Hi ,
Since openssl.1.0.1c doesn't support ECDHE-ECDSA-AES128-CCM cipher suite,
I added this support in the openssl code.
It works fine with ECC certificates which are not self-signed.
When I process my ECC self-signed certificate, my webserver throwing X5*
On 31-07-2013 08:22, Indtiny s wrote:
Hi ,
Since openssl.1.0.1c doesn't support ECDHE-ECDSA-AES128-CCM cipher
suite, I added this support in the openssl code.
It works fine with ECC certificates which are not self-signed.
When I process my ECC self-signed certificate, my webserver throwing
Hi ,
If there are no v3 extensions in the certificate, verify goes fine,
If I add keyUsage, I get the below error.
*X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE*
But as per standard which I have follow for certificate generation, I have
to create the certificate with these extensions.
is
Dear Dave,
Thanks for your help.
I solved my problem and I am very ashamed...
I tried with the ssl client command line of my freshly compiled
openssl version and got the same error. After investigation, I
realised that the official windows binary client failed too. Thus, I
was wondering why it
Hello Dave,
Thanks for this info.
I compiled my own openssl lib with debug support and started debugging.
The problem seems indeed to be located in the call to
X509_STORE_CTX_get1_issuer. In this function, the function
X509_STORE_get_by_subject returns an error. When digging into this
code, the
From: owner-openssl-us...@openssl.org On Behalf Of Brice André
Sent: Friday, 31 May, 2013 06:00
snip
The problem seems indeed to be located in the call to
X509_STORE_CTX_get1_issuer. In this function, the function
X509_STORE_get_by_subject returns an error. When digging into this
code, the
Hello,
I tested your small program and it seems to work properly, which, I
suppose, means that the problem resides in my client code. I
copy-pasted the output below.
I just find something strange on the server : to write my server code,
I followed a tuto where they initialised a Diffie-Hellman
From: owner-openssl-us...@openssl.org On Behalf Of Brice André
Sent: Thursday, 30 May, 2013 04:08
I tested [s_client] and it seems to work properly, which, I
suppose, means that the problem resides in my client code. I
copy-pasted the output below.
I think so; see more below.
I just find
Hello Dave,
Once again, thanks for your help.
I performed a test yesterday with the instruction
SSL_CTX_use_certificate_file(tx,path_to_file, SSL_FILETYPE_PEM);
replaced by
SSL_CTX_load_verify_locations(ctx, path_to_file, NULL);
Where path_to_file points to my file server.crt. The function
Hello,
Just a little hint:
Your questions would be much clearer if you state, at each step,
which end of the connection each thing applies to, like at what
end did you call SSL_CTX_load_verify_locations, at what end did
you get which error messages etc.
I suspect this may be the cause of some
Hello Jakob,
All commands described in my mail are executed from the client.
I only try to perform server authentication by certificate, and my
problem is that the client is not able to perform this authentication.
I think that my server code is ok (but I may be wrong). On the server
side, the
From: owner-openssl-us...@openssl.org On Behalf Of Brice André
Sent: Wednesday, 29 May, 2013 03:14
I performed a test yesterday with the instruction
SSL_CTX_use_certificate_file(tx,path_to_file, SSL_FILETYPE_PEM);
replaced by
SSL_CTX_load_verify_locations(ctx, path_to_file, NULL);
Where
From: owner-openssl-us...@openssl.org On Behalf Of Brice André
Sent: Monday, 27 May, 2013 23:45
You are right, I am using a self-signed certificate for use by my
server. In fact, I do not perform client authentication in my
application: only the server shall be authenticated by ssl. The
self-signed certificates.
So, my question is how can I configure open-ssl to accept self-signed
certificates ?
Thanks in advance,
Brice
, open-ssl is not
accepting self-signed certificates.
Are you setting up the client truststore, and how? By default
openssl doesn't trust *any* peer cert, self-signed or not.
If you are setting up truststore, you aren't doing it right.
So, my question is how can I configure open-ssl to accept
Hi all,
I have a self-signed certificate installed on a server with the following
extensions fields.
=
Key Usage:Digital Signature, Key Encipherment (a0)
IIRC, this means that the Subject and Issuer names on your self-signed cert do
not match.
Stefan
On 10.05.2013, at 18:48, no_spam...@yahoo.com wrote:
openssl verify -check_ss_sig -CAfile ./my-ss-cert.pem ./my-ss-cert.pem
I get the following error:
error 20 at 0 depth lookup:unable to get
On Sat, May 11, 2013 at 10:49:40AM +0200, Stefan H. Holek wrote:
On 10.05.2013, at 18:48, no_spam...@yahoo.com wrote:
openssl verify -check_ss_sig -CAfile ./my-ss-cert.pem ./my-ss-cert.pem
I get the following error:
error 20 at 0 depth lookup:unable to get local issuer certificate
Must non-CA, self-signed certificates have the keyCertSign bit set in the
keyUsage extension to be valid?
If I don't have the bit set and execute the following command:
openssl verify -check_ss_sig -CAfile ./my-ss-cert.pem ./my-ss-cert.pem
I get the following error:
error 20 at 0 depth
Great. Thank You :-)
-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of ext Dave Thompson
Sent: Thursday, July 26, 2012 5:49 PM
To: openssl-users@openssl.org
Subject: RE: Using Self-Signed Certificates to create SSL connection
Hi All,
I have created a self-signed CA certificate, a Client certificate and a
Server certificate. I signed the Client and Server certificates with the
self-signed CA certificate and placed all certs in the appropriate
locations. Then attempted to create an SSL connection with 'openssl
From: owner-openssl-us...@openssl.org On Behalf Of Hasan, Rezaul (NSN -
US/Arlington Heights)
Sent: Thursday, 26 July, 2012 12:02
I have created a self-signed CA certificate, a Client certificate and a
Server certificate. I signed the Client and Server certificates with
the self-signed CA
you have 100 self-signed certificates. You have to put them out of band, in
a secure way, in the N places they will be needed to authenticate the owners of
the associated private keys.
The day you add the 101st self-signed certificate, you have to put it on the N
places, as before.
On the other
Sent: Tuesday, June 05, 2012 1:35 PM
To: openssl-users@openssl.org
Subject: self-signed certificates vs CA (was: Re: authenticate peer)
What is a CA? _Conceptually_ a CA is nothing more than a self-signed
certificate you trust as an issuer of other
certificates :-)
So, a self-signed certificate
at the same time is too low.
Regards,
Vladimir.
--
From: Marco Molteni
Sent: Tuesday, June 05, 2012 1:35 PM
To: openssl-users@openssl.org
Subject: self-signed certificates vs CA (was: Re: authenticate
From: dthomp...@prinpay.com
To: openssl-users@openssl.org
Subject: RE: Using self-signed certificates with openssl
Date: Fri, 13 May 2011 22:06:55 -0400
From: owner-openssl-us...@openssl.org On Behalf Of Roger No-Spam
Sent: Friday, 13 May, 2011 04:15
We have decided
Hello,
We have decided to use openssl to protect a connection in our system with TLS.
Clients will be authenticated using X509 certificates. To cut a long story
short, a decision has been taken to use self-signed certificates. On the
server, each client's self-signed cert will be loaded
has been taken to use self-signed
certificates.
On the server, each client's self-signed cert will be loaded by a call to
SSL_CTX_load_verify_locations(). This is pretty much working as expected,
To be exact: you can't be doing a load_verify_locations for each of
multiple certs -- unless you do
Hi.
I'm trying to transition from using PSK's with ipsec-tools to self-signed certs
(harder to guess, etc) but I've not been very successful. When it fails, it's
not always apparent why it fails... that's the nature of security, of course.
I was wondering if anyone else had done this, and
From: owner-openssl-us...@openssl.org On Behalf Of Kyle Safford
Sent: Monday, 25 January, 2010 11:49
I am using Self-Signed Certificates and had a few questions about
them.
When running the command to verify whether the certificate chain is
valid
or not (in weblogic
Hi All,
I am using Self-Signed Certificates and had a few questions about them.
When running the command to verify whether the certificate chain is
valid or not (in weblogic), I receive a message stating that the chain
is invalid:
java -cp %BEA_HOME%\weblogic81\server\lib
Hi everyone,
I have been trying to determine if there is a specific command I need to
use when creating Self Signed Certificates with openssl that determines
TLS v1.0 over SSL v3.0? I have been using the following commands:
Create a file named openca.cnf and copy the content in italic
On Wed, Sep 02, 2009, Kyle Safford wrote:
I have been trying to determine if there is a specific command I need to
use when creating Self Signed Certificates with openssl that determines
TLS v1.0 over SSL v3.0?
No there are no certificate fields or extensions that indicate TLS v1.0
4.2.1.3 Key Usage)
This extension MUST appear in certificates that contain public keys
that are used to validate digital signatures on other public key
certificates or CRLs.
But I heard self signed certificates should not have keyUsage field.
I want to know the limitation of self signed
On Wed, Oct 03, 2007 at 11:47:33AM +0530, Subramaniam wrote:
I am using a self signed certificate as a CA certificate.
Post the CA certificate to the list.
My entity certificate is signed by this self signed CA. in my test programs
Post the entity certificate to the list.
But another
one is rejected with the error
message Only self-signed certificates are added to the CTL. Maybe anyone
has an idea...
You can check the certificate structure using the command:
openssl asn1parse -in cert.pem
... and compare it with the structure of the first one.
I think you only forgot some
Good evening,
Is there a difference between:
openssl req -x509 ...
and:
openssl ca -selfsign ...
?
I can use a certificate created using the first way as certificate in the
CTL of MS IIS ver. 5.1 while the second one is rejected with the error
message Only self-signed certificates
Hello all,
I was having a play with Eric Rescorla's programs implementing simple
openssl client/server comms; the ones from his An Introduction to
OpenSSL Programming articles.
He supplies some self-signed certificates for testing along with the
source accompanying the articles. Now, I compile
cles.
He supplies some self-signed certificates for testing along with the
source accompanying the articles. Now, I compile his software with
openssl version 0.9.7e and the function
SSL_get_verify_result (ssl)
throws the error 19, which translates to:
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
I presu
On Thu, Feb 03, 2005, Seb James wrote:
Hello all,
I was having a play with Eric Rescorla's programs implementing simple
openssl client/server comms; the ones from his An Introduction to
OpenSSL Programming articles.
He supplies some self-signed certificates for testing along
I hope I'm using this mailing list correctly, as this is the 1st time I've used a
majordomo service. If I'm using the mailing list incorrectly, I apologize in
advance! Anyway, here is my question:
I want to create a certificate that is self signed, which will be used for an https
connection
Hi
I tried to make self-signed certificates for testing with FreeRadius and
Radiator in combination with EAP/TLS and EAP/TTLS (and eventually PEAP).
With the radiator certificate example script and the scripts I saw on
the net for FreeRadius implementations I keep getting errors creating
Hi,
[EMAIL PROTECTED] wrote:
Write out database with 1 new entries
Data Base Updated
Segmentation fault
I had this problem in 0.9.7
Use 0.9.6h to create your CA and certs!
Well, I can do that, but there is no support for an
external-extensions-file in 0.9.6h, is there?
I tried to
PROTECTED]]On Behalf Of Neil Aggarwal
Sent: Saturday, 28 December 2002 3:10 PM
To: [EMAIL PROTECTED]
Subject: RE: SOLVED: Using pcAnyhwere with public-key encryption and
self-signed certificates
Victor:
I am attaching my notes on how to set-up pcAnywhere
with public key encryption using self
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Neil Aggarwal
Sent: Friday, December 27, 2002 7:41 AM
To: Open SSL mailing list
Subject: SOLVED: Using pcAnyhwere with public-key encryption and
self-signed certificates
Hello All:
Thanks to some generous help
On Tue, Oct 22, 2002 at 12:50:04PM +0200, Martin Witzel wrote:
Except when you have an independent means to verify that
a) the self-signed certificate which you received during the handshake
comes from the entity which claims to be the originator
b) you also feel comfortable to
Well, I can answer my own question here. This occurs when you put the
exact same information in your certificate as you have in your CA.
Skadz
Ryan P Skadberg writes:
Hopefully someone has an answer to this. I saw the question once in
the archives, but no answers :(
I have compiled