On Fri, Mar 11, 2022 at 04:40:24PM -0800, Edward Tsang via openssl-users wrote:
> Does verify_ip support leftmost wildcard?
I am not aware of any RFC specifying wildcard matching in iPAddress
X.509 SANs, and no such feature is implemented in OpenSSL.
The SAN syntax is raw binary data in network
Hi
Does verify_ip support leftmost wildcard?
I know that hostname does for SAN and CN. But ip address seems to only
support exact match including the port?
Is that observation correct?
What does it take for verify_ip to support leftmost wildcard matching just
like DNS hostname?
Thanks
Hi
I recently migrated an application from OpenSSL 1.1.1 to OpenSSL 3.0, and
I'm wondering how best to handle DSA signatures - specifically, the 'r' and
's' values - in OpenSSL 3.0.
In OpenSSL 1.1.1, it was pretty easy:
DSA_do_sign() - gets you a DSA_SIG
DSA_SIG_get0() - gets you the 'r' and 's'
> From: edr
> Sent: Friday, 11 March, 2022 03:59
>
> On 10.03.2022 20:27, Michael Wojcik wrote:
> > Personally, I'd be leery of using openssl ca for anything other than
> dev/test purposes, in which case frequent CRL generation seems unlikely to
> be a requirement. AIUI, openssl ca isn't really i
Hi,
I have a hard time figuring out how to use --api=x.y.z regarding
OPENSSL_API_COMPAT define.
https://github.com/openssl/openssl/blob/openssl-3.0.1/INSTALL.md#api-level
https://www.openssl.org/docs/man3.0/man7/OPENSSL_API_COMPAT.html
Say I have #define OPENSSL_API_COMPAT 0x010101000L in one fi
> On 11 Mar 2022, at 8:49 am, Tomas Mraz wrote:
>
> Yes, this is a fully supported scenario.
>
> You can even test it with the openssl s_server command - use -cert,
> -key, and -cert_chain for the first certificate and -dcert, -dkey, and
> -dcert_chain with the second one.
Note that with e.g.
Yes, this is a fully supported scenario.
You can even test it with the openssl s_server command - use -cert,
-key, and -cert_chain for the first certificate and -dcert, -dkey, and
-dcert_chain with the second one.
Tomas Mraz
On Fri, 2022-03-11 at 13:19 +, Kris Kwiatkowski wrote:
> Hello,
>
Hello,
On my server, I would like to support 2 certificate chains. One chain
would be signed with RSA and the other with EdDSA (so 2 completely different
chains with 2 root certificates). Then, let's say, new clients that support
EdDSA will choose to use it, otherwise I'll serve RSA for everybody
On 10.03.2022 20:17, Michael Ströder via openssl-users wrote:
>
> Are you 100% sure all the software used by your relying participants is
> capable of handling the X509v3 extensions involved?
>
> In practice I saw software miserably fail validating such certs and CRLs. Or
> also CAs failed to gen