Re: Verify X.509 certificate, openssl verify returns bad signature

2010-08-30 Thread Dr. Stephen Henson
On Mon, Aug 30, 2010, Goran Rakic wrote: > On Mon, 30. 08 2010. at 20:38 +0200, Dr. Stephen Henson wrote: > > > > I wouldn't advise changing the code in that way (FYI I wrote it). The normal > > workaround in OpenSSL for broken encodings is to use the original encoding > > by caching it. The

Re: Tls max fragment length problem

2010-08-30 Thread peterlingoal
Hi, Sorry I made a mistake with question 3 due to my misunderstanding of "plaintext". It is actually the same question as question 1. Actually I can control the TLS record size when calling SSL_write by restricting the buffer size of each iteration. However, I couldn't control the size in commun

Re: Verify X.509 certificate, openssl verify returns bad signature

2010-08-30 Thread Goran Rakic
On Mon, 30. 08 2010. at 20:38 +0200, Dr. Stephen Henson wrote: > > I wouldn't advise changing the code in that way (FYI I wrote it). The normal > workaround in OpenSSL for broken encodings is to use the original encoding > by caching it. The attached three line patch adds this workaround for > certifi

Re: Verify X.509 certificate, openssl verify returns bad signature

2010-08-30 Thread Dr. Stephen Henson
On Mon, Aug 30, 2010, Goran Rakic wrote: > On Sun, 29. 08 2010. at 04:17 +0200, Mounir IDRASSI wrote: > > > > After some digging, I found that part of the problem is caused by the > > functions c2i_ASN1_INTEGER and d2i_ASN1_UINTEGER in file > > crypto\asn1\a_int.c. At lines 244 and 314, th

Re: Connection Resetting

2010-08-30 Thread Sam Jantz
Dave, Thank you for the clarification on HTTP keep-alives. I have just now fixed the bug. The source of the problem was an SSL_read call on the client half of the proxy. This was triggering an error SSL_ERROR_SYSCALL with a ret of zero. According to the documentation this is normally c

Re: [openssl-users] Re: Verify X.509 certificate, openssl verify returns bad signature

2010-08-30 Thread Erwann ABALEA
Today, the third day before the Kalends of September, 2010, Goran Rakic wrote: [...] > I read the other messages in this thread, but I am not an expert in the > field so I do not know if openssl should add a support for "incorrect" > serial numbers. In RFC 3280 there is a note about "Non-conforming CAs" > where section "4.1.2.2 S

Re: Verify X.509 certificate, openssl verify returns bad signature

2010-08-30 Thread Goran Rakic
On Sun, 29. 08 2010. at 04:17 +0200, Mounir IDRASSI wrote: > > After some digging, I found that part of the problem is caused by the > functions c2i_ASN1_INTEGER and d2i_ASN1_UINTEGER in file > crypto\asn1\a_int.c. At lines 244 and 314, there is an if block that > removes any leading zeros. Comment

Re: Another problem with certificate verification...

2010-08-30 Thread Dr. Stephen Henson
On Mon, Aug 30, 2010, Tomás Tormo wrote: > > Finally, I checked the Authority Key Identifier of the EE certificate but > it looks good to me... > > /[amsterdam:/test]# openssl x509 -in admesigna.cer -text > > keyid:B2:D2:89:54:6C:14:8E:84:CC:F4:DA:26:6A:45:9C:27:A9:5C:02:CF >

Re: [openssl-users] Another problem with certificate verification...

2010-08-30 Thread Erwann ABALEA
Today, the third day before the Kalends of September, 2010, Tomás Tormo wrote: [...] >[amsterdam:/morralla/ttormo/ACIndenova]# openssl x509 -in acindenova.cer >-text [...] >    Not Before: Dec  8 08:31:12 2006 GMT >    Not After : Dec  5 08:41:12 2016 GMT [...] >[amsterdam:/test]# openssl x509

Another problem with certificate verification...

2010-08-30 Thread Tomás Tormo
Greetings I have another problem with certificate verification. I get the same error as always with a testing CA we created... we have issued a certificate signed by this CA but we get the same error: *error 20 at 0 depth lookup:unable to get local issuer certificate* After checking if t

Re: [openssl-dev] Re: Verify X.509 certificate, openssl verify returns bad signature

2010-08-30 Thread Erwann ABALEA
Today, the fourth day before the Kalends of September, 2010, Mounir IDRASSI wrote: [...] > Specifically, Peter Gutmann in his X.509 Style Guide says this about this > field : "If you're writing certificate-handling code, just treat the > serial number as a blob which happens to be an encoded integer". This is the kind of advice th

Re: Verify X.509 certificate, openssl verify returns bad signature

2010-08-30 Thread Peter Sylvester
Nit: redundant leading 00 (or FF) in an INTEGER is VALID *B*ER but INVALID *D*ER. And signed things like certs are *D*ER for exactly this reason, so a reconstructed encoding is bit for bit identical and hashes and signatures etc. work. BER is already 'distinguished' concerning the content o