AW: Accessing unknown certificate extensions by OID

2009-08-28 Thread Natanael Mignon - michael-wessel . de
Alright, I got it. After inserting the structs etc. in order to hop through the extension, I got down to the ASN1_OBJECT representing the professionOID. OBJ_obj2txt(buf,buflen,obj,1) gives the OID I was looking for (first approach was to create an object with that OID and use obj_cmp, which

AW: Accessing unknown certificate extensions by OID

2009-08-24 Thread Natanael Mignon - michael-wessel . de
Hi and thanks for your continued help! Meanwhile I did indeed define the syntax of the extension and get my way through to the leaf being an ASN1_OBJECT representing the professionOID. Now my lack of knowledge strikes back: I want to check whether a professionOID of 1.2.276.0.76.4.88 is

AW: Undocumented functions/macros/structs

2009-08-22 Thread Natanael Mignon - michael-wessel . de
Hello, what I've been doing lately is repeatedly grep-ing my way through OpenSSL source code in order to find examples and definitions of such functions. Very helpful to my mind. :) Kind regards  Natanael Mignon -Original Message- From:

AW: Accessing unknown certificate extensions by OID

2009-08-21 Thread Natanael Mignon - michael-wessel . de
Hello, ok, what I did so far is get the extension by OID. At least I know by now whether the extension is present or not: [...] X509 *client_cert = X509_STORE_CTX_get_current_cert(ctx); const char *admoid = "1.3.36.8.3.3"; ASN1_OBJECT *admobj = NULL; X509_EXTENSION *admext = NULL; int

Accessing unknown certificate extensions by OID

2009-08-18 Thread Natanael Mignon - michael-wessel . de
Dear list, another trial. ;) We need to validate the existence and value of an X.509 extension in a client certificate from within Apache/mod_ssl. The extension Admission is described by ISIS-MTT and has OID 1.3.36.8.3.3: AdmissionSyntax ::= SEQUENCE { admissionAuthority GeneralName

AW: OCSP_basic_verify:root ca not trusted

2009-07-29 Thread Natanael Mignon - michael-wessel . de
-Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl- us...@openssl.org] On behalf of Dr. Stephen Henson Sent: Tuesday, 28 July 2009 23:43 To: openssl-users@openssl.org Subject: Re: OCSP_basic_verify:root ca not trusted On Tue, Jul 28, 2009,

OCSP_basic_verify:root ca not trusted

2009-07-28 Thread Natanael Mignon - michael-wessel . de
Dear list, another problem with the OCSP-handling in Apache/mod_ssl: [Tue Jul 28 14:27:12 2009] [error] SSL Library Error: error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted [Tue Jul 28 14:27:12 2009] [error] failed to verify the OCSP response! Now, of course this could be just

AW: Re: OCSP_basic_verify:root ca not trusted

2009-07-28 Thread Natanael Mignon - michael-wessel . de
Hello Steve, thanks for the quick and enlightening reply - I was wondering about the ocsp signer cert being issued by a different CA as unusual, but the idea of global responders was not familiar. We will check this with the provider/trustcenter. Best regards - Natanael Mignon

AW: Decoding OCSP response data: ASN1_D2I_READ_BIO:not enough data

2009-07-10 Thread Natanael Mignon - michael-wessel . de
Updated details. If we do compare the two requests (one failing because of not enough data, one working fine), there are obvious differences in receiving the response. Working fine: [Tue Jul 07 14:32:24 2009] [debug] ssl_util_ocsp.c(104): [client 10.200.48.140] sending request to OCSP

AW: Decoding OCSP response data: ASN1_D2I_READ_BIO:not enough data

2009-07-10 Thread Natanael Mignon - michael-wessel . de
Dear list, another update - we got it. [Fri Jul 10 10:28:39 2009] [error] [client 172.30.64.154] MWDE/nm: OCSP response line unstripped: HTTP/1.1 200 OK [Fri Jul 10 10:28:39 2009] [debug] ssl_util_ocsp.c(217): [client 172.30.64.154] OCSP response header: Date: Fri, 10 Jul 2009 09:29:06 GMT