Hello,
can someone please try the following website with Google Chrome - I use
the latest release: Version 39.0.2171.99 m -
https://banking.ing-diba.at/ (an electronic Banking site)
with the following policy enabled:
RequireOnlineRevocationChecksForLocalAnchors = 1
with this banking site
Walter H. wrote:
subjectKeyIdentifier=hash
which parts of the certificate are included in generating this hash value?
http://tools.ietf.org/html/rfc5280#section-4.2.1.2
Ciao, Michael.
Hello,
it is already solved, but I just want to tell others;
I have two VMs, one with an older CentOS 4.x and one with a new CentOS 6.5
both run Postfix as MTA; both have configured a smarthost;
the smarthost allows STARTTLS and has a certificate, that is
issued by AlphaSSL; the
Authority
On Thu, Feb 20, 2014 at 11:26:20AM +0100, Walter H. wrote:
the older CentOS 4.x has in its ca-bundle.crt a root certificate that
expired at the end of last month (on Jan. 28th, 2014), also attached
(rootexpired.txt), no other valid root certificate of this CA (GlobalSign)
can be found in
On 20.02.2014 17:57, Viktor Dukhovni wrote:
On Thu, Feb 20, 2014 at 11:26:20AM +0100, Walter H. wrote:
the older CentOS 4.x has in its ca-bundle.crt a root certificate that
expired at the end of last month (on Jan. 28th, 2014), also attached
(rootexpired.txt), no other valid root certificate
On Thu, Feb 20, 2014 at 09:11:06PM +0100, Walter H. wrote:
in the extensions config file you have this:
subjectKeyIdentifier=hash
which parts of the certificate are included in generating this hash value?
It is generally the public key bitstring.
--
Viktor.
On 14.12.2013 00:00, Dr. Stephen Henson wrote:
How are you disabling RSA key exchange?
by setting all ciphers beginning with RSA to no in FF
If you disable RSA for authentication
too you'll hit problems if you don't have a non-RSA certificate. So for
example: ECDHE-ECDSA-3DES-EDE-SHA needs
On 12.12.2013 14:16, Erwann Abalea wrote:
It's not strange.
You removed the RSA-* from client side, the result is that the server
can't match anything in common between what the client proposed and
what the server accepts. The error you get has been sent by the server.
The server is capable
Le 13/12/2013 19:30, Walter H. a écrit :
On 12.12.2013 14:16, Erwann Abalea wrote:
It's not strange.
You removed the RSA-* from client side, the result is that the server
can't match anything in common between what the client proposed and
what the server accepts. The error you get has been
it depends how many characters differ when sorted.
in this case:
ECDHE-ECDSA-DES-CBC3-SHA - 3AABDDDHHSSS
* *** **
ECDHE-ECDSA-3DES-EDE-SHA - 3AACCEEHHSSS
you can see (marked by *) that 6 characters don't match.
now 6 is a triangular
sorry, that was a bad joke i now regret sending. andrew
On Fri, Dec 13, 2013 at 04:01:23PM -0300, Andrew Cooke wrote:
it depends how many characters differ when sorted.
in this case:
ECDHE-ECDSA-DES-CBC3-SHA - 3AABDDDHHSSS
* *** **
Don't regret it, it wasn't that bad ;)
--
Erwann ABALEA
Le 13/12/2013 20:39, andrew cooke a écrit :
sorry, that was a bad joke i now regret sending. andrew
On Fri, Dec 13, 2013 at 04:01:23PM -0300, Andrew Cooke wrote:
it depends how many characters differ when sorted.
in this case:
well, i realised i couldn't answer the question seriously... what is
ECDHE-ECDSA-3DES-EDE-SHA ? the only reference i can find on the web is to
google chrome and firefox accepting it (a grep of openssl 1.0.1e fails to find
it). does any server actually provide it? if so, what mode does it use
On 13.12.2013 21:16, andrew cooke wrote:
well, i realised i couldn't answer the question seriously... what is
ECDHE-ECDSA-3DES-EDE-SHA ? the only reference i can find on the web is to
google chrome and firefox accepting it (a grep of openssl 1.0.1e fails to find
it). does any server actually
well, not really, because in practice the name has to match, so you are stuck
(as the earlier answer says).
i guess the answer is somewhere in the nss code...
andrew
On Fri, Dec 13, 2013 at 10:04:52PM +0100, Walter H. wrote:
On 13.12.2013 21:16, andrew cooke wrote:
well, i realised i
On Fri, Dec 13, 2013, Walter H. wrote:
On 13.12.2013 21:16, andrew cooke wrote:
well, i realised i couldn't answer the question seriously... what is
ECDHE-ECDSA-3DES-EDE-SHA ? the only reference i can find on the web is to
google chrome and firefox accepting it (a grep of openssl 1.0.1e
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
us...@openssl.org] On Behalf Of Walter H.
snip
The server is capable of ciphers DHE-* and others;
the list is quite longer than the available ciphers of the client ...,
so I think this is quite strange ...
openssl ciphers -V
It's not strange.
You removed the RSA-* from client side, the result is that the server
can't match anything in common between what the client proposed and what
the server accepts. The error you get has been sent by the server.
--
Erwann ABALEA
Le 11/12/2013 22:34, Walter H. a écrit :
Hello Eliezer Croitoru,
this is also to the OpenSSL mailing list, because can someone verify that
the CA certificate and the SSL certificate fit together - the last
section of this mail.
(of course I can do this by myself, but here I want the opinion of a 3rd
party)
I have the solution that
Bonjour,
The certificate specifies digitalSignature as its sole key usage.
That means the certified key can only be used to sign data, and not
perform any decrypt operation.
If your server+client are negotiating a (EC)DHE-RSA-* ciphersuite,
that's OK because the server's RSA private key will
; then this works in
Firefox, too;
why this strange behaviour?
Thanks,
Walter
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
certificate is a built-in token; then this works in
Firefox, too;
why this strange behaviour?
Thanks,
Walter
From: owner-openssl-us...@openssl.org On Behalf Of Walter H.
Sent: Friday, October 04, 2013 15:30
there exists a self signed root CA certificate (A)
one intermediate CA certificate (B)
and this intermediate certificate has signed a SSL certificate (C) of a
web server;
[and C and B have
; why does this work
without errors only in IE, and not in FireFox?
if the root CA certificate is a built-in token; then this works in
Firefox, too;
why this strange behaviour?
Thanks,
Walter
? Does s_server simulate certificate
checking?
Any help will be appreciated.
Best regards,
Koza
--
View this message in context:
http://www.nabble.com/s_server-with-client-authentication-strange-behaviour-tp14708069p14708069.html
Sent from the OpenSSL - User mailing list archive at Nabble.com
but DH_generate_parameters...
Best regards,
Koza
--
View this message in context:
http://www.nabble.com/strange-behaviour-of-clock%28%29-with-DH_generate_key-tf4930945.html#a14172832
Sent from the OpenSSL - User mailing list archive at Nabble.com
this message in context:
http://www.nabble.com/strange-behaviour-of-clock%28%29-with-DH_generate_key-tf4930945.html#a14113620
Sent from the OpenSSL - User mailing list archive at Nabble.com.
Hi,
Can someone please explain the following behaviour?
On my Solaris box:
$ uname -a
SunOS bid-dev22 5.8 Generic_117350-08 sun4u sparc SUNW,Sun-Fire-V240
$ openssl version
OpenSSL 0.9.6g 9 Aug 2002
$ openssl md5 test
MD5(test)= 2cbba5a2632ae92aa4f10003f7970082
$ md5 test
MD5 (test) =
On Fri, Apr 29, 2005 at 09:45:08AM +0200, Jostein Tveit wrote:
$ uname -a
SunOS bid-dev22 5.8 Generic_117350-08 sun4u sparc SUNW,Sun-Fire-V240
$ openssl version
OpenSSL 0.9.6g 9 Aug 2002
$ openssl md5 test
MD5(test)= 2cbba5a2632ae92aa4f10003f7970082
$ md5 test
MD5 (test) =
Victor Duchovni [EMAIL PROTECTED] writes:
On Fri, Apr 29, 2005 at 09:45:08AM +0200, Jostein Tveit wrote:
The same file copied with cygwin scp to my windows box:
Thereby globally changing LF to CRLF...
That does not explain the difference between openssl md5 and the
md5sum command.
The
Bonjour,
I'm running into something strange.
Here's an extract of my code:
-
[...]
{
time_t start;
BIO *cbio = NULL;
if ((cbio = BIO_new(BIO_s_connect())) == NULL)
{
result = ERR(CMCLIENTERR_CONNEXION);
goto done;
}
BIO_set_conn_hostname(cbio, server_name);
Hello,
I was doing some tests with openssl and I found a strange issue:
First, I ran s_server to instantiate a fake server in localhost:
s_server -cert mycertfile -key mykeyfile
Second, I execute s_client to connect to my fake server:
s_client -connect 127.0.0.1:4433
Until here, it's ok.
Hi!
We are using the PHP-based IMP (http://horde.org) software to access our
mail from a web interface, but there's a strange problem...
As IMP does not support SSL natively yet, we are using openssl c_client
to tunnel and encrypt the imp-imap connections through a false local
port that in fact
Ramdas
-Original Message-
From: Greg Stark [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 22, 2001 5:51 PM
To: [EMAIL PROTECTED]
Subject: Re: Strange behaviour with SSL_CTX_set_verify
You need to do the SSL_CTX_set_verify() *before* you do the SSL_new(). The
SSL * sort of in
After I do the SSL initialization, I do the following in my server code.
while(1){
if((s=accept(sock,0,0))<0)
err_exit("Problem accepting");
sbio=BIO_new_socket(s,BIO_NOCLOSE);
ssl=SSL_new(ctx);
SSL_set_bio(ssl,sbio,sbio);
SSL_CTX_set_verify(ctx,
.
_
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_
- Original Message -
From: "Hegde, Ramdas" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 22, 2001 6:10 PM
Subject: Strange behaviour with SSL_CTX_set_verify
After I
Thanks Greg
Moving the SSL_CTX_set_verify() above the SSL_new() did the job of fixing
the problem.
Ramdas
-Original Message-
From: Greg Stark [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 22, 2001 5:51 PM
To: [EMAIL PROTECTED]
Subject: Re: Strange behaviour with SSL_CTX_set_verify
Hi,
I noticed a strange behaviour while importing certificates generated
with openssl 0.9.5 into MS IE4.
The context : inside a community of users (let's think of it as an
Intranet), we use a self-signed CA. This CA signed my CA. With this CA,
I generate users certificates. I use the following