In message <[EMAIL PROTECTED]> on Wed, 19 Jul 2006 07:46:19 +0800, "Bo Xie"
<[EMAIL PROTECTED]> said:
xiebopublic> Does openSSL licence permit to tailor openSSL? e.g., we only need the
xiebopublic> SHA-512 algorithm, so we want to tailor openSSL to only include this
xiebopublic> algorithm in or
Does openSSL licence permit to tailor openSSL? e.g., we only need the
SHA-512 algorithm, so we want to tailor openSSL to only include this
algorithm in order to reduce openSSL's footprint (we have very strict
footprint limitation requirement).
Is it permitted? Thanks!
Best Regards,
Xie, Bo
On 7/18/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
On Tue, Jul 18, 2006, Michael P. Soulier wrote:
> Hello,
>
> If I'm using openssl to manage a CA, and I need to issue a new cert with
> the same CN as a previously issued Cert, is it enough to revoke the
> previous cert with that CN?
>
N
So now I am a little confused about using openssl command line utility as CA
to give out certificates.
What could be the reasons for using anything other than openssl as CA? Are
there security issues?
Are people using openssl as their private CA? are any particular problems
reported regarding the
On Tue, Jul 18, 2006, Michael P. Soulier wrote:
> Hello,
>
> If I'm using openssl to manage a CA, and I need to issue a new cert with
> the same CN as a previously issued Cert, is it enough to revoke the
> previous cert with that CN?
>
Note that there is no problem issuing a certificate with th
> What could be the reasons for using anything other than openssl as CA? Are
> there security issues?
>
> Are people using openssl as their private CA? are any particular problems
> reported regarding the use of openssl as private CA on large scale?
I was designing an open Java/C CA a few years ba
Hello,
> Don't know the specifics but you do need all certs
> till the root CA for verification in the web of
> trust model.
Yes, and the file cacert.pem can have many certificates
or in other words - all needed.
Just add to this file all CA certificates from your
verify path.
Best regards,
--
On 7/18/06, Michael P. Soulier <[EMAIL PROTECTED]> wrote:
Kyle Hamilton wrote:
> You should be able to issue multiple certs to the same CN. One such
> example would be an email-signing certificate, and a separate
> code-signing certificate.
Thanks for the quick answer.
I've had problems doing
Kyle Hamilton wrote:
> Are you using CA.pl for it? (And what's the exact text of the error you
> get?)
No, I'm not. Let me reproduce it and capture it for you.
Mike
__
OpenSSL Project http://www.
Don't know the specifics but you do need all certs
till the root CA for verification in the web of
trust model.
You navigate up and up with the issuername matching
the subject name until both are same.
HTH
--- "Michael P. Soulier" <[EMAIL PROTECTED]>
wrote:
> Marek Marcola wrote:
> > Maybe
Are you using CA.pl for it? (And what's the exact text of the error you get?)
-Kyle H
On 7/18/06, Michael P. Soulier <[EMAIL PROTECTED]> wrote:
Kyle Hamilton wrote:
> You should be able to issue multiple certs to the same CN. One such
> example would be an email-signing certificate, and a sep
Marek Marcola wrote:
> Maybe good and acceptable solution to this problem will be
> just always checking newly created certificate,
> for example with command:
> $ openssl verify -CAfile cacert.pem new_cert.pem
> This should give you information on generated certificate status
> independentl
Kyle Hamilton wrote:
> You should be able to issue multiple certs to the same CN. One such
> example would be an email-signing certificate, and a separate
> code-signing certificate.
Thanks for the quick answer.
I've had problems doing this. The openssl tool complains that there is
already a cer
You should be able to issue multiple certs to the same CN. One such
example would be an email-signing certificate, and a separate
code-signing certificate.
Revocation of the prior one is optional, but is encouraged if the
private key has been lost or compromised.
-Kyle H
On 7/18/06, Michael P.
Hello,
If I'm using openssl to manage a CA, and I need to issue a new cert with
the same CN as a previously issued Cert, is it enough to revoke the
previous cert with that CN?
Thanks,
Mike
--
Michael P. Soulier <[EMAIL PROTECTED]>, 613-592-2122 x2522
"Any intelligent fool can make things bigger
Hello,
> > I think that this returns proper return code, for example
> > (some prepared errors):
>
> I'll have to confirm, but this did not appear to be the case if the tool
> failed to sign a csr due to a preexisting CN already issued in a cert. I
> found just a size-zero file created.
Maybe goo
Marek Marcola wrote:
> I think that this returns proper return code, for example
> (some prepared errors):
I'll have to confirm, but this did not appear to be the case if the tool
failed to sign a csr due to a preexisting CN already issued in a cert. I
found just a size-zero file created.
Mike
--
Great, thanks for that. Now I have some linker issues. My project settings
are set to /MTd so I'm linking against libeay32MTd.lib but no dice. Also,
I heard numerous mentions of INSTALL.W32 but I can't seem to find it;
where is it?
Thanks again,
AJ
-Original Message-
From: [EMAIL PROTECTED]
[m
We have our own CA that uses perl to call openssl directly, and have
used it for several years. We store everything in a database though
instead of relying on openssl's text files that it uses natively.
Right now we are in the process of rewriting the CA in ruby, so we can
use ruby on rails for t
Do you know stunnel ( www.stunnel.org ) ?
You could use that to setup https tunnel.
man evp will give u enuf info on encrypting strings
with OpenSSL.
OpenSSL really is the definitive resource for
cryptography. :-)
Please find attached my code. It may be of use.
regards,
Girish
--- "Mayorga,
On Tue, Jul 18, 2006, Dave Pawson wrote:
> Objective: To generate a certificate and private key for use by MS IIS
> server.
>
>
> Used openssl to create the CA self signed cert.
>
> Generated a cert request using openssl.
> Issued request to the CA.
> CA signs it and generates the cert.
>
> W
On Tue, Jul 18, 2006, Seth Nielson wrote:
>
> where "bp" is the bio, and "passin" is the char* passphrase. It works
> fine for unencrypted keys (passin == NULL), but it fails on encrypted
> keys with the following message:
>
> 26600:error:0906B072:PEM routines:PEM_get_EVP_CIPHER_INFO:unsupport
Hi.
I am writing an application that uses openssl. I need to be able to load
encrypted private keys.
I copied the code out of "openssl/crypto/apps/ec.c" (one of the key
types I'm importing is the ec-key type). Specifically, I call
PEM_read_bio_ECPrivateKey(bp, NULL, NULL, passin);
where "b
Hello all,
I'm having a difficulty trying to find API info.
#1. I need to be able to encrypt strings with AES and pass that off to
other functions that will pass that data over regular http.
#2. For other data I'm looking to setup an https tunnel and pass data
through it.
I chose to look into Op
At 11:14 18.07.2006 +0100, you wrote:
>
>
>I'm a little interested in the three_byte_header situation you raised.
>If I understand the outline correctly you were questioning whether it is
>safe to mix calls of SSL_read() and SSL_write() because when you looked
>over the SSL library code you saw a
Urjit Gokhale wrote:
So now I am a little confused about using openssl command line utility
as CA to give out certificates.
What could be the reasons for using anything other than openssl as CA?
Are there security issues?
Are people using openssl as their private CA? are any particular
problem
Objective: To generate a certificate and private key for use by MS IIS server.
Used openssl to create the CA self signed cert.
Generated a cert request using openssl.
Issued request to the CA.
CA signs it and generates the cert.
We need this certificate to be loaded into an IIS certificate sto
Urjit Gokhale wrote:
Hi,
I am planning to ssl enable my client server application, that I will
be making available for commercial use. In this process I had planned
to use openssl command line utility as CA to give out certificates (I
am going to work as private CA). But just then, I came acro
Hi
I feel lots of people like us do use the OpenSSL CAs. One problem you
would face is to install the CA Cert in each and every client browser
else that would give pop-ups.. Apart from that, I feel this is as much
secure as any commercial CA..
-Krishna
On 7/18/06, Urjit Gokhale <[EMAIL PROTECTED
Hi,
I am planning to ssl enable my client server application, that I will
be making available for commercial use. In this process I had planned
to use openssl command line utility as CA to give out certificates (I
am going to work as private CA). But just then, I came across a s
Hi
The OpenSSL 9.8a has install.w64 file that gives details about how to
compile the same for 64 bit.. We are done with compilation and running
performance tests over the same.. In case anyone else has done this
exercise, please share the results and any issues with 64bit OpenSSL
(if any).. Whil
ok. I understand. But is there any way to do that without programming? This is
a little part of a big project and I'd like to test all steps before
starting to develop. I'd like to know if there is a simple way to create a
verifiable file from the bytes. I tried to use notepad, notepad++ and ot
Hello,
> You understand perfectly. Yes, as you said after some APDU exchange i have a
> stream message digest encrypted with smart card private key. A stream like
> this, for example:
>
> 79 E0 D4 DB AC 47 93 F6 D8 0C E8 FD A9 35 CB 45 64 06 20 D2...and so on...
>
> Now, how can i save this strea
I use RSA_generate_key() function and I can get private key only as pkcs#1.
I can't find out how to convert it to pkcs#8.
Can anyone help me?
--
View this message in context:
http://www.nabble.com/How-to-store-RSA-priv.-key-in-pkcs-8--tf1959792.html#a5375956
Sent from the OpenSSL - User forum at
Here is another interesting one,
What I mean by a null write is allow the write machinery to flush and
emit outstanding data or deal with renegotiation requests that need
write operations to be performed but I won't want to send any new
application data ?
The man page for SSL_write() speci
First of all, thank you for your answer.
You understand perfectly. Yes, as you said after some APDU exchange I have a
stream message digest encrypted with smart card private key. A stream like
this, for example:
79 E0 D4 DB AC 47 93 F6 D8 0C E8 FD A9 35 CB 45 64 06 20 D2...and so on...
Now, how
Henrik Thuermer wrote:
At 15:20 17.07.2006 -0700, you wrote:
Yes, I know that. But in our case there is no renegotiation: SSL_write
never returns an error and if the SSL_read return value is below zero
SSL_get_error returns only WANT_READ. In that case there was never something
in the outgoing BI
Hello,
> Hi all. I'm new here and i have a question.
> I'm working with smart card at low level, without using opensc and other
> software like it; now, i can compute digital signature of a stream of bytes
> obtaining the same result as in OpenSSL. The digital signature is a stream
> of bytes too,
Hi All,
Where do I find the definition for GENERAL_NAME_free? There are few
files using this function.
But I am not able to find the definition for this function. Please can any
one help me.
Thanks,
Jaya.
Trying to find a full list of the options in the conf file please,
and the search order?
http://www.openssl.org/docs/apps/ca.html# shows some
but not all?
E.g. the _default
and _max
_min
etc
TIA
regards
--
Dave Pawson
XSLT XSL-FO FAQ.
http://www.dpawson.co.uk
Girish Venkatachalam wrote:
But did you factor the fact that an SSL renegotiation
or handshake can happen anytime during the
conversation?
That's not strictly true, the receiving end does have a tiny bit of
control over when to process it. From recent discussion in this list my
understanding
Hi all. I'm new here and I have a question.
I'm working with smart card at low level, without using opensc and other
software like it; now, I can compute digital signature of a stream of bytes
obtaining the same result as in OpenSSL. The digital signature is a stream
of bytes too, how can I verify
At 15:20 17.07.2006 -0700, you wrote:
>Excuse me if I am saying the obvious.
>
>But did you factor the fact that an SSL renegotiation
>or handshake can happen anytime during the
>conversation?
Yes, I know that. But in our case there is no renegotiation: SSL_write
never returns an error and if
43 matches