We've seen a number of Cisco AnyConnect VPN servers which don't have the
SSL server purpose bit set in their certificate.
We have a workaround¹ but I've just received a complaint that this
workaround doesn't work correctly with older (<0.9.8k) versions of
OpenSSL.
Does the patch below make sense?
On 23/03/10 8:50 PM, PGNet Dev wrote:
> On Tue, Mar 23, 2010 at 4:54 PM, Patrick Patterson
> wrote:
>>> where "OCSP.cert.pem" is a single-purpose cert, only for the OCSP responder.
>>>
>> I hope you realize that there are MANY warnings against doing this for
>> other than test purposes - for one t
On Tue, Mar 23, 2010 at 5:41 PM, Dr. Stephen Henson wrote:
> If you aren't sorry you did you might be the first person who isn't. Just
> warning you...
noted.
> It's a deprecated extension from long ago. Best leave it out all together.
didn't realize. do now,
http://www.openssl.org/docs/app
On Tue, Mar 23, 2010 at 4:54 PM, Patrick Patterson
wrote:
>> where "OCSP.cert.pem" is a single-purpose cert, only for the OCSP responder.
>>
> I hope you realize that there are MANY warnings against doing this for
> other than test purposes - for one thing, the server will fall over and
> die if i
On Tue, Mar 23, 2010, PGNet Dev wrote:
> hi,
>
> On Tue, Mar 23, 2010 at 4:56 PM, Dr. Stephen Henson wrote:
> >> Which, if any/all, of the "Digital Signature, Non Repudiation, Key
> >> Encipherment" KeyUsage specifications are required, if this cert will
> >> be used ONLY for/by the OCSP respond
hi,
On Tue, Mar 23, 2010 at 4:56 PM, Dr. Stephen Henson wrote:
>> Which, if any/all, of the "Digital Signature, Non Repudiation, Key
>> Encipherment" KeyUsage specifications are required, if this cert will
>> be used ONLY for/by the OCSP responder daemon?
>>
>
> Well Key Encipherment is not requi
Hi there:
On 23/03/10 7:39 PM, PGNet Dev wrote:
> I'm planning to run openssl ocsp in server mode,
>
> openssl ocsp \
> -index /svr/demoCA/index.txt \
> -port \
> -CA /svr/demoCA/certs/CA/CA.cert.pem \
> -rsigner /svr/demoCA/crl/OCSP.cert.pem \
> -rkey /svr/demoCA/crl/OCSP.privkey.pem
On Tue, Mar 23, 2010, PGNet Dev wrote:
> I'm planning to run openssl ocsp in server mode,
>
> openssl ocsp \
> -index /svr/demoCA/index.txt \
> -port \
> -CA /svr/demoCA/certs/CA/CA.cert.pem \
> -rsigner /svr/demoCA/crl/OCSP.cert.pem \
> -rkey /svr/demoCA/crl/OCSP.privkey.pem \
> -tex
I'm planning to run openssl ocsp in server mode,
openssl ocsp \
-index /svr/demoCA/index.txt \
-port \
-CA /svr/demoCA/certs/CA/CA.cert.pem \
-rsigner /svr/demoCA/crl/OCSP.cert.pem \
-rkey /svr/demoCA/crl/OCSP.privkey.pem \
-text -out /var/log/ocsp.log
where "OCSP.cert.pem" is a singl
On Tue, Mar 23, 2010, Victor Duchovni wrote:
>
> Last time I asked (around October 2009), the best guess was that 1.0.0
> would be released by year end. Then the whole renegotiation mess hit,
> and priorities changed...
>
> Is there a new estimated release timeline? I'd like to use 1.0.0 for
On Tue, Mar 23, 2010, Dr. Stephen Henson wrote:
> Another possible cause is multiple closes on the same file descriptor in a
> multi threaded application. I saw this once myself where the SSL_free() closed
> the file descriptor and the application itself closed it as well.
The application is send
Hi everyone,
I am working on a project which combines several 3rd party libraries. Two
of these libraries depend upon openssl, however in differing versions.
Since I don't have the source for these 3rd party libraries, I can't
rebuild them to a common version of openSSL.
The problem I'm having is o
On 23/03/10 3:09 PM, Konrads Smelkovs wrote:
> What are the risk moments here? Why was this clause put in?
Probably due to the complexity of handling the trust path correctly -
most clients can't do even the most simple checks required by
RFC5280/3280 - expecting to have the client know somehow th
Last time I asked (around October 2009), the best guess was that 1.0.0
would be released by year end. Then the whole renegotiation mess hit,
and priorities changed...
Is there a new estimated release timeline? I'd like to use 1.0.0 for some
internal projects, but don't want to wait forever, so
On Mon, Mar 22, 2010 at 04:23:53PM -0700, Claus Assmann wrote:
> It should probably be
>
> ssl_errno = SSL_get_error(ssl, rc);
>
> but even then I get SSL_ERROR_SYSCALL and errno=EBADF using sendmail
> 8, while previously it didn't complain about errors.
For what it's worth, Postfix calls
What are the risk moments here? Why was this clause put in?
--
Konrads Smelkovs
Applied IT sorcery.
On Tue, Mar 23, 2010 at 8:21 PM, Patrick Patterson <ppatter...@carillonis.com> wrote:
> Hi Konrads:
>
> No, in order for trust model 2 to work, the OCSP responder would have to be
> signed by the
Understood, this indeed is the case.
Is it a violation of good practice, RFC? What are the security risks?
--
Konrads Smelkovs
Applied IT sorcery.
On Tue, Mar 23, 2010 at 7:44 PM, Dr. Stephen Henson wrote:
> On Tue, Mar 23, 2010, Konrads Smelkovs wrote:
>
> > Hi,
> > The OCSP responder has EKU=
On Tue, Mar 23, 2010, Eisenacher, Patrick wrote:
> Hi Steve,
>
> > -Original Message-
> > From: Dr. Stephen Henson
> >
> > There are two automatic trust models for OCSP responder
> > certificates. One is the CA key that signed the
> > certificate also signs responses: that isn't
> > recom
Hi Steve,
> -Original Message-
> From: Dr. Stephen Henson
>
> There are two automatic trust models for OCSP responder
> certificates. One is the CA key that signed the
> certificate also signs responses: that isn't
> recommended for security reasons.
can you please elaborate on this?
Tha
Hi Konrads:
No, in order for trust model 2 to work, the OCSP responder would have to be
signed by the intermediate CA, not the root CA.
The "Root CA is authoritative to delegate OCSP responses over the entire subCA
tree" (which is the model you are using), is unsupported under RFC2560.
Change
On Tue, Mar 23, 2010, Darryl Miles wrote:
> Claus Assmann wrote:
>> It should probably be
>> ssl_errno = SSL_get_error(ssl, rc);
>
> Ah yes you could be correct on that, please consult the SSL_get_error()
> documentation for correct usage.
>
>
>> but even then I get SSL_ERROR_SYSCALL and err
On Tue, Mar 23, 2010, Konrads Smelkovs wrote:
> Hi,
> The OCSP responder has EKU=OCSP:
>
>X509v3 extensions:
> X509v3 Subject Key Identifier:
> 2B:6E:08:08:9D:92:5A:59:CB:BB:46:89:77:E8:A0:17:47:82:88:5C
> X509v3 Extended Key Usage:
>
On Tue, Mar 23, 2010, Adam Grossman wrote:
> hello.
>
> After FIPS_set_mode() passes, and I am in FIPS mode, is there any way to
> retrieve a version string, such as "FIPS 1.2" or anything like that, so
> I can verify that the correct FIPS module is being used?
>
Not directly but the 1.2 module
Hi!
I am very inexperienced with C so please bear with my question:
I am working on a project which uses a third-party library LibRTMP
which in turn uses OpenSSL (v0.9.8m). I managed to compile all three
components (OpenSSL, LibRTMP and my project) using MinGW+MSYS on
Windows XP. My problem is t
Hi,
The OCSP responder has EKU=OCSP:
X509v3 extensions:
X509v3 Subject Key Identifier:
2B:6E:08:08:9D:92:5A:59:CB:BB:46:89:77:E8:A0:17:47:82:88:5C
X509v3 Extended Key Usage:
OCSP
X509v3 Key Usage:
Digital Si
hello.
After FIPS_set_mode() passes, and I am in FIPS mode, is there any way to
retrieve a version string, such as "FIPS 1.2" or anything like that, so
I can verify that the correct FIPS module is being used?
thank you,
-=- adam grossman
Claus Assmann wrote:
It should probably be
ssl_errno = SSL_get_error(ssl, rc);
Ah yes you could be correct on that, please consult the SSL_get_error()
documentation for correct usage.
but even then I get SSL_ERROR_SYSCALL and errno=EBADF using sendmail
8, while previously it didn'
On Tue, Mar 23, 2010, Konrads Smelkovs wrote:
> Hello,
>
> I am running OpenSSL 0.9.8g 19 Oct 2007. I have a certificate for which I
> want to check OCSP response.
> Root chain is added to root list. OpenSSL says all of it is OK:
> Chain has three level architecture - Root which Signs OCSP & Poli
On Tue, Mar 23, 2010, Thomas Guettler wrote:
> Hi,
>
> I try to verify the file 'data'. The signature is in file 'sig' and the
> public key in 'pub_key.pem'
>
> But it fails. Can someone please help me? What I am doing wrong?
>
> u...@host> bin/openssl pkeyutl -verify -in data -sigfile sig -p
Hi,
I try to verify the file 'data'. The signature is in file 'sig' and the public
key in 'pub_key.pem'
But it fails. Can someone please help me? What I am doing wrong?
u...@host> bin/openssl pkeyutl -verify -in data -sigfile sig -pubin -inkey
pub_key.pem
Public Key operation error
1397387149
Hello,
I am running OpenSSL 0.9.8g 19 Oct 2007. I have a certificate for which I
want to check OCSP response.
Root chain is added to root list. OpenSSL says all of it is OK:
Chain has three level architecture - Root which Signs OCSP & Policy, Policy
which signs issuing CA which signs subscriber CA