Re: Self-verifying names

2005-11-30 Thread Victor Duchovni
On Wed, Nov 30, 2005 at 09:52:57PM -0500, Sean Rhea wrote: > Okay, but I need to do _some_ verification: No, not really. Clearly OpenSSL has already verified that the client has a private key that matches the public key in the certificate, or else all the certificate checks are pointless. At this

make error

2005-11-30 Thread Jeff Besecker
On SCO Open Server 5 I am receiving an error during the make process. Version of openssl is 0.9.8a. Here is the "make report" output. Any ideas? >> wytest# make report Checking compiler... Creating cctest.a Running make... making all in crypto... cc -I. -I.. -I../include -DDSO_DLFCN -DHA

Re: Self-verifying names

2005-11-30 Thread Sean Rhea
On Nov 30, 2005, at 8:24 PM, Victor Duchovni wrote: Yes, but the verification is optional just tell SSL that the certs verify OK. Postfix only uses fingerprints of verified clients, but you don't have to do that. The machinery is much the same. In the Postfix client, the server verification is

Re: Self-verifying names

2005-11-30 Thread Victor Duchovni
On Wed, Nov 30, 2005 at 06:07:20PM -0500, Sean Rhea wrote: > On Nov 30, 2005, at 4:42 PM, Victor Duchovni wrote: > >This is completely doable. Example code to be found in many SSL > >applications. > > > > http://www.postfix.org/TLS_README.html#server_vrfy_client > > http://www.postfix.org/

Re: Self-verifying names

2005-11-30 Thread Sean Rhea
On Nov 30, 2005, at 4:42 PM, Victor Duchovni wrote: This is completely doable. Example code to be found in many SSL applications. http://www.postfix.org/TLS_README.html#server_vrfy_client http://www.postfix.org/TLS_README.html#server_access http://www.postfix.org/postconf

Re: Self-verifying names

2005-11-30 Thread Victor Duchovni
On Wed, Nov 30, 2005 at 04:18:44PM -0500, Sean Rhea wrote: > All, > > I'm trying to use OpenSSL in a rather peculiar way, and I wonder if > anyone here can help me out. I have two peers. Each has an RSA > public-private key pair and a self-signed X509 certificate. What I'd > like to do i

Self-verifying names

2005-11-30 Thread Sean Rhea
All, I'm trying to use OpenSSL in a rather peculiar way, and I wonder if anyone here can help me out. I have two peers. Each has an RSA public-private key pair and a self-signed X509 certificate. What I'd like to do is establish a TLS connection between the two of them where each can l

Re: Certificates

2005-11-30 Thread Goetz Babin-Ebell
Mark wrote: cat /*.pem >ca.pem openssl verify -CAfile ca.pem cert_to_check works, there is something really strange with your system ... Same error: error 20 at 0 depth lookup:unable to get local issuer certificate This indicates that your CA certificate is not in any of the *.pem files in you

Re: Authentication

2005-11-30 Thread Victor Duchovni
On Wed, Nov 30, 2005 at 07:32:07PM +0100, Peter Sylvester wrote: > > C=FR;O=JANUS;CN="server1";CN=server2" > > What I mean with LAST is: The code gives server1, but what should be > compared should be server2 > AFAIK multiple CNs are not valid in the context of at least server certificates.

Re: Authentication

2005-11-30 Thread Peter Sylvester
C=FR;O=JANUS;CN="server1";CN=server2" What I mean with LAST is: The code gives server1, but what should be compared should be server2 Victor Duchovni wrote: On Wed, Nov 30, 2005 at 06:40:38PM +0100, Peter Sylvester wrote: The code below gives the FIRST Common Name RDN, not the last one

Re: Authentication

2005-11-30 Thread Victor Duchovni
On Wed, Nov 30, 2005 at 06:40:38PM +0100, Peter Sylvester wrote: > The code below gives the FIRST Common Name RDN, not the last one in the > hierarchy to be tested as a servername in tls. Yes, that is its purpose, verifying DNS names in server certificates. There is more code (not shown) that fi

RE: cipher suite names in 0.9.8

2005-11-30 Thread Frédéric Donnat
Be careful with some typo error. My openssl 0.9.7e does not accept this "RSA-AES256", but accepts "RSA:AES256". Just have a look at 0.9.7e output: [] # openssl version OpenSSL 0.9.7e 25 Oct 2004 [] linux # openssl s_client -connect 195.30.6.166:443 -cipher RSA-AES256 CONNECTED(0003) 21115:err

Re: Authentication

2005-11-30 Thread Bear Giles
Peter Sylvester wrote: > Bear Giles wrote: >> The Common Name. You could use it as an LDAP key, convert it to a >> string and use that as a key into a database, etc. >> > You probably mean the Subject DN. Yes. oops. I need to get better at proofreading. :) _

Re: Authentication

2005-11-30 Thread Peter Sylvester
The code below gives the FIRST Common Name RDN, not the last one in the hierarchy to be tested as a servername in tls. But well, if you only have one occurrence of common name :-) Anyway, the WHOLE DN, i.e. all attributes together are supposed to be unique in a CA. Of course, if your private

Re: Authentication

2005-11-30 Thread Peter Sylvester
Bear Giles wrote: Mark wrote: What feature of a certificate could I use to provide a unique key in a database table for this? How could this be extracted in a program? The Common Name. You could use it as an LDAP key, convert it to a string and use that as a key into a database, etc.

Re: cipher suite names in 0.9.8

2005-11-30 Thread Daniel Tiefnig
Frédéric Donnat wrote: > I think you made an error: > - RSA with AES and SHA is: AES256-SHA Hmm, I already thought that "RSA-AES256" may not be valid. So this is a bug in openssl 0.9.7e, as it does accept "RSA-AES256" as a cipher selection? > Hope it could help, Thanks for your response. lg,

RE: cipher suite names in 0.9.8

2005-11-30 Thread Frédéric Donnat
Hi, I think you made an error: - RSA with AES and SHA is: AES256-SHA Just have a look at openssl ciphers -v output. [EMAIL PROTECTED] gcb]$ LD_LIBRARY_PATH=/usr/local/ossl-0.9.8/lib /usr/local/ossl-0.9.8/bin/openssl ciphers -v | grep AES DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=

Re: Authentication

2005-11-30 Thread Victor Duchovni
On Wed, Nov 30, 2005 at 04:28:04PM -, Mark wrote: > Hi Bear, > > > Mark wrote: > > > What feature of a certificate could I use to provide a unique key > > > in a database table for this? How could this be extracted in a > > > program? > > > > The Common Name. You could use it as an LDAP

RE: Authentication

2005-11-30 Thread Mark
Hi Bear, > Mark wrote: > > What feature of a certificate could I use to provide a unique key > > in a database table for this? How could this be extracted in a > > program? > > The Common Name. You could use it as an LDAP key, convert it to a > string and use that as a key into a database, etc.

Need help creating SPKAC browser cert

2005-11-30 Thread Daniel
Hi, I need to force a client browser to authenticate itself against a server before the server can show any content back. For this to happen Mozilla compatible browsers count with a 'KEYGEN' html tag so the client to create a key pair and then send a request. For a long time this was th

Re: Authentication

2005-11-30 Thread Bear Giles
Mark wrote: > What feature of a certificate could I use to provide a unique key > in a database table for this? How could this be extracted in a > program? The Common Name. You could use it as an LDAP key, convert it to a string and use that as a key into a database, etc. One important nit -- you

Re: b-etch: problems with openssl-0.9.8a

2005-11-30 Thread Victor Duchovni
On Tue, Nov 29, 2005 at 09:21:19PM +0300, Dmitry Belyavsky wrote: > > > 4119:error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad > > > record mac:s3_pkt.c:426: > > > > > > What's wrong? > > > > > > > http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/2005-November/000418.

RE: Authentication

2005-11-30 Thread Mark
Hi, Thank you Bear and Ted for your responses. > On the server side, why not maintain a database of clients and > FQDNs or IP addresses? What you gain in flexibility should more > than offset the increased complexity in the code. This is one of the options I am considering and, indeed, it does

Re: Authentication

2005-11-30 Thread Bernhard Froehlich
Mark wrote: Hi All, Thanks again to all here who helped me with my understanding of Certificates. It is likely that we would want to embed some additional data in client certificates to further enhance security. For example we may wish to include a (list of) IP address(es) that the client can

Re: Authentication

2005-11-30 Thread Bear Giles
Mark wrote: > It is likely that we would want to embed some additional data in > client certificates to further enhance security. For example we > may wish to include a (list of) IP address(es) that the client > can connect from and reject those not on the list. Alternatively > we could create a

Authentication

2005-11-30 Thread Mark
Hi All, Thanks again to all here who helped me with my understanding of Certificates. It is likely that we would want to embed some additional data in client certificates to further enhance security. For example we may wish to include a (list of) IP address(es) that the client can connect from a

Re: A Few General OpenSSL Questions...

2005-11-30 Thread Cesc
On 11/30/05, Usman Riaz <[EMAIL PROTECTED]> wrote: > b. Secondly, I set the SSL version to 3 via "SSLv3_method" and wait for > client to connect. When the client connects (client is a FireFox browser, > with SSLv2,3 & TLSv1 enabled), on the server side when I try to read from > the bio (after writi

A Few General OpenSSL Questions...

2005-11-30 Thread Usman Riaz
Hi*! I am implementing SSL support for my IOCP server using bio pairs. I would like if someone can throw some light on the following ... a. Do the bio pairs support full duplex data flow, like for example I get some data from client that's less than a complete SSL record, I write that inco

cipher suite names in 0.9.8

2005-11-30 Thread Daniel Tiefnig
Hej, there seems to be a change in how openssl interprets cipher suite names between (at least) 0.9.7e and 0.9.8. With 0.9.7e one gets: $ openssl s_client -cipher RSA-AES256 connect: Connection refused And with 0.9.8: $ openssl s_client -cipher RSA-AES256 error setting cipher list So, is this

RE: Certificates

2005-11-30 Thread Mark
Hi Goetz, > >> cat /*.pem >ca.pem > >> openssl verify -CAfile ca.pem cert_to_check > >> works, there is something really strange with your system ... > > > > Same error: > > > > error 20 at 0 depth lookup:unable to get local issuer certificate > > This indicates that your CA certificate is not