Re: TLS extension servername ssl session caching

2009-07-20 Thread Jan F. Schnellbaecher
Hi Stephen, Is that a bug or is OpenSSL using stateless session resumption? FF also supports that. In that case the session cache is not used. It is somehow related to FF 3.5.x! I tried different 3.0.x builds on windows and debian, as well as an old seamonkey 1.1.14 and it works all time

TLS extension servername ssl session caching

2009-07-19 Thread Jan F. Schnellbaecher
Hi, I am using 098h with the non default configure option 'enable-tlsext' and have a problem with the TLS extension servername in conjunction with ssl session caching. It seems that sessions that contain the SNI extension will not be cached by openssl. (I tried with FF 351) During the

Re: PKCS7 (time.certum.pl)

2009-02-24 Thread Jan F. Schnellbaecher
Thanks! No it means that the service is an RFC3161 time stamp which OpenSSL doesn't currently support. You can perform limited verification of these using the smime command line utility for example... openssl smime -verify -inform DER -out ts.der -in timstamp -noverify will verify the

Re: PKCS7 (time.certum.pl)

2009-02-23 Thread Jan F. Schnellbaecher
Hi Stephen, What exactly does it mean? Does it mean that the wrong digest was signed? If so what is with the correct digest that is also present in the pkcs7 file? Dr. Stephen Henson wrote: That particular failure is caused by the digest contained explicitly in the PKCS #7 structure not

Re: PKCS7 (time.certum.pl)

2009-02-22 Thread Jan F. Schnellbaecher
Hi, Dr. Stephen Henson wrote: $ openssl.exe smime -verify -inform DER -in sig -content openssl-0.9.8h.tar.gz -noverify -out c.tar.gz Verification failure 3776:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:pk7_doit .c:948: 3776:error:21075069:PKCS7

PKCS7 (time.certum.pl)

2009-02-21 Thread Jan F. Schnellbaecher
Hi, I try to verify a signature made by time.certum.pl. This is what I did: I obtain a pkcs7 signature using wget. When I look into the binary data that will be returned I can find the given sha1 checksum, but the verification fails. 1) What did I miss? 2) How can I extract the signed attributes

FIPS 1.2

2008-07-09 Thread Jan F. Schnellbaecher
Hello list, I am unsure how OpenSSL FIPS 1.2 can be deployed. I read that it can be linked static but also loaded dynamically, but I also read that it can only be linked static (as FIPS 1.1.2) 1) Can it be linked dynamically? 2) If I would like to link it dynamically when/where do I link

Re: FIPS 1.2

2008-07-09 Thread Jan F. Schnellbaecher
Hello Stephen, thanks for your very quick reply. 1) Can it be linked dynamically? Yes it can. 2) If I would like to link it dynamically when/where do I link the fipscanister.o? You build and install fipscanister.o from the FIPS 1.2 test source. Then obtain the 0.9.8-fips source

Re: FIPS 1.2

2008-07-09 Thread Jan F. Schnellbaecher
Hi Stephen, I have downloaded ftp://ftp.openssl.org/snapshot/openssl-fips-test-1.2.0.tar.gz, extracted it and: ./config fipscanisterbuild make make install and then make clean ./config fips shared no-idea no-mdc2 --with-fipslibdir=/usr/local/ssl/fips-1.0/lib make depend make The libraries

Re: FIPS 1.2

2008-07-09 Thread Jan F. Schnellbaecher
Hi Stephen, thank you very much! The snapshot build compiles without these warnings. Bye Jan Dr. Stephen Henson wrote: The cause is OpenSSL doing some things which gcc 4.2 doesn't like. These have been corrected in newer versions of OpenSSL but not when the source was submitted for

Questions about EC

2008-06-19 Thread Jan F. Schnellbaecher
Hi, I have problems to establish a SSL connection where the server certificate is based on an EC key. I first tried via the c-api, but I can't make it working even with the command line tool. This is what I did: xxx:~./openssl ecparam -name secp256r1 -genkey -out ecc1.pem using curve name

PKCS12_create returns NULL for 0.9.8.h

2008-05-31 Thread Jan F. Schnellbaecher
Hello, since the upgrade from 0.9.8g to 0.9.8h the code below to generate a PKCS12 object failed! I have observed this on linux64 (debian 3.1) and WinXP. The parameters have not been changed and 'key' is an RSA key. The code: ERR_clear_error(); PKCS12 *pkcs12cont = PKCS12_create ((char*)

Re: PKCS12_create returns NULL for 0.9.8.h

2008-05-31 Thread Jan F. Schnellbaecher
Hi, After applying the patch http://cvs.openssl.org/chngview?cn=17196 the problem is gone! Any ideas, what has been changed and how I can work around it? Thanks

Re: Client Certificate requested! Or not?

2007-06-14 Thread Jan F. Schnellbaecher
Hi Stephen, Dr. Stephen Henson wrote: Servers can renegotiate an SSL connection and request a client certificate later. This might be due to a script or clicking on a login link for example. Oh, I didn't remember this! Thanks for your quick help. Jan

Re: Reading server name extension

2007-03-08 Thread Jan F. Schnellbaecher
Victor Duchovni wrote: Download a 0.9.9 dev snapshot and see the CHANGES file: New functions (subject to change): SSL_get_servername() SSL_get_servername_type() SSL_set_SSL_CTX() Thanks Victor. This seems to be what I was looking for. Do you know when

Reading server name extension

2007-03-07 Thread Jan F. Schnellbaecher
Hello, can anybody explain how I can use the server name extension from the first TLS handshake message (Client Hello)? I would like to use it to return an appropriate certificate to avoid a CN mismatch. Which version of open ssl is required for this? Thanks Jan

Re: RSA_padding_check_PKCS1_type_1

2006-10-17 Thread Jan F. Schnellbaecher
Hello, it seems that there are some incompatibilities out there. For some hosts establishing a SSL connection fails, when using openssl, but it succeeds when using a browser. This is one example: F:\opensslopenssl.exe s_client -connect bshop.esprit.com:443 Loading 'screen' into random state -

Re: RSA_padding_check_PKCS1_type_1

2006-10-17 Thread Jan F. Schnellbaecher
Hello Marek, thanks for the hint. One workaround of this problem is to disable EDH ciphers, for example: $ openssl s_client -connect bshop.esprit.com:443 -cipher 'ALL:!EDH' I tried this, but got exactly the same error messages! Then I looked up the cipher specs on