Re: Certificate chain problem

2005-06-16 Thread Eleftheria Petraki
SUMMARY: The problem was that the root CA had a pathlen=0, so the intermediate CA could not be recognized. Setting pathlen=1 solved it. Many thanks to Goetz for his help. From: Goetz Babin-Ebell [EMAIL PROTECTED] Reply-To: openssl-users@openssl.org To: openssl-users@openssl.org Subject:

Re: using AES encryption

2005-06-16 Thread Julien ALLANOS
Quoting Nils Larsch [EMAIL PROTECTED]: Julien ALLANOS wrote: ... Actually, I have tested the following: EVP_CIPHER_CTX_init(ctx); EVP_CipherInit_ex(ctx, EVP_aes_192_ecb(), NULL, key-data, NULL, 1); if (!EVP_CipherUpdate(ctx, ciphertext-data, (int *) ciphertext-length,

DES encrypt problems

2005-06-16 Thread nicolas miviele
Hello everybody! I've got some problems with simple DES encryption; I have compared the results of my DES function with the examples given in the file test.cpp and when the key has a particular form (only 0, only FF, ...) the cipherdata is not the cipherdata expected... In other (most of)

openssl on amd64

2005-06-16 Thread Ronan McGlue
compiling openssl-engine-0.9.6m on a dual opteron slamd(slack 64 10.1) box ./config completes but then make throws an error up to do with the assemblers for md5,sha etc so if I run ./config no-asm and then make I get no problems... however it still only detects the system as a 32bit sys. (

nseq vs Thawte freemail certificates

2005-06-16 Thread Joachim Buechse
Good day! I am trying to extract my private key from a file downloaded from Thawte's Personal Freemail certificate service. (Thawte creates the private key for the user to simplify the process). The file (with the meaningful name deliver.exe) seems to be a Netscape Certificate Sequence in

RE: nseq vs Thawte freemail certificates

2005-06-16 Thread David C. Partridge
I've not been there, but is it possible that this is a PKCS#12 bag? Dave __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated

Re: mini-ASN.1 compiler 0.9.8-beta5

2005-06-16 Thread pana
The error I get when I use -genstr is: unknown option -genstr asn1parse [options] infile where options are -inform arg input format - one of DER TXT PEM -in arg input file -out arg output file (output format is always DER -noout argdon't produce any output -offset arg

RE: problem verifying signature from java

2005-06-16 Thread Madhu Sudhan Reddy
Hello coco, I am also facing a similar problem. I am generating a signature using OpenSSL and passing in to JAVA to verify (running JAVA test suite). Signature format is in DER encoded PKCS#7 format. But JAVA is not able to parse the SignedData content in the PKCS#7 format. It

openssl base64 problems

2005-06-16 Thread Beat Jucker
When I try to decode a particular smime message I'll get error ASN1_get_object:too long. First I thought there's something wrong with ASN.1 syntax but then I found a major difference in openssl base64 decoding compared to other base64 tools. Given attached PEM file with all other base64 tools

Re: nseq vs Thawte freemail certificates

2005-06-16 Thread Morgan Collett
Hi Joachim, On 6/16/05, Joachim Buechse [EMAIL PROTECTED] wrote: Good day! I am trying to extract my private key from a file downloaded from Thawte's Personal Freemail certificate service. (Thawte creates the private key for the user to simplify the process). The file (with the

RE: Need objective arguments against double certificate

2005-06-16 Thread David Schwartz
Thanks all for replying. More heated debates I guess. How can there be a heated debate when there is not yet one argument advanced in favor of the double certificate scheme? DS

Re: Need objective arguments against double certificate

2005-06-16 Thread Richard Levitte - VMS Whacker
In message [EMAIL PROTECTED] on Tue, 14 Jun 2005 00:14:54 -1000, coco coco [EMAIL PROTECTED] said: coconut_to_go We called it bullshit, and were having a hot debate, coconut_to_go most people (the technical people) are opposed to that, coconut_to_go saying that there is nothing secure about this

Question about TLS handshake buffer

2005-06-16 Thread Howard, Jim
Hello, I am writing an 802.11 wireless client that communicates with the access point using PEAP and MSCHAPV2. I am having trouble establishing a secure TLS tunnel in which to perform the PEAP phase 2 handshake. My client sends a TLS Client Hello message. The servers respond with their Server

Re: mini-ASN.1 compiler 0.9.8-beta5

2005-06-16 Thread Richard Levitte - VMS Whacker
In message [EMAIL PROTECTED] on Thu, 16 Jun 2005 11:51:57 +0200, pana [EMAIL PROTECTED] said: panasa1 The error I get when I use -genstr is: panasa1 panasa1 unknown option -genstr panasa1 asn1parse [options] infile panasa1 where options are panasa1 -inform arg input format - one of DER TXT

Re: nseq vs Thawte freemail certificates

2005-06-16 Thread Joachim Buechse
It was not the private key that got lost but me... The private and public key are created locally - thanks to Bernhard Froehlich for pointing this out in a private email. The private key is never sent to Thawte and hence it can not possibly be in the deliver.exe file. The local key

Release delay

2005-06-16 Thread Richard Levitte - VMS Whacker
I'm delaying the release of 0.9.8 beta6 until tomorrow (Friday) night. The reason is that I want to test some changes on systems that may be sensitive to them before releasing. I believe that will be better for the release process as a whole. Cheers, Richard

RE: Need objective arguments against double certificate

2005-06-16 Thread coco coco
Thanks all for replying. More heated debates I guess. How can there be a heated debate when there is not yet one argument advanced in favor of the double certificate scheme? I got what you meant, sorry for not being clear. I meant there will be more heated debate between us (the

Re: Need objective arguments against double certificate

2005-06-16 Thread coco coco
Like everyone else, I say this consultant doesn't know what he's talking about (I'm tempted to ask you to tell me who it is, so I can avoid him/her). Can I suggest a different line of attack, though? It's obvious that confronting the consultant by calling bull doesn't win you any points, so how

RE: problem verifying signature from java

2005-06-16 Thread coco coco
I am also facing a similar problem. I am generating a signature using OpenSSL and passing in to JAVA to verify (running JAVA test suite). Signature format is in DER encoded PKCS#7 format. But JAVA is not able to parse the SignedData content in the PKCS#7 format. It is giving

Re: Need objective arguments against double certificate

2005-06-16 Thread david
Like the commentator, I'm also a little guy. In my case, I'm a retired guy who got his intro to this stuff from Entrust. I got convinced that their two (or more) -certificate solution was right, based upon the following: If you are an employee in an organization, it is valid for the

Re: Need objective arguments against double certificate

2005-06-16 Thread Victor Duchovni
On Thu, Jun 16, 2005 at 06:33:53PM -0700, david wrote: Like the commentator, I'm also a little guy. In my case, I'm a retired guy who got his intro to this stuff from Entrust. I got convinced that their two (or more) -certificate solution was right, based upon the following: You say

RE: Need objective arguments against double certificate

2005-06-16 Thread David Schwartz
Please help to fill in items that I might have missed :) The security risk that this non-standard scheme might introduce an unforeseen vulnerability. This is, IMO, as likely as that it will protect against some unforeseen vulnerability -- the alleged reason for the scheme. DS

Re: Question regarding certificate requests !

2005-06-16 Thread William Studenmund
On Jun 9, 2005, at 8:35 AM, Nabil Ghadiali wrote: Openssl req seems to output those components...however I am not able to find a way to input these as command line parameters. man openssl_req Try something like: openssl req -new -key foo.key -out foo.csr -sha1 Take care, Bill

Re: Need objective arguments against double certificate

2005-06-16 Thread david
Yes, Viktor... you are right. Two certificates with the same keys is ... as you say One of these days, I'll figure out how to write what I really mean, instead of assuming that all readers have the same context as I do. And that retirement was (how shall I put it) ... non-voluntary.

RE: Need objective arguments against double certificate

2005-06-16 Thread coco coco
Please help to fill in items that I might have missed :) The security risk that this non-standard scheme might introduce an unforeseen vulnerability. This is, IMO, as likely as that it will protect against some unforeseen vulnerability -- the alleged reason for the scheme. Hehe, I was

Any problem with this C code

2005-06-16 Thread Madhu Sudhan Reddy
Hello All, I used the following C code to sign the data and encode in DER format. But the JAVA Crypto code failed to parse the DER encoded PKCS#7 data. Following is the C code to sign the data. Is there any problem in my code? The certificate I used is

Re: Need objective arguments against double certificate

2005-06-16 Thread coco coco
Like the commentator, I'm also a little guy. In my case, I'm a retired guy who got his intro to this stuff from Entrust. I got convinced that their two (or more) -certificate solution was right, based upon the following: If you are an employee in an organization, it is valid for the

Re: Need objective arguments against double certificate

2005-06-16 Thread coco coco
I thought the problem was that you were using the same keypair for encryption and signing. So that there really is only one key. I know, the key escrow was designed when the requirements were only for encryption only. Digital signature requirement was added when the consultant got on board.

Re: Need objective arguments against double certificate

2005-06-16 Thread Joshua Juran
On Jun 16, 2005, at 11:47 PM, coco coco wrote: For a shameless plug, this scheme is designed by myself. I'm giving a brief description here, so you guys can help to see if that makes sense. [snip] Yeah, I know, you have not seen the implementation, so not fair to say if that's ok or not.

Re: Need objective arguments against double certificate

2005-06-16 Thread coco coco
Then perhaps your company should hire a security expert to design the security. Defects in portability or performance are low-risk and easily detected, and the cost scales with the time until a patch is deployed. Security vulnerabilities are much more tricky and expensive to detect and the