On Wed, Jul 23, 2003 at 01:28:36PM +0100, Dan Kendall wrote:
I'm a newcomer to this crypto business and maybe I'm a little confused... I
don't want to hijack this conversation but surely somebody from evil.bar.com
could provide a certificate signed by a trusted party for example.foo.com.
After
Thank you, that makes more sense.
Regards,
Dan
-Original Message-
From: Lutz Jaenicke [mailto:[EMAIL PROTECTED]
Sent: 23 July 2003 13:44
To: [EMAIL PROTECTED]
Subject: Re: FQDN
On Wed, Jul 23, 2003 at 01:28:36PM +0100, Dan Kendall wrote:
I'm a newcomer to this crypto business
On Wed, Jul 23, 2003, steve thornton wrote:
Yes I've noticed this. Basically I am making an embedded client, and am
looking for every way possible to reduce code size, and obj_dat is very big.
I've more or less concluded that it is not worth the trouble, but 24k is
24k.
It surely should be
Check these pages:
http://www.mysql.com/doc/en/Secure_basics.html
http://www.mysql.com/doc/en/Secure_Create_Certs.html
http://www.mysql.com/doc/en/Secure_GRANT.html
You need to have a certificate for the server and the client signed by
the same CA.
Hope this helps
Bart...
-Original
Yes, Lutz. That's why I want to check peer's FQDN against which on its
certificate.
Actually, just like what Steve said before, even the hacker can spoof DNS,
he still needs peer's certificates and key to masquerade the owner of that
key.
Checking of the FQDN is an extra step to prevent this to
Thanks for that Steve, that was the conclusion I had just come to. Now I
need to convince my bosses. I wonder if they'll pay me to write things from
scratch?
Steve
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dr. Stephen Henson
Sent: 23 July 2003 13:52
I have been linking applications with both OpenSSL and ZLIB for many
years now without difficulties. My guess is that either your app is not
using the MSVCRT.DLL or that you are linking to some other library which is
using an alternative C Runtime library.
Jeffrey Altman
Andrew Marlow wrote:
Jue (Jacky) Shu wrote:
Yes, Lutz. That's why I want to check peer's FQDN against which on its
certificate.
Look at Lutz' list. You get already in step 1 the FQDN from the *user*,
so there is no need for further actions to find out the peer's FQDN.
Ciao,
Richard
--
Dr. Richard W. Könning
Fujitsu
Sorry, Richard.
Maybe I didn't put it clearly.
There r two names, one is from the certificate, another one is from DNS.
They must match.
Jacky
- Original Message -
From: Richard Koenning [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, July 23, 2003 9:43 AM
Subject: Re: FQDN
Jue (Jacky) Shu wrote:
Sorry, Richard.
Maybe I didn't put it clearly.
There r two names, one is from the certificate, another one is from DNS.
They must match.
The other one is *not* from DNS, but from the *user* (step 1 from Lutz'
list). The user wants to connect to a specific site, and the
Hi Richard,
In your case, it is the client want to check server.
I know it is common to check server's location.
But now I want to check client as well.
The server doesn't know where the client comes from,
so the server needs to get client's ip address and then its FQDN.
I think this problem is