Re: [openssl-users] Alert number 43

2016-11-02 Thread David Li
Hi Jeff, I am not sure I can post the entire cert here. Is there any part in particular that would be useful to debug the Alert Number 43 problem? David On Tue, Nov 1, 2016 at 8:07 PM, Jeffrey Walton wrote: >> When I tested a remote server using s_client, it responded with:

[openssl-users] Alert number 43

2016-11-01 Thread David Li
Hi, When I tested a remote server using s_client, it responded with: verify return:1 139790582232992:error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate:s3_pkt.c:1259:SSL alert number 43 139790582232992:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake

[openssl-users] Strange problem in using verify command

2015-09-10 Thread David Li
Hi, I am using "openssl verify -CAfile " to verify the certificate. It's been running as expected. Recently I started to run this command on a different x86 platform. What I found is that the first few times I always got: error 9 at 1 depth lookup:certificate is not yet valid Then I waited 10

Re: [openssl-users] Strange problem in using verify command

2015-09-10 Thread David Li
Hi Jakob, The computer has been up running for quite a while. I wonder if it really needs NTP to take that long to sync up. David On Thu, Sep 10, 2015 at 7:20 PM, Jakob Bohm <jb-open...@wisemo.com> wrote: > On 11/09/2015 02:13, David Li wrote: >> >> Hi, >> >> I

Re: [openssl-users] How to verify a cert chain using Openssl command line?

2015-06-30 Thread David Li
and https://mta.openssl.org/pipermail/openssl-users/2015-May/001388.html 2015-06-29 23:58 GMT+02:00 David Li dlipub...@gmail.com: The subCA has nameConstraints in the subCA configuration file: [name_constraints] permitted;DNS.0 = example.com client configuration file has subjectAltName

Re: [openssl-users] How to verify a cert chain using Openssl command line?

2015-06-29 Thread David Li
, Ben Humpert b...@an3k.de wrote: Do you use nameConstraints or have specified IP in subjectAltName? Because OpenSSL can't handle that correctly. 2015-06-29 22:51 GMT+02:00 David Li dlipub...@gmail.com: Hi, As a test, I have created a rootCA, a subCA (signed by the rootCA) and a client cert

Re: SSL_MODE_SEND_FALLBACK_SCSV option

2014-10-24 Thread David Li
I am still a little unclear by what exactly TLS_FALLBACK_SCSV option would do. What if the server only supports SSLv3 + TLSv1 and client only connects with SSLv3? Without the patch, both would agree to SSLv3. So this is a problem. What happens with the patch only on the server? And what happens

Re: SSL_MODE_SEND_FALLBACK_SCSV option

2014-10-24 Thread David Li
On Fri, Oct 24, 2014 at 11:18 AM, Richard Könning richard.koenn...@ts.fujitsu.com wrote: At 24.10.2014 19:03, David Li wrote: I am still a little unclear by what exactly TLS_FALLBACK_SCSV option would do. What if the server only supports SSLv3 + TLSv1 and client only connects with SSLv3

Re: SSL_MODE_SEND_FALLBACK_SCSV option

2014-10-24 Thread David Li
On Fri, Oct 24, 2014 at 1:28 PM, Richard Könning richard.koenn...@ts.fujitsu.com wrote: On 24.10.2014 20:47, David Li wrote: On Fri, Oct 24, 2014 at 11:18 AM, Richard Könning richard.koenn...@ts.fujitsu.com wrote: At 24.10.2014 19:03, David

Re: Question on EVP_DecryptFinal_ex

2014-08-03 Thread David Li
Hi Thulasi/Rich, Thanks! This prompted me to uncover another bug in the code. I did encrypt an extra block of zeros! Now everything makes sense. Can't help to dig a little deeper into this: In AES-CBC mode, the decryption can be paralleled. Is this what the EVP_DecryptUpdate is doing behind the

Re: Question on EVP_DecryptFinal_ex

2014-08-01 Thread David Li
, Aug 1, 2014 at 5:46 AM, David Li dlipub...@gmail.com wrote: Hi, I am using openssl 1.0.1h and AES128 CBC mode to encrypt some arbitrary long ASCII string. I encountered an issue at decryption. If I use EVP_DecryptFinal_ex then the output is unrecognizable. If I remove the following

Question on EVP_DecryptFinal_ex

2014-07-31 Thread David Li
Hi, I am using openssl 1.0.1h and AES128 CBC mode to encrypt some arbitrary long ASCII string. I encountered an issue at decryption. If I use EVP_DecryptFinal_ex then the output is unrecognizable. If I remove the following then the output is OK. if ((rc = EVP_DecryptFinal_ex(ctx, debuf, tmplen))

Question on certificate chain creation in using SSL_CTX_use_certificate_chain_file

2014-05-29 Thread David Li
Hi, Say, I have a servercert.pem, serverkey.pem and cacert.pem. When using SSL_CTX_use_certificate_chain_file() to load a cert file as the second argument, I will have to construct the file like this: cat servercert.pem serverkey.pem cacert.pem server.pem and use server.pem in the API. My

Openssl crashed when loading certificates

2014-05-20 Thread David Li
Hi, I am new to openssl programming. My goal is trying to get a simple server up and running. I am using OpenSSL 1.0.1e-fips 11 Feb 2013 on Centos6.5. I am using SSL_CTX_use_certificate_chain_file() to load my server certificate files at initialization. The PEM file is created by concatenating

Re: Openssl crashed when loading certificates

2014-05-20 Thread David Li
, Dustin Oprea myselfasun...@gmail.com wrote: On Tue, May 20, 2014 at 1:04 PM, David Li dlipub...@gmail.com wrote: Hi, I am new to openssl programming. My goal is trying to get a simple server up and running. I am using OpenSSL 1.0.1e-fips 11 Feb 2013 on Centos6.5. I am using

Re: Openssl crashed when loading certificates

2014-05-20 Thread David Li
: owner-openssl-us...@openssl.org [mailto: owner-openssl-us...@openssl.org] On Behalf Of David Li Sent: Tuesday, May 20, 2014 13:05 snip I am using SSL_CTX_use_certificate_chain_file() to load my server certificate files at initialization. The PEM file is created by concatenating server cert

Re: Openssl crashed when loading certificates

2014-05-20 Thread David Li
Rich, I did the following calls: OpenSSL_add_all_algorithms(); OPENSSL_init_library(); SSL_load_error_strings(); Are these enough? On Tue, May 20, 2014 at 1:32 PM, Richard Moore richmoor...@gmail.com wrote: On 20 May 2014 20:13, David Li dlipub...@gmail.com wrote: So obviously my

Re: Openssl crashed when loading certificates

2014-05-20 Thread David Li
Oh, I see, I should have used SSL_library_init() rather than OPENSSL_init_library(). Thanks everyone! Great help! David On Tue, May 20, 2014 at 1:38 PM, David Li dlipub...@gmail.com wrote: Rich, I did the following calls: OpenSSL_add_all_algorithms(); OPENSSL_init_library