Handshake split across multiple TCP connections

2010-11-29 Thread A. N. Alias
I've been using IE, Chrome and Firefox as clients for a test SSL/TLS server.  This works fine with Firefox, which uses a single TCP connection for the TLS handshake and subsequent communication.  However, IE and Chrome seem often to send different parts of the handshake on different TCP

Verifying self-signed certificate

2010-11-29 Thread iruvopenssl
Greetings, I guess this question must have been asked quite a lot over here, but I couldn't find any traces of it so I guess I'll repeat it. I can't seem to be able to verify (using 'openssl verify') - without openssl spitting a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT - a server certificate

ECDSA signing problem in openssl-1.0.0 (was ok in 0.9.8)

2010-11-29 Thread Brian Warner
Hey folks, I'm tearing out some hair trying to figure out how to make progress on a problem I'm having. I've got a pure-python ECDSA library (http://github.com/warner/python-ecdsa) that includes some interoperability tests against OpenSSL. The first test uses OpenSSL to generate a keypair and

Re: ECDSA signing problem in openssl-1.0.0 (was ok in 0.9.8)

2010-11-29 Thread Brian Warner
openssl ecparam -name secp384r1 -genkey -out privkey.pem openssl dgst -sign privkey.pem -ecdsa-with-SHA1 -out data.sig data.txt These commands worked fine on openssl-0.9.8, but now when I run them against openssl-1.0.0a, the second one gives me the following error: Ah, figured it out.

RE: TLS unknown_ca alert number 48

2010-11-29 Thread jason.ting
The server doesn't think so. Look at the server CertReq to see if it is asking for particular CA(s) and if so whether the cert your client is using is issued by that CA (or one of them). Also check whether it is directly under or chained; if the latter I don't think commandline s_client can do

multiple handshake messages in a single TLSPlaintext record

2010-11-29 Thread Yannay Alon-BAY004
Hi I want to use openssl to send several handshake messages in a single tls fragment. (e.g. serverhello + serverkeyexchange + serverhellodone in a PSK ciphersuite) In the words of rfc 4346 section 6.2.1: multiple client messages of the same ContentType MAY be coalesced into a single

Re: Handshake split across multiple TCP connections

2010-11-29 Thread Victor Duchovni
On Mon, Nov 29, 2010 at 02:34:29AM -0800, A. N. Alias wrote: As an example, IE may connect and send a ClientHello. The server responds with a ServerHello on the same socket. IE then replies with ClientExchange/ChangeCipherSpec/Finished, but not necessarily on the same socket. This is

Re: Verifying self-signed certificate

2010-11-29 Thread Dr. Stephen Henson
On Mon, Nov 29, 2010, iruvopen...@hushmail.com wrote: Greetings, I guess this question must have been asked quite a lot over here, but I couldn't find any traces of it so I guess I'll repeat it. I can't seem to be able to verify (using 'openssl verify') - without openssl spitting a

Re: multiple handshake messages in a single TLSPlaintext record

2010-11-29 Thread Dr. Stephen Henson
On Mon, Nov 29, 2010, Yannay Alon-BAY004 wrote: Hi I want to use openssl to send several handshake messages in a single tls fragment. (e.g. serverhello + serverkeyexchange + serverhellodone in a PSK ciphersuite) In the words of rfc 4346 section 6.2.1: multiple client messages of the

Re: Handshake split across multiple TCP connections

2010-11-29 Thread David Schwartz
On 11/29/2010 2:34 AM, A. N. Alias wrote: I've been using IE, Chrome and Firefox as clients for a test SSL/TLS server. This works fine with Firefox, which uses a single TCP connection for the TLS handshake and subsequent communication. However, IE and Chrome seem often to send different parts

Re: Verifying self-signed certificate

2010-11-29 Thread iruvopenssl
On Mon, 29 Nov 2010 20:05:43 +0200 Dr. Stephen Henson st...@openssl.org wrote: On Mon, Nov 29, 2010, iruvopen...@hushmail.com wrote: Greetings, I guess this question must have been asked quite a lot over here, but I couldn't find any traces of it so I guess I'll repeat it. I can't

Re: Verifying self-signed certificate

2010-11-29 Thread Dr. Stephen Henson
On Tue, Nov 30, 2010, iruvopen...@hushmail.com wrote: On Mon, 29 Nov 2010 20:05:43 +0200 Dr. Stephen Henson st...@openssl.org wrote: Greetings! I'm doing nothing funky: $ openssl genrsa -des3 -out ca.key 4096 $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt $ openssl genrsa

(no subject)

2010-11-29 Thread 江川 寛子
-- OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org