Re: [openssl-users] Problem verifying a certificate chain

2017-11-29 Thread Pascal Withopf
Here is serverCA.pem as a file and as text -----BEGIN CERTIFICATE----- MIICJTCCAY4CCQCS+4ZH1+sfwzANBgkqhkiG9w0BAQUFADBWMQswCQYDVQQGEwJY WDELMAkGA1UECAwCWFgxDTALBgNVBAcMBHRlc3QxGTAXBgNVBAoMEFRlc3Rvcmdh bmlzYXRpb24xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMTcxMTMwMDczMDEzWhcNMTcx

Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Jordan Brown
On 11/29/2017 6:13 PM, Salz, Rich via openssl-users wrote: > I agree with you, but a problem is that “safe and secure” changes over > time when new  crypto and other new features are added. And then users > get upset when their connections no longer work. Agreed, that's a tough trade-off. Still,

Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Salz, Rich via openssl-users
> My number one complaint is that it seems like the defaults are generally set > up to do the wrong things, and the application has to either explicitly set > "yes, you should be secure" options or do stuff on its own. This seems to > have been getting better - gaining hostname validation, for

Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Jordan Brown
On 11/29/2017 8:53 AM, Salz, Rich via openssl-users wrote: > I am biased, but I believe the project is better, by almost any > metric, than it used to be. If you have specific suggestions for how > you think it could be improved, it would be great to see them. My number one complaint is that it

Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Salz, Rich via openssl-users
➢ It probably wouldn't hurt to post something to the lists when there's a blog post with news like this - items that subscribers would likely feel is important. Blog posts like the recent "OpenSSL in China" series probably don't need to be mentioned on the lists. But it's subjective, and I

Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > Of Salz, Rich via openssl-users > Sent: Wednesday, November 29, 2017 11:54 > To: openssl-users@openssl.org > Subject: Re: [openssl-users] FIPS certification for openssl > [I wrote:] > > That said, it wouldn't hurt for

Re: [openssl-users] Problem verifying a certificate chain

2017-11-29 Thread Viktor Dukhovni
> On Nov 29, 2017, at 10:57 AM, Pascal Withopf wrote: > > $ openssl x509 -in serverCA.pem -noout -purpose > > ... > > If the purpose is incorrect how can I set it? > > 2017-11-29 16:48 GMT+01:00 Viktor Dukhovni : > On Wed, Nov 29, 2017 at

Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Mark Minnoch
If you need a FIPS resource for the OpenSSL FIPS Object Module -- my business partner (Steve Weymann) and I worked with Steve Marquess when we were at a FIPS Testing Lab to achieve the FIPS 140-2 Cert. #1747 for the OpenSSL FIPS Object Module. We are now helping technology companies that need

Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Salz, Rich via openssl-users
> That said, it wouldn't hurt for the OMC to post a message to the list stating > that business will continue as planned, since two very key figures have left > the project. I have two reactions, just my personal view. First, it’s premature to say anything, we’re still figuring things out.

Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Jakob Bohm
On 29/11/2017 14:58, Michael Wojcik wrote: From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Sandeep Umesh Sent: Wednesday, November 29, 2017 07:30 To: openssl-users@openssl.org; i...@openssl.org As per this blog:

Re: [openssl-users] Problem verifying a certificate chain

2017-11-29 Thread Pascal Withopf
$ openssl x509 -in serverCA.pem -noout -purpose gave me this Certificate purposes: SSL client : Yes SSL client CA : No SSL server : Yes SSL server CA : No Netscape SSL server : Yes Netscape SSL server CA : No S/MIME signing : Yes S/MIME signing CA : No S/MIME encryption : Yes S/MIME encryption

Re: [openssl-users] Problem verifying a certificate chain

2017-11-29 Thread Viktor Dukhovni
On Wed, Nov 29, 2017 at 04:33:39PM +0100, Pascal Withopf wrote: > Which means I have the following certificate chain: > root.pem -> serverCA.pem -> server.pem > > But when I try to make a connection I see following error at the client > side: > Error with certificate at depth: 1 > issuer =

[openssl-users] Problem verifying a certificate chain

2017-11-29 Thread Pascal Withopf
Hi, I'm reading the book "Network Security with OpenSSL" published by O'Reilly at the moment. I'm following the example program and trying to establish a connection between a server and a client. I did the following to create my certificates: To create the root CA: $ openssl req -newkey rsa:1024

Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Salz, Rich via openssl-users
We are no longer doing additional platforms for the existing certifications. We are working on a plan for future FIPS validation, based on the 1.1.x line. From: Sandeep Umesh Reply-To: openssl-users Date: Wednesday, November 29, 2017 at 7:30 AM

Re: [openssl-users] SSL alert number 48

2017-11-29 Thread wizard2010
On Wed, Nov 29, 2017 at 1:54 PM, Viktor Dukhovni wrote: > On Wed, Nov 29, 2017 at 09:56:35AM +0100, Jan Just Keijser wrote: > > > Try adding this to the verify_callback > > > > > > static int verify_callback(int ok, X509_STORE_CTX *ctx) > > { > > X509

Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of > Sandeep Umesh > Sent: Wednesday, November 29, 2017 07:30 > To: openssl-users@openssl.org; i...@openssl.org > As per this blog: > https://www.openssl.org/blog/blog/2017/10/27/steve-marquess/ Thanks for pointing that

Re: [openssl-users] SSL alert number 48

2017-11-29 Thread Viktor Dukhovni
On Wed, Nov 29, 2017 at 09:56:35AM +0100, Jan Just Keijser wrote: > Try adding this to the verify_callback > > > static int verify_callback(int ok, X509_STORE_CTX *ctx) > { >     X509   *cert = NULL; >     char   *cert_DN = NULL; > >     printf("ok = %d\n", ok); >     cert    =

Re: [openssl-users] SSL alert number 48

2017-11-29 Thread Viktor Dukhovni
On Wed, Nov 29, 2017 at 01:44:01PM +, wizard2...@gmail.com wrote: > > > > int verify_callback (int ok, X509_STORE_CTX *ctx) > > > > { > > > > printf("Verification callback OK!\n"); > > > > return 1; > > > > } > > > > ... > > > > SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | > >

Re: [openssl-users] SSL alert number 48

2017-11-29 Thread wizard2010
On Tue, Nov 28, 2017 at 9:11 PM, Viktor Dukhovni wrote: > On Tue, Nov 28, 2017 at 10:03:12AM +, wizard2...@gmail.com wrote: > > > I guess my problem is really related to the verify callback > > on the SSL_CTX_set_verify function. > > I just added to my code a dummy

Re: [openssl-users] SSL alert number 48

2017-11-29 Thread wizard2010
Hi JJK, I tested your function and I've got this result: > ok = 0 > cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd > ok = 1 > cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd Why do I see this 2 times? When I created the certificates I didn't fill in any special information, just

[openssl-users] FIPS certification for openssl

2017-11-29 Thread Sandeep Umesh
Hello As per this blog: https://www.openssl.org/blog/blog/2017/10/27/steve-marquess/ Steve, who is instrumental in handling FIPS certification for the openssl object module, is no longer associated with OSF. How can we proceed for future FIPS certification? Is there any other contact person to perform

Re: [openssl-users] SSL alert number 48

2017-11-29 Thread Jan Just Keijser
Hi, On 28/11/17 11:03, wizard2...@gmail.com wrote: Hi there. I guess my problem is really related to the verify callback on the SSL_CTX_set_verify function. I just added to my code a dummy callback returning 1 and everything works properly. int verify_callback (int ok, X509_STORE_CTX *ctx);