I think verify depth of 1 will work only for self signed certificates,
in this case it wont work, you should override the default certificate
checking functions by registering ur own callback for this function
pointer in ssl_st.
int (*verify_callback)(int ok,X509_STORE_CTX *ctx)
as you already kn
How can hmac.c(openssl/crypto/hmac) be used as pseudo random generator
(to generate keys) and mac calculation?
For both purpose i.e to generate keys and mac hmac.c is used. During keys
4th parameter of HMAC() is passed 0.AND During mac 4th parameter is message.
prf= HMAC( md, key, keylen,(void *
When you want to operate in this special "CA filtering" mode, you
could hook the OpenSSL certificate validation logic. Your callback
could then implement it's only validation logic and return a "reject"
when you see a certificate you want to deny (even though it's valid).
Randy
On Mar 7
Samy Thiyagarajan wrote:
>
> Hi,
> May be changing the verification of the depth level solve this issue. (
> I mean check the chain only upto User CA 1 and not upto the Root CA )
> In this case it should not report about missing valid root.
>
> Im not sure. this is just an idea.
Good idea. But
王 振江 wrote:
> Excuse me:
> When I create an certificate, encounter this error:Unable to load
> config file.
> The ditails below:
> My system enviroment:FC3 core + apache-1.3.33 +openssl-0.9.8 +
> mod_ssl-2.8.28 Install Mode :DSO
> when i excute command in shell:
> #openssl req -new -x509 -days 3650
Hi,
May be changing the verification of
the depth level solve this issue. ( I mean check the chain only upto
User CA 1 and not upto the Root CA ) In this case it should not report
about missing valid root.
Im not sure. this is just an idea.
Regards,
Samy
Olaf Gellert <[EMAIL PROTECTE
Gayathri Sundar wrote:
> you can put CA2 as part of the revocation list?
> if CA2 is part of the client's CRL, then it will automatically
> be rejected..is this what you want?
Nothing about revocation, both CAs are valid
and should stay valid. I do have a User CA 1
for one type of service (or one
Excuse me:
When I create an certificate, encounter this error:Unable to load config
file.
The ditails below:
My system enviroment:FC3 core + apache-1.3.33 +openssl-0.9.8 +
mod_ssl-2.8.28
Install Mode :DSO
when i excute command in shell:
#openssl req -new -x509 -days 3650 -key ca.key -out ca.c
you can put CA2 as part of the revocation list?
if CA2 is part of the client's CRL, then it will automatically
be rejected..is this what you want?
Thanks
--G3
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Olaf Gellert
Sent: Tuesday, March 07, 2006 5:26 PM
Hi,
I came across the following problem: I do have
two user CAs under the same root CA:
Root CA
|-> User CA 1 -> User Certificate 1
|-> User CA 2 -> User Certificate 2
I want to tell a webserver to accept certificates
from User CA 1 but not from User CA 2. But: In
openssl s_server
kloomis wrote:
At 11:17 PM 3/6/2006 -0700, you wrote:
The practical upshot of this is, yes, your apache configuration needs
the privkey.pem file in order to do SSL/TLS at all.
I have myServer.csr, myServer.cert and myServer.key located in
ssl.csr, ssl.crt, and ssl.key respectively. The ssl.c
11 matches
Mail list logo