Re: [openssl-users] ecc negotiation

2015-04-05 Thread Matt Caswell
On 05/04/15 23:42, Matt Caswell wrote: On 05/04/15 22:04, David Rufino wrote: Hello, It's possible I'm doing something wrong here, but I can't seem to negotiate ecdhe with an elliptic curve other than P-256. To reproduce the issue, using openssl 1.0.2 openssl s_server -key

[openssl-users] Is there any plan for FIPS to be supported on Linux-aarch64?

2015-04-05 Thread Aaron
Hello, We are porting our products to Linux-aarch64. Our products are using OpenSSL with FIPS. I know that OpenSSL 1.0.2 started to support Linux-aarch64, but our products need OpenSSL FIPS as well. My question is when OpenSSL FIPS will be supported on Linux-aarch64? Thanks in advance,

[openssl-users] openssl is flexible when verifying

2015-04-05 Thread Yuting Chen
Hi, when I verify an X509 cert against a ca certificate, I found that the cert can pass validation even if it has two instances of X509v3 Basic Constraints, X509v3 Subject Key ids, and authority key ids. Seems that some issues are not important in verification. (I guess one reason is that one

Re: [openssl-users] ecc negotiation

2015-04-05 Thread Matt Caswell
On 05/04/15 22:04, David Rufino wrote: Hello, It's possible I'm doing something wrong here, but I can't seem to negotiate ecdhe with an elliptic curve other than P-256. To reproduce the issue, using openssl 1.0.2 openssl s_server -key server.key -cert server.crt -msg -debug -dhparam

[openssl-users] ecc negotiation

2015-04-05 Thread David Rufino
Hello, It's possible I'm doing something wrong here, but I can't seem to negotiate ecdhe with an elliptic curve other than P-256. To reproduce the issue, using openssl 1.0.2 openssl s_server -key server.key -cert server.crt -msg -debug -dhparam dhparam.pem -cipher ECDHE-RSA-AES128-SHA -tls1_2

Re: [openssl-users] openssl is flexible when verifying

2015-04-05 Thread Jeffrey Walton
On Sun, Apr 5, 2015 at 5:26 PM, Yuting Chen che...@cs.sjtu.edu.cn wrote: I checked some other certificates, and found that some non self-signed certificates having duplicate extension instances can be verified by openssl. I guess openssl is quite gentle when validating these malformed

Re: [openssl-users] openssl is flexible when verifying

2015-04-05 Thread Yuting Chen
I completely agree with Jeffrey's comments, Applications are not required to verify that key identifiers match when performing certification path validation. (RFC5280) But when the certificate has two authority key ids, openssl may take it as a certificate having no authority key ids (I think the

Re: [openssl-users] openssl is flexible when verifying

2015-04-05 Thread Yuting Chen
I checked some other certificates, and found that some non self-signed certificates having duplicate extension instances can be verified by openssl. I guess openssl is quite gentle when validating these malformed certificates. On Sun, Apr 5, 2015 at 1:55 PM, Yuting Chen che...@cs.sjtu.edu.cn

Re: [openssl-users] openssl is flexible when verifying

2015-04-05 Thread Yuting Chen
Read a little code of openssl, and found that in the function X509_check_issued(X509 *issuer, X509 *subject), the statement x509v3_cache_extensions(subject); is called four times, but one certificate did not get the subject keyid (as the block of if(subject->akid) is called three times).