Re: [openssl-users] How many SAN entries...?

2017-04-26 Thread Jeffrey Walton
On Wed, Apr 26, 2017 at 1:03 PM, Blumenthal, Uri - 0553 - MITLL wrote:
> A naïve question. A certificate that contains SAN attribute(s) – is there a limit on how many, say, RFC822 SAN attributes can a valid certificate have?
>
> It’s been my understanding that a cert can

Re: [openssl-users] How many SAN entries...?

2017-04-26 Thread Alan Buxey
Confirmed, I've seen dozens on one cert - far more preferable to do that and have such numbers than a single wildcard cert (which has issues on all sorts of platforms for various purposes).

alan

On 26 April 2017 at 18:24, Blumenthal, Uri - 0553 - MITLL wrote:
> > It’s been

Re: [openssl-users] How many SAN entries...?

2017-04-26 Thread Blumenthal, Uri - 0553 - MITLL
> It’s been my understanding that a cert can contain as many SAN attributes as needed, but it appears that Apple believes it has to be only one (because certificates with more than one are not processed properly).

Perhaps CAs have rarely issued email certificates with

Re: [openssl-users] How many SAN entries...?

2017-04-26 Thread Viktor Dukhovni
> On Apr 26, 2017, at 1:03 PM, Blumenthal, Uri - 0553 - MITLL wrote:
>
> A naïve question. A certificate that contains SAN attribute(s) – is there a limit on how many, say, RFC822 SAN attributes can a valid certificate have?

None of the standard SAN types (DNS, Email,

Re: [openssl-users] How many SAN entries...?

2017-04-26 Thread Salz, Rich via openssl-users
> A naïve question. A certificate that contains SAN attribute(s) – is there a limit on how many, say, RFC822 SAN attributes can a valid certificate have?

No.

> It’s been my understanding that a cert can contain as many SAN attributes as needed, but it appears that Apple believes it has to

[openssl-users] How many SAN entries...?

2017-04-26 Thread Blumenthal, Uri - 0553 - MITLL
A naïve question. A certificate that contains SAN attribute(s) – is there a limit on how many, say, RFC822 SAN attributes can a valid certificate have? It’s been my understanding that a cert can contain as many SAN attributes as needed, but it appears that Apple believes it has to be only

Re: [openssl-users] RFC2818 and subjectAltName

2017-04-26 Thread Ryan Murray
yes

Sent from Mail for Windows 10

From: Murray, Ronald-1 (ANF)
Sent: Wednesday, April 26, 2017 1:25 PM
To: 'openssl-users@openssl.org'
Subject: [openssl-users] RFC2818 and subjectAltName

We had an issue a few days ago when people with the newest version of Chrome were seeing security errors on

Re: [openssl-users] RFC2818 and subjectAltName

2017-04-26 Thread Ryan Murray
If you are asking me, by all means yes. Thanks for asking, I respect the value of honesty in a world that has so very few people left.

Sent from Mail for Windows 10

From: Viktor Dukhovni
Sent: Wednesday, April 26, 2017 1:55 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] RFC2818 and

Re: [openssl-users] RFC2818 and subjectAltName

2017-04-26 Thread Viktor Dukhovni
> On Apr 26, 2017, at 11:55 AM, Murray, Ronald-1 (ANF) wrote:
>
> Our certificates, of course, only contained the Common Name (CN), with no subjectAltName (SAN). I solved the problem by creating new certificates and hacking openssl.cnf to request a SAN in the

[openssl-users] RFC2818 and subjectAltName

2017-04-26 Thread Murray, Ronald-1 (ANF)
We had an issue a few days ago when people with the newest version of Chrome were seeing security errors on our internal sites which were using SSL certificates signed with our internal CA. This turned out to be caused by Google adhering to RFC2818, which says: If a subjectAltName extension of

Re: [openssl-users] QcStatements with OpenSSL (C++)?

2017-04-26 Thread lists
On 04/17/2017 06:40 PM, Matthias Ballreich wrote:

Hi there, can OpenSSL parse QcStatement X509v3 Extension btw. Did OpenSSL Support these? Any Piece of example Code of how can I parse the data?

To my knowledge, there is direct support for the qcStatements, you must parse it yourself. I

Re: [openssl-users] How to debug SSLV3_ALERT_BAD_RECORD_MAC

2017-04-26 Thread Viktor Dukhovni
> On Apr 26, 2017, at 3:39 AM, Matt Caswell wrote:
>
> I'd start by looking at the end-to-end pipe between the client SSL/TLS stack and the server stack and validating that the records look sane and unchanged at each step.

Well before that, I'd try to find out what's

Re: [openssl-users] How to debug SSLV3_ALERT_BAD_RECORD_MAC

2017-04-26 Thread Matt Caswell
On 25/04/17 22:37, craig_we...@trendmicro.com wrote:
> We have recently upgraded our product to 1.0.2k. We are getting this error on a packet sent to us from our browser-based user interface. I really need some suggestions as to how to debug this problem. I know it is in our code rather