Hi Victor and Michael,
Thanks for your respective responses.
I need to make sure the following validation happens.
- subject field in one certificate matches with the issuer field in the
subsequent certificate
- no duplicate certificate in the chain
- basicConstraints : for CA cer
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Viktor Dukhovni
> Sent: Wednesday, May 03, 2017 06:40
>
> For the full verification process see:
>
>
> https://github.com/openssl/openssl/blob/f0ef20bf386b5c37ba5a4ce5c1de9a819bbeffb2/crypto/x509/x509_vfy.c#L208
> On May 3, 2017, at 5:58 AM, john gloster wrote:
>
> Hi,
>
> I needed to validate different extensions of each of the Issuer certificates
> in the chain.
>
> Snippet from https://linux.die.net/man/3/ssl_set_verify:
>
> "The certificate chain is checked starting with the deepest nesting level
Hi,
I needed to validate different extensions of each of the Issuer certificates
in the chain.
Snippet from https://linux.die.net/man/3/ssl_set_verify:
"The certificate chain is checked starting with the deepest nesting level
(the root CA certificate) and worked upward to the peer's certificate. A
On Sat, Feb 27, 2016, Jeffrey Walton wrote:
> This came up recently on Stack Overflow. The server code specified
> SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, but failed to call
> SSL_CTX_set_client_CA_list. The connection did not fail as expected.
>
> Looking at t
Hi Jeff,
The test I just ran was done with NO custom callback :
SSL_CTX_set_verify( pCtx, AUTH_REQUIRE, NULL );
with AUTH_REQUIRE defined as ( SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT )
-Original message-
From: Jeffrey Walton [mailto:noloa...@gmail.com]
Sent: same
> I have a server code whose context is configured with SSL_VERIFY_PEER |
> SSL_VERIFY_FAIL_IF_NO_PEER_CERT and which does not call
> SSL_CTX_set_client_CA_list().
> In this case, handshake is failing as expected when clients didn't send a
> certificate.
Thanks Michel.
Does
Really ?
As your post alarmed me, I tried my test programs again and didn't notice
anything wrong.
I have a server code whose context is configured with SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT and which does not call
SSL_CTX_set_client_CA_list().
In this case, handshake is faili
This came up recently on Stack Overflow. The server code specified
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, but failed to call
SSL_CTX_set_client_CA_list. The connection did not fail as expected.
Looking at the man page for SSL_CTX_set_verify [1] and
SSL_CTX_set_client_CA_list [2] it
Dear Dave,
Thanks for your help.
I solved my problem and I am very ashamed...
I tried with the ssl client command line of my freshly compiled
openssl version and got the same error. After investigation, I
realised that the official windows binary client failed too. Thus, I
was wondering why it w
> From: owner-openssl-us...@openssl.org On Behalf Of Brice André
> Sent: Friday, 31 May, 2013 06:00
> The problem seems indeed to be located in the call to
> X509_STORE_CTX_get1_issuer. In this function, the function
> X509_STORE_get_by_subject returns an error. When digging into this
> code, the
Hello Dave,
Thanks for this info.
I compiled my own openssl lib with debug support and started debugging.
The problem seems indeed to be located in the call to
X509_STORE_CTX_get1_issuer. In this function, the function
X509_STORE_get_by_subject returns an error. When digging into this
code, the
> From: owner-openssl-us...@openssl.org On Behalf Of Brice André
> Sent: Thursday, 30 May, 2013 04:08
> I tested [s_client] and it seems to work properly, which, I
> suppose, means that the problem resides in my client code. I
> copy-pasted the output below.
>
I think so; see more below.
> I jus
Now, we can safely cleanup socket stuff */
TerminateSSLSession();
}
}
wxSSLSocketClient::SslSessionStatus_t wxSSLSocketClient::InitiateSSLSession()
{
/* Check if we are not already in SSL session */
if (connection_state == SslConnectedState)
{
/* We are already in SSL session... *
> From: owner-openssl-us...@openssl.org On Behalf Of Brice André
> Sent: Wednesday, 29 May, 2013 03:14
> I performed a test yesterday with the instruction
> SSL_CTX_use_certificate_file(tx,path_to_file, SSL_FILETYPE_PEM);
> replaced by
> SSL_CTX_load_verify_locations(ctx, path_to_file, NULL);
>
>
Hello Jakob,
All commands described in my mail are executed from the client.
I only try to perform server authentication by certificate, and my
problem is that the client is not able to perform this authentication.
I think that my server code is ok (but I may be wrong). On the server
side, the pr
Hello,
Just a little hint:
Your questions would be much clear if you state, at each step,
which end of the connection each thing applies to, like at what
end did you call SSL_CTX_load_verify_locations, at what end did
you get which error messages etc.
I suspect this may be the cause of some con
Hello Dave,
Once again, thanks for your help.
I performed a test yesterday with the instruction
SSL_CTX_use_certificate_file(tx,path_to_file, SSL_FILETYPE_PEM);
replaced by
SSL_CTX_load_verify_locations(ctx, path_to_file, NULL);
Where path_to_file points to my file "server.crt". The function
ret
> From: owner-openssl-us...@openssl.org On Behalf Of Brice André
> Sent: Monday, 27 May, 2013 23:45
> You are right, I am using a self-signed certificate for use by my
> server. In fact, I do not perform client authentication in my
> application : only the server shall be authenticated by ssl. The
ould have said so.
>
>> Now, my problem is that, when I configure openssl to check the peer
>> certificate, with the SSL_set_verify command and the SSL_VERIFY_PEER
>> option, I get the error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT when
>> handshaking the connection on the
.
A self-signed cert for the client would be different, but
client-auth is rarely used and I expect you would have said so.
> Now, my problem is that, when I configure openssl to check the peer
> certificate, with the SSL_set_verify command and the SSL_VERIFY_PEER
>
configure openssl to check the peer
certificate, with the SSL_set_verify command and the SSL_VERIFY_PEER
option, I get the error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT when
handshaking the connection on the client side.
My understanding of this error is that, by default, open-ssl is not
accepting
On Tue, Mar 12, 2013 at 10:23:20AM +, Nathan Smyth wrote:
> Just wondering - if SSL_VERIFY_PEER is set on a connection, if
> the verification locations have not been loaded
> (SSL_CTX_load_verify_locations has not been set) - does the connection
> fail? Or continue as unverifi
Just wondering - if SSL_VERIFY_PEER is set on a connection, if the verification
locations have not been loaded (SSL_CTX_load_verify_locations has not been set)
- does the connection fail? Or continue as unverified?
Also, is it possible to set the verify_location as somewhere remote (i.e. some
On Fri, Dec 17, 2010 at 01:24:40PM -0500, Jeff Saremi wrote:
> d1-srvr.c:
> int dtls1_accept(SSL *s)
>
> I cannot be 100% sure what changes on the client or on the server in
> between. But the low-level client socket and ssl connections are exactly
> the same in both scenarios. Also both use Open
So this is some minor debugging I did to get to this problem.
Modified the following methods to add two printf lines:
ssl_lib.c:
X509 *SSL_get_peer_certificate(const SSL *s)
{
X509 *r;
if ((s == NULL) || (s->session == NULL))
{
printf("SSL_get_p
cannot rely on
> the presence of the peer certificate even if SSL_VERIFY_PEER is set?
If the client signed the handshake with a private key and presented the
corresponding certificate chain, then on an initial handshake you'll
see the client cert and the full trust chain and your verifi
erver,
> even though SSL_VERIFY_PEER is set in the context using
> SSL_CTX_set_verify().
>
Is the SSL_CTX* always set before you create (any) SSL* from it?
(Or (re)set in the SSL* before you handshake?) Could you have a bug
in (any!) other code that clobbers memory? (These are often very
hard
We have some intermittent problems which seem to go away after
restarting our server.
The problem is that the client's certificate disappears on the server,
even though SSL_VERIFY_PEER is set in the context using
SSL_CTX_set_verify().
So under situations that are not entirely clear, a ca
Hi,
anytime I use the SSL_VERIFY_PEER flag for my DTLS connections
(clientside, serverside, or on both sides) I get this error message:
d1_both.c(1046): OpenSSL internal errror, assertion failed:
s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH == (unsigned
int)s->init_num
I
Hi,
anytime I use the SSL_VERIFY_PEER flag for my DTLS connections
(clientside, serverside, or on both sides) I get this error message:
d1_both.c(1046): OpenSSL internal errror, assertion failed:
s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH == (unsigned
int)s->init_num
Doe
Hi,
I am trying to build an application server which requests a client
certificate, but that if this is not provided, it will not fail, just
generate a warning.
To request the client cert, i set the SSL_VERIFY_PEER.
To make it not fail if client does not provide cert, i use
33 matches