, issues an HTTP
CONNECT call.
4) We now need to do an SSL handshake inside the first tunnel
The application is an HTTPS proxy server with support for transparent
decryption of HTTP connect calls.
--
*David Hinkle*
*Senior Software Developer*
*Phone:* 800.243.3729x3000
*Email:* hin
Engineer
Akamai Technologies, Cambridge MA
IM: rs...@jabber.me Twitter: RichSalz
--
*David Hinkle*
*Senior Software Developer*
*Phone:* 800.243.3729x3000
*Email:* hin...@cipafilter.com
*Hours:* Mon-Fri 8:00AM-5:00PM (CT)
? Or am I wrong and this shouldn't be happening?
--
*David Hinkle*
*Senior Software Developer*
*Phone:* 800.243.3729x3000
*Email:* hin...@cipafilter.com
*Hours:* Mon-Fri 8:00AM-5:00PM (CT)
, suboptimal and you have to do this. A patch to update the doc (where
should we put it?) would be appreciated.
--
Principal Security Engineer
Akamai Technologies, Cambridge MA
IM: rs...@jabber.me Twitter: RichSalz
--
*David Hinkle*
*Senior Software Developer*
*Phone:* 800.243.3729x3000
Just so I make sure I understand, I just need to do something like:
while ((err = ERR_get_error()));
When I switch work and everything will be ok?
On Thu, Aug 14, 2014 at 4:44 PM, David Hinkle hin...@cipafilter.com wrote:
This is where I would have expected to find it:
https
-ssl-wbio
$7 = {method = 0x7f136db8a5e0, callback = 0, cb_arg = 0x0, init = 1,
shutdown = 0, flags = 9, retry_reason = 0, num = 91, ptr = 0x0, next_bio =
0x0, prev_bio = 0x0, references = 1, num_read = 7752, num_write = 2188,
ex_data = {sk = 0x0, dummy = 862740789}}
--
*David Hinkle*
*Senior
--
*David Hinkle*
*Senior Software Developer*
*Phone:* 800.243.3729x3000
*Email:* hin...@cipafilter.com
*Hours:* Mon-Fri
the scene?
For example, I need to break a long string into blocks to use
EVP_EncryptUpdate but I only need to feed the ciphertext into
EVP_DecryptUpdate once.
David
On Fri, Aug 1, 2014 at 8:36 PM, Salz, Rich rs...@akamai.com wrote:
Just wanted to say that Thulasi’s explanations and advice
but the finalization added 11 more bytes. So the total
decrypted len is 43.
Can you explain where the 11 more bytes are coming from after finalization?
Also It seems OK even if I don't use finalization,
David
On Thu, Jul 31, 2014 at 8:22 PM, Thulasi Goriparthi
thulasi.goripar...@gmail.com wrote:
On Fri
)) == 0) {
printf("Finalization error: %d\n", rc);
return -1;
}
Can anyone explain why?
David
I am developing an application similar to a VPN which uses OpenSSL for DTLS
and am trying to sort out path MTU discovery. The first issue I am having
is that the man pages for SSL_write and SSL_read provide the following
warning:
When an SSL_write() [or SSL_read()] operation has to be repeated
APIs might have
internally picked the ones they need and ignore the rest in the file. Maybe
it's just a convenient way to use a single file for both.
David
printed out but only:Segmentation fault
(core dumped)
I searched the old mailing list and on the web but found no clues so far.
Can anyone suggest how to debug this issue?
Thanks.
David
a concatenated chain of certificates: server cert -
server key - CA cert (self signed). It's strange to me that
openssl s_server command can load the same cert chain no problem. So I am
leaning towards that it's in my code not the cert chain problem.
David
On Tue, May 20, 2014 at 11:07 AM
:error:140A90A1:SSL
routines:SSL_CTX_new:library has no ciphers:ssl_lib.c:1770:
So obviously my SSL_CTX object wasn't created properly. Now I have to
figure out what it means by library has no ciphers.
David
On Tue, May 20, 2014 at 11:47 AM, Dave Thompson dthomp...@prinpay.com wrote:
From
Rich,
I did the following calls:
OpenSSL_add_all_algorithms();
OPENSSL_init_library();
SSL_load_error_strings();
Are these enough?
On Tue, May 20, 2014 at 1:32 PM, Richard Moore richmoor...@gmail.com wrote:
On 20 May 2014 20:13, David Li dlipub...@gmail.com wrote:
So obviously my
Oh, I see,
I should have used SSL_library_init() rather than OPENSSL_init_library().
Thanks everyone! Great help!
David
On Tue, May 20, 2014 at 1:38 PM, David Li dlipub...@gmail.com wrote:
Rich,
I did the following calls:
OpenSSL_add_all_algorithms();
OPENSSL_init_library
Hi,
is anyone out there developing or planning an implementation of EST
(Enrollment over Secure Transport) in C/C++, making use of OpenSSL?
Best,
David
__
OpenSSL Project http
);
if ((rc = EVP_DecryptFinal_ex(ctx, debuf, datalen)) == 0) {
printf("Finalization error: %d\n", rc); // This is the failure! rc = 0
return -1;
}
David Li
On 9/24/2013 11:58 AM, Roberto Spadim wrote:
There's space to create a new random device at /dev if you want too =)
/dev/nbrandom ? no block random? :)
2013/9/24 Richard Könning richard.koenn...@ts.fujitsu.com:
Am 24.09.2013 02:05, schrieb starlight.201...@binnacle.cx:
At 12:59 9/23/2013
On 9/25/2013 2:19 PM, Roberto Spadim wrote:
hi david!
do you have a patch about this hack?
Actually Fedora 18 fixes the primary problems. It has an update to rngd
so that it uses RdRand and it gets invoked properly. I passed
information on to RedHat about the problems and they fixed
Hello,
I'm interested in having 'openssl' version 1.0.1e
make use, by default, of hardware generated
true random numbers for creating session keys.
So far I've configured a STElectronics ST33
TPM as the majority source of /dev/random
entropy by configuring and starting the
'rngd' daemon from
A
--
David McCullough, dav...@spottygum.com, Ph: 0410 560 763
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List
I am trying to implement functionality similar to what ssh does with
authorized_keys. I have a list of valid public keys (really public key
fingerprints in my case) and I want to verify whether the peer has one of
the valid keys.
My attempt to do this is to use SSL_CTX_set_cert_verify_callback to
)
If you are using a HW accelerator then even if it is slower to do the
crypto there can be benefits in CPU offloading.
What you are seeing is quite likely correct. So the best answer is,
choose the solution that solves your problem the best :-)
Cheers,
Davidm
--
David McCullough, dav
algorithm:pmeth_lib.c:164:
Has there been an incompatible change in the engine interface, such that
engine_pkcs11 needs an update?
regards, David Lamkin
Careful about this. The technically correct answer is misleading.
Yes, MD5 is used in the PRF, but it is XORed with SHA1. So you get at
least the strength of stronger of the two.
--David Jacobson
On 4/23/13 3:31 AM, Erwann Abalea wrote:
MD5 is used in TLS1.0 for RSA signing and random
hi all..
I've been able to build the FIPS Object Module according to the directions
starting in Appendix E.2 Apple iOS Support of the Jan. 25 2013 version of the
User Guide with one small change:
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk
be careful not to give the impression that DTLS
will magically give you an in-order, guaranteed-delivery data stream.
It won't; it's still a datagram protocol at heart.
--
David Woodhouse Open Source Technology Centre
david.woodho...@intel.com
You can't use strerror for OpenSSL errors. Look into ERR_get_error() and
ERR_error_string().
I think what's happening with your code is that you set a recv timeout on
the listen socket, so you listen for one second and then hit the timeout
and the socket returns EWOULDBLOCK/EAGAIN to OpenSSL
to improperly conclude that there was an option I was missing in the
code.
So, thanks very much for your time and effort in helping to dispel my
confusion.
- David
On Tue, Jan 22, 2013 at 3:39 PM, Dave Thompson dthomp...@prinpay.com wrote:
From: owner-openssl-us...@openssl.org On Behalf Of David Hinkle
:7b:fc:ee:7f:
a2:16:52:b5:67:67:d3:40:db:3b:26:58:b2:28:77:3d:ae:14:
77:61:d6:fa:2a:66:27:a0:0d:fa:a7:73:5c:ea:70:f1:94:21:
65:44:5f:fa:fc:ef:29:68:a9:a2:87:79:ef:79:ef:4f:ac:07:
77:38
--
*David Hinkle*
*Senior Software Developer*
*Phone:* 800.243.3729x3000
hello, and from
there decide if I want to engage the openssl library on the connection.
Any recommendations for how I can stuff the client hello that I've
previously read into the SSL object so that when I call SSL_accept
everything is cool?
--
*David Hinkle*
*Senior Software Developer*
*Phone
Hi Dave,
Thank you very much.
You just answered all my questions.
That helped a lot!!
Regards,
David William
On Tue, Sep 25, 2012 at 9:15 PM, Dave Thompson dthomp...@prinpay.com wrote:
From: owner-openssl-us...@openssl.org On Behalf Of David William
Sent: Tuesday, 25 September, 2012 07:07
with a self signed certificate?
Thanks,
David William
Hi, I have an RSA key { D, E, N } generated by another library. I can
use OpenSSL to encrypt decrypt interoperably, but I would like to
extend the key with the other factors OpenSSL uses to work faster
(factors P, Q, DMP1, DMQ1, IQMP). Is there a library function that
computes these other
On 8/9/2012 14:54, Erik Tkal wrote:
I don't believe OpenSSL has any mechanism to directly calculate P and
Q; this requires an iterative process. Once you have those, however,
calculating the rest are simple calculations using the BN library.
Thanks, Erik.
I wrote the following code to
Hi,
I am trying to sign a file using dgst but not sure why I got this unable to
load key file. Here is the original command:
openssl dgst -sha384 -out xyz.sig -sign $PWD/keys/my_private.pem
xyz.to-be-signed
The private key file my_private.pem DOES exist in the directory.
The openssl
Dave,
Sorry I forgot. I do also have the EC public key (the point Qx and Qy) in hex.
I also know the curve P-384.
So the only step I am not sure is how to convert the EC private and public keys
into the DER format, i.e., step 2.
- David
From: owner
Hi,
How does openssl dgst know which signing algorithm it's supposed to use in
openssl dgst? For example how does it figure out if this signing private key is
a ECDSA key or RSA key? Is this information hidden in the priv_key.pem of
the option -sign priv_key.pem ?
David
steps:
1. convert it to a binary key
2. convert the binary key into DER format (which openssl cmd?)
3. use openssl ec to convert the key in DER format to PEM format
4. use open dgst to sign the message.
Does this make sense?
David
-Original Message-
From: owner-openssl-us...@openssl.org
Obviously my-priv-key should be the d in the test vector. The questions
are:
How should I use d in openssl dgst command line? Should it be converted to
PEM format? If so how do I do that?
Thanks in advance.
David
I am getting individual messages. Is it possible to subscribe in batch
(digest) mode?
David
,
EVP_aes_128_ecb(), //can't find
EVP_aes_256_gcm
- David
-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Matt Caswell (fr...@baggins.org)
Sent: Tuesday, May 22, 2012 10:49 AM
To: openssl-users@openssl.org
That's good news.
Where can I find a simple example how to use AES-GCM using EVP-* apis?
David
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Wednesday, May 23, 2012 12:05 PM
To: openssl-users
Hi All,
I can't find this function in the source tree? It seems pointing to
FIPS_aes_256_gcm. All I see is:
grep -r FIPS_evp_aes_256_gcm .
./crypto/evp/evp_fips.c:const EVP_CIPHER *EVP_aes_256_gcm(void) { return
FIPS_evp_aes_256_gcm(); }
Anyone know where it is?
David
Dr. Henson,
If, for instance, a key in the NIST test vector is:
Key = 84ff9a8772815b929d55f6052c0354cf3e02bcc8336fcfe5794952b4c45d5d96
What byte is the LSB (0x96?) and which is the MSB (0x84?)?
- David
From: owner-openssl-us...@openssl.org [owner
from NIST
vector but tag value didn't. I obtained the tag value by:
unsigned char tag[16];
memcpy(tag, ctx.Xi.c, 16);
Anyone can think of a reason what might have gone wrong?
- David
The test vectors from NIST look like:
[Keylen = 256]
[IVlen = 128
On 04/27/12 02:29 AM, Dr. Stephen Henson wrote:
Hmm never seen any error messages myself, using GNU tar 1.25.
The distribution tarballs are always created by doing:
make -f Makefile.org dist
from any source tree. As you can see from the files this makes use of tar
and tardy. The tar version
on the server and using
OpenSSL directly on the terminals.
Anyone who has some experience with this kind application?
David Kong
.127.0.0.1
ERROR
4150167176:error:14094456:SSL routines:SSL3_READ_BYTES:tlsv1 unsupported
extension:s3_pkt.c:1240:SSL alert number 110
shutting down SSL
CONNECTION CLOSED
ACCEPT
David Holmes | Technical Marketing Manager - Security
F5 Networks
P 206.272.
F 206.272.5556
www.f5.com
D
From: cam c...@xtremelabs.com
I'm having a problem generating a signed SMIME message.
I have to interface with a CAC card reader that implements a subset of the
pkcs11 standard. I pass the message to the card API and it returns a
signed
digest and now I need to pass this signed digest to
I finally figured this out:
./config set the platform as debug-linux-elf
I ran a Configure linux-elf shared and that solved the problem, no electric
fence debug messages.
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of David Booher
Sent: Wednesday
Personally, I find sslscan (http://sourceforge.net/projects/sslscan/) an
invaluable tool to see just what the server accepts and what it does not
Dave
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Jakob Bohm
Sent:
Hi all,
I'm a newbie, so please be kind :)
I just did a make on the new 1.0 beta and configured for shared libraries. I
noticed that during a make test there are several debug messages coming from
Electric Fence. I also see this just doing a openssl version...
I'm wondering how to compile
for replacement
and extension of supported algorithms. Why couldn't the fips canister be
incorporated into a kernel module?
Appreciate any wisdom that anyone is willing to share!
Thanks
David
Looks like there is a relevant discussion here
http://groups.google.com/group/mailing.openssl.users/msg/fa55b6bac4f91d8f
_
_
From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] On
Behalf Of David Weidenkopf [dweidenk...@cococorp.com]
Sent
On Thu, Oct 27, 2011 at 4:55 PM, Dave Thompson dthomp...@prinpay.com wrote:
If you just want confidentiality with truly no authentication,
SSL/TLS (and OpenSSL) can do that with the anonymous-DH and
anonymous-ECDH suites. I assume you understand and accept the
vulnerabilities you are creating
On Fri, Oct 28, 2011 at 12:26 PM, David Durham
david.durham...@gmail.com wrote:
I'm just sending the message to cout. If you can point me to
information on outputting the full OpenSSL error stack, I'd appreciate
it.
replied too soon, looks like this is what I want:
ERR_print_errors(sbio
Hi all,
I'm new to C++ and libssl, but nevertheless trying to write an SSH
server. I have gone through tutorials and believe I have a working
server that initializes an SSL context, binds and listens on a TCP
socket, and accepts a connection. Using a debugger I see that if I
try to ssh
On Thu, Oct 27, 2011 at 4:09 PM, Eric S. Eberhard fl...@vicsmba.com wrote:
I believe the last function, the write, is missing a return false with the
error message?
Doesn't matter though, it's not an issue. Thanks.
On 8/25/2011 6:04 AM, Arjan Filius wrote:
Hello,
today i ran into a situation, where i notice firefox/chrome and
gnutls-cli use 3 tcp sessions to get a single ssl session, where openssl
s_client takes only one.
one tcp session is what i expect, and i hope someone may have an
explanation.
On 7/26/2011 10:16 PM, Katif wrote:
Can you tell me what are the application dependency factor here so we'll be
able to chase a limit?
It is used as an RSA key exchange certification/private key pairing.
Thanks...
Maximum RSA key size supported.
Extensions supported.
DS
On 7/26/2011 4:38 AM, Katif wrote:
I need to know in advance the maximum length of the following three PEM
formatted files (excluding the -BEGIN/END lines):
It's application-dependent. There is no answer in general.
DS
On 7/14/2011 6:17 AM, Amit Kumar wrote:
Hi team,
I am using SSL_Connect() in one of my projects and this SSL_connect
is returning a value of -1.
With SSL_get_error() i can see it is *SSL_ERROR_WANT_READ ?*
*
*
* Now i am not understanding why this can come and if this is there
then
On 7/11/2011 3:18 PM, Carla Strembicke wrote:
The server receives the encrypted data and sends to the lower level
and where it is pumped into the SSL structure ( which is using these
memory buffers) using the BIO_write call ( I actually see that bytes are
written into it) and the buffer looks
On 6/21/2011 2:40 AM, ml.vladimbe...@gmail.com wrote:
The fourth function is SSL_EncryptUserData, which encrypt our own
application data before we can send their to secure channel:
int SSL_EncryptApplicationData(char *buf_in, int buf_in_len, char
buf_out, int buf_out_len, int
On 6/21/2011 2:53 AM, ml.vladimbe...@gmail.com wrote:
Jim, for me the main goal to replace functions that operate with sockets
is performance. I want to use OpenSSL with Windows IO Completion ports.
The method that you suggest is very interesting but the main is not
achieved - OpenSSL is still
on how to make it use the right one?
Thanks,
David
On 6/22/2011 3:20 AM, ml.vladimbe...@gmail.com wrote:
Where can I find this example with BIO pairs? I can't understand only
with openssl's documentation how to work with BIO pairs.
I will be grateful for the help.
Look in ssl/ssltest.c, in the doit_biopair function.
DS
On 6/15/2011 11:57 AM, ml.vladimbe...@gmail.com wrote:
Hello.
By default OpenSSL itself works with sockets. I would want to implement
operation with sockets without admitting it to OpenSSL. I.e. for
example, when OpenSSL wants to write down something in a socket, it
should cause my function and
On 6/11/2011 8:52 AM, kali muthu wrote:
I have Linux Server which has been connected with a Windows XP client
using SSL Sockets. I am able to read and write through those sockets.
Good.
Recently my calls to SSL_Connect() waits for long time. And yes I am
using in Blocking mode. My search on
On 05/31/2011 03:02 PM, David Mitchell wrote:
On May 31, 2011, at 2:32 PM, Dave Thompson wrote:
From: owner-openssl-us...@openssl.org On Behalf Of David Mitchell
Sent: Friday, 27 May, 2011 12:35
I'm having some problems with EAP-TLS in FreeRadius 2.1.10. I
have a client
where
: Error: SSL: SSL_read failed inside of TLS (-1), TLS
session fails.
Fri May 27 10:17:51 2011 : Debug: TLS receive handshake failed during operation
-
| David Mitchell (mitch...@ucar.edu) Network Engineer IV |
| Tel: (303) 497-1845
On 5/23/2011 1:59 AM, Harshvir Sidhu wrote:
David,
So are you suggesting that i change the approach in my Code.
Hard for me to give you a useful answer without seeing your code. If
your code tries to treat OpenSSL as a filter, expecting input and output
to correlate, then yes. If your
On 5/22/2011 5:10 PM, Harshvir Sidhu wrote:
Previously I have used SSL_XXX functions for performing SSL
operations. Now i have am working on an application which is written in
Managed C++ using callback functions(BeginReceive and EndReceive), and
SSL_Read function is not working for that.
On 5/18/2011 3:27 AM, G S wrote:
I'm probably being obtuse here, but I don't see how encrypting your
request with a public key would help you with your original problem.
What stops a rogue app from doing the same encryption?
They can't see what the parameters are. So what are
On 5/9/2011 1:45 PM, Eric S. Eberhard wrote:
int setblock(fd, mode)
int fd;
int mode; /* True - blocking, False - non blocking */
{
int flags;
int prevmode;
flags = fcntl(fd, F_GETFL, 0);
prevmode = !(flags & O_NDELAY);
if (mode)
flags &= ~O_NDELAY; /* turn blocking on */
else
flags
On 5/10/2011 2:10 AM, John Hollingum wrote:
I have a service written in Perl, running on Linux that presents a very
simple SSL listener. When this service is hit, it identifies the
connecting node from its certificate/peer address and just sends some
xml to them containing data from some files
On 5/9/2011 6:27 AM, Harshvir Sidhu wrote:
Also i suspect, that if i change the socket to non blocking, then
my current read write code will not work. i mean the one in which i use
FD_SET and select to perform operations.
Thanks.
It's very easy to get things wrong and it won't work
On 5/5/2011 10:01 AM, Chris Dodd wrote:
Is the OpenSSL library supposed to be at all reentrant? I've had odd
problems (intermittent errors) when trying to use OpenSSL in a
multithreaded
program (multiple threads each dealing with independent SSL connections),
and have apparently solved them by
On 5/4/2011 9:14 AM, Ashwin Chandra wrote:
Okay I read the complete bug report and it looks like there is a fix in
the latest openssl. However I checked it out and it limits the maximum
time RAND_poll will take to a second. 1000ms. Is there any other way to
speed this up?
Populate the OpenSSL
On 5/3/2011 11:31 AM, derleader mail wrote:
Hi,
I found OpenSSL server code which uses threads in order to process
clients. Is it possible to create connection pool with OpenSSL. There is
no information about this on openssl.org
How I can add threaded pool to this code?
On 5/1/2011 1:34 AM, derleader mail wrote:
I'm going to use stream protocol - TCP/IP. Here is the template source
code of the server without the encryption part
We mean application protocol.
while (1) {
sock = accept(listensock, NULL, NULL);
printf(client connected to child thread %i with
On 5/1/2011 3:31 AM, derleader mail wrote:
So I need a high performance solution that can handle many connections
with little server load.
1. SSL is a good solution but is not high performance - it's more
suitable for encryption of a web page. When establishing connection more
that 100
On 4/30/2011 10:48 AM, derleader mail wrote:
Thank you very much for the reply. The problem is that the encryption
and decryption must be on separate machines. I need a way to take the
size of the encrypted message using language function like strlen(). Is
there other solution?
Are you
On 4/20/2011 1:18 AM, Luc Perthuis wrote:
Hi all,
I'm specially interested on finding a way to uniquely identify rather
small data chunks (less than or equal to 128*1024 bytes in size) without
using a byte per byte compare.
Is there any theoretical proof for a good selection of 2 HASH
On 4/13/2011 2:35 AM, pattabi raman wrote:
*1. If I can't use sprintf then how can I copy the encrypted message to a
character buffer. Bcoz so far I am sending the request to middleware in
Char Buffer using TCP /IP socket. How can I able to achieve now.*
**
If you don't know how to copy bytes
On 4/11/2011 6:36 PM, Adrian D. Sacrez wrote:
I'm fairly new to OpenSSL. How do I convert the rsa generated
by rsa_keygen_ex() into a public and private key?
Is there a way to do that?
I assume you mean RSA_generate_key_ex. It already is. The purpose of
this function is to generate a new
On 4/10/2011 3:03 PM, Anton Vodonosov wrote:
The question: if I provide locking_callback, will it be called only from the
threads where I invoke OpenSSL functions,
or OpenSSL may call it from some private/internal threads not created by me?
Since there's no callback to create a thread,
or 'present' the
client cert now...
Client key AND cert. See my reply 03-29 21:56.
- Original Message -
From: David Patricola david.patric...@jefferson.edu
To: openssl-users@openssl.org
Sent: Wednesday, March 30, 2011 9:32:36 AM
snip: Java keytool -importcert
Do the other two stay in the same folder as root.crt, but only root.crt
actually gets installed in the cacerts file?
-Original Message-
From: Tomas Gustavsson [mailto:to...@primekey.se]
Sent: Wednesday, March 30, 2011 3:49 AM
To: openssl-users@openssl.org
Cc: David Patricola
Subject: Re
to!
_
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Lou Picciano
Sent: Wednesday, March 30, 2011 8:55 AM
To: openssl-users@openssl.org
Subject: Re: Truststore or Cacerts file?
David,
You may get some ambiguous answers to - ultimately
or Cacerts file?
David,
You may get some ambiguous answers to - ultimately - a PG question on the
SSL list... Yes, in a _standard_ PostgreSQL SSL setting, in which libpq is
reading the certs from _default_ positions, the root.crt, postgresql.crt and
postgresql.key are all in the same 'folder'. (I
-
From: David Patricola david.patric...@jefferson.edu
To: openssl-users@openssl.org
Sent: Wednesday, March 30, 2011 9:32:36 AM
Subject: RE: Truststore or Cacerts file?
Ok, I've modified my import as follows: E:\JRun4\jre\binkeytool -importcert
-alias dca -file E:\Jrun4\jre\lib\security\root.crt
On 3/30/11 8:33 AM, Crypto Sal wrote:
David:
Firefox caches that information, so that it can use them later if you
view a similar certificate hierarchy.
If you view the Firefox Certificate Manager you should see Software
Security Device vs. that of Built in Object next to each
?
David
[root@rhesprodipvs01 ~]# openssl s_client -connect
dealer.md-bmc.rpdss.com:443
CONNECTED(0003)
depth=3 C = US, O = Entrust.net, OU = www.entrust.net/CPS incorp. by
ref. (limits liab.), OU = (c) 1999 Entrust.net Limited, CN = Entrust.net
Secure Server Certification Authority
verify
On 3/29/11 12:58 PM, Bruce Stephens wrote:
Add the -showcerts option to the s_client commands and you'll see the
first server returns a chain of certificates where the second offers
only the end server certificate.
Okay, I see that - Makes sense. When I hit the hostname w/ Firefox I'm
able to
they go into the default cacerts file or create a
truststore?
David Patricola | Senior Cold Fusion Developer | Web Applications Services
| Jefferson Information Technologies
Thomas Jefferson University | Philadelphia, PA | 215.503.1715 (Office)
101 - 200 of 1731 matches