Here is serverCA.pem as a file and as text
-----BEGIN CERTIFICATE-----
MIICJTCCAY4CCQCS+4ZH1+sfwzANBgkqhkiG9w0BAQUFADBWMQswCQYDVQQGEwJY
WDELMAkGA1UECAwCWFgxDTALBgNVBAcMBHRlc3QxGTAXBgNVBAoMEFRlc3Rvcmdh
bmlzYXRpb24xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMTcxMTMwMDczMDEzWhcNMTcx
On 11/29/2017 6:13 PM, Salz, Rich via openssl-users wrote:
> I agree with you, but a problem is that “safe and secure” changes over
> time when new crypto and other new features are added. And then users
> get upset when their connections no longer work.
Agreed, that's a tough trade-off.
Still,
> My number one complaint is that it seems like the defaults are generally set
> up to do the wrong things, and the application has to either explicitly set
> "yes, you should be secure" options or do stuff on its own. This seems to
> have been getting better - gaining hostname validation, for
On 11/29/2017 8:53 AM, Salz, Rich via openssl-users wrote:
> I am biased, but I believe the project is better, by almost any
> metric, than it used to be. If you have specific suggestions for how
> you think it could be improved, it would be great to see them.
My number one complaint is that it
➢ It probably wouldn't hurt to post something to the lists when there's a blog
post with news like this - items that subscribers would likely feel is
important. Blog posts like the recent "OpenSSL in China" series probably don't
need to be mentioned on the lists. But it's subjective, and I
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Salz, Rich via openssl-users
> Sent: Wednesday, November 29, 2017 11:54
> To: openssl-users@openssl.org
> Subject: Re: [openssl-users] FIPS certification for openssl
>
[I wrote:]
> > That said, it wouldn't hurt for
> On Nov 29, 2017, at 10:57 AM, Pascal Withopf wrote:
>
> $ openssl x509 -in serverCA.pem -noout -purpose
>
> ...
>
> If the purpose is incorrect how can I set it?
>
> 2017-11-29 16:48 GMT+01:00 Viktor Dukhovni :
> On Wed, Nov 29, 2017 at
If you need a FIPS resource for the OpenSSL FIPS Object Module -- my
business partner (Steve Weymann) and I worked with Steve Marquess when we
were at a FIPS Testing Lab to achieve the FIPS 140-2 Cert. #1747 for the
OpenSSL FIPS Object Module.
We are now helping technology companies that need
> That said, it wouldn't hurt for the OMC to post a message to the list stating
> that business will continue as planned, since two very key figures have left
> the project.
I have two reactions, just my personal view. First, it’s premature to say
anything, we’re still figuring things out.
On 29/11/2017 14:58, Michael Wojcik wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Sandeep Umesh
Sent: Wednesday, November 29, 2017 07:30
To: openssl-users@openssl.org; i...@openssl.org
As per this blog:
$ openssl x509 -in serverCA.pem -noout -purpose
gave me this
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption
On Wed, Nov 29, 2017 at 04:33:39PM +0100, Pascal Withopf wrote:
> Which means I have the following certificate chain:
> root.pem -> serverCA.pem -> server.pem
>
> But when I try to make a connection I see following error at the client
> side:
> Error with certificate at depth: 1
> issuer =
Hi,
I'm reading the book "Network Security with OpenSSL" published by O'Reilly
at the moment.
I'm following the example program and trying to establish a connection
between a server and a client.
I did the following to create my certificates:
To create the root CA:
$ openssl req -newkey rsa:1024
We are no longer doing additional platforms for the existing certifications.
We are working on a plan for future FIPS validation, based on the 1.1.x line.
From: Sandeep Umesh
Reply-To: openssl-users
Date: Wednesday, November 29, 2017 at 7:30 AM
On Wed, Nov 29, 2017 at 1:54 PM, Viktor Dukhovni wrote:
> On Wed, Nov 29, 2017 at 09:56:35AM +0100, Jan Just Keijser wrote:
>
> > Try adding this to the verify_callback
> >
> >
> > static int verify_callback(int ok, X509_STORE_CTX *ctx)
> > {
> > X509
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Sandeep Umesh
> Sent: Wednesday, November 29, 2017 07:30
> To: openssl-users@openssl.org; i...@openssl.org
> As per this blog:
> https://www.openssl.org/blog/blog/2017/10/27/steve-marquess/
Thanks for pointing that
On Wed, Nov 29, 2017 at 09:56:35AM +0100, Jan Just Keijser wrote:
> Try adding this to the verify_callback
>
>
> static int verify_callback(int ok, X509_STORE_CTX *ctx)
> {
> X509 *cert = NULL;
> char *cert_DN = NULL;
>
> printf("ok = %d\n", ok);
> cert =
On Wed, Nov 29, 2017 at 01:44:01PM +, wizard2...@gmail.com wrote:
> > > > int verify_callback (int ok, X509_STORE_CTX *ctx)
> > > > {
> > > > printf("Verification callback OK!\n");
> > > > return 1;
> > > > }
> > > > ...
> > > > SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER |
> >
On Tue, Nov 28, 2017 at 9:11 PM, Viktor Dukhovni wrote:
> On Tue, Nov 28, 2017 at 10:03:12AM +, wizard2...@gmail.com wrote:
>
> > I guess my problem is really related to verify callback
> > on SSL_CTX_set_verify function.
> > I just add to my code a dummy
Hi JJK,
I tested your function and I've got this result:
> ok = 0
> cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
> ok = 1
> cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
Why do I see this 2 times?
When I create the certificates I didn't fill with any special information,
just
Hello
As per this blog:
https://www.openssl.org/blog/blog/2017/10/27/steve-marquess/
Steve who is instrumental in handling FIPS certification for openssl object
module is no more associated with OSF.
How can we proceed for future FIPS certification ? Is there any other
contact person to perform
Hi,
On 28/11/17 11:03, wizard2...@gmail.com wrote:
Hi there.
I guess my problem is really related to verify callback on SSL_CTX_set_verify
function.
I just add to my code a dummy callback returning 1 and everything works
properly.
int verify_callback (int ok, X509_STORE_CTX *ctx);