> From: owner-openssl-us...@openssl.org On Behalf Of
rober...@mail.uni-paderborn.de
> Sent: Thursday, 16 February, 2012 03:07
> To: openssl-users@openssl.org
> Subject: Define own x.509v3 Extension, "myterious zeros"
>
> Hallo mailing list.
>
> I want to define an own Extension for a specific usa
Hi Kevin,
I encountered this problem when compiling the 1.2.3 FIPS object module some
time ago, with exactly the same compiler. After some experimentation I managed
to get it to embed the fingerprint correctly using the following compiler
options:
-fno-common -fdata-sections -ffunction-section
From what I saw in OpenSSL site and the user guide, the FIPS object module is
only compatible with OpenSSL 0.9.8, not 1.0. Is that still valid? Does that
mean if I cannot use that module to work with OpenSSL 1.0?
The FIPS 140 certification number 1051 is for source code module and from what
I
2012/2/16 Iñaki Baz Castillo :
> That's not true. Regardless there is peer certificate or not, and
> regardless there is peer chain of certificates or not, the function
> returns a pointer to STACK_OF(X509) (rather than STACKOF). Then I can
> do sk_X509_num(sk) to get the numbers of certs in the c
2012/2/16 Iñaki Baz Castillo :
> As far as I see, SSL_get_peer_cert_chain(ssl) does never return NULL,
> regardless the client presented a single certificate, a certificate +
> chain of certificates, or no certificate at all. Am I miss something?
> SSL_get_peer_cert(ssl) does return NULL in case of
If this subject varies based on context, then I'm specifically focusing on
generating private keys / certs via "openssl" command-line tools on linux
(rhel/centos) for use in https, etc.
My question is, assuming servers are generated from VM snapshots or clones,
or restored from backups, or oth
2012/2/16 Iñaki Baz Castillo :
> Now I've realized that in case the client presents a chain of public
> certificates (rather than a single certificate) the function
> SSL_get_peer_certificate (or maybe the functions PEM_write_bio_X509 or
> BIO_read) just takes the first certificate in the chain.
>
2012/2/16 Iñaki Baz Castillo :
> However I've already got it:
>
> X509 *client_X509;
> unsigned char client_PEM_string[10*1024];
> size_t client_PEM_string_len = sizeof(client_PEM_string);
> BIO *bio;
> int res;
>
> if ((client_X509 = SSL_get_peer_certificate(ctx))) {
> b
2012/2/16 :
> well, I think the certificate is coded in base64. so write it to file, run
> openssl base64 -d -in file -out newfile
> and read the newfile in. or start parsing it an pipe the output to your
> application.
Well, this is to run within a server application so I cannot write to
a file
> From: John Hascall
> To: openssl-users@openssl.org,
> Date: 02/16/2012 09:54 AM
>
> Richard writes:
> > Well, seeding the PRNG correctly seems not to be a trivial task,
>
> Which is really sad, because you can buy a hardware RNG
> for diddly-squat these days, for example http://www.entropykey
well, I think the certificate is coded in base64. so write it to file, run
openssl base64 -d -in file -out newfile
and read the newfile in. or start parsing it an pipe the output to
your application.
Zitat von Iñaki Baz Castillo :
Hi, after the SSL/TLS handshake from a client I want to get
Hallo mailing list.
I want to define an own Extension for a specific usage, how can I do that?!
And there is something I wonder about while reading documentations of
x.509 Format: Using RSA with sha 1, on some places in the certificate
(between key header and the header of the structure with
2012/2/16 Jakob Bohm :
> I think the PEM formatting (a line with dashes, the
> Base64 lines and another line with dashes) is currently
> tied to writing and reading files via the BIO layer.
>
> So you would have to set up a "memory" BIO handle, then
> tell the X509 routines to save the certificate
On 2/16/2012 5:53 PM, Iñaki Baz Castillo wrote:
Hi, after the SSL/TLS handshake from a client I want to get the
client's certificate(s) in PEM format (so I get a string I can print
somewhere).
So I do:
X509 *client_cert;
if ((client_cert = SSL_get_peer_certificate(ssl))) {
# Printf g
012/2/16 Iñaki Baz Castillo :
> Hi, after the SSL/TLS handshake from a client I want to get the
> client's certificate(s) in PEM format (so I get a string I can print
> somewhere).
>
> So I do:
>
> X509 *client_cert;
> if ((client_cert = SSL_get_peer_certificate(ssl))) {
> # Printf got cert in
Hi, after the SSL/TLS handshake from a client I want to get the
client's certificate(s) in PEM format (so I get a string I can print
somewhere).
So I do:
X509 *client_cert;
if ((client_cert = SSL_get_peer_certificate(ssl))) {
# Printf got cert in PEM format
}
Now my question is: how ca
Richard writes:
> Well, seeding the PRNG correctly seems not to be a trivial task,
Which is really sad, because you can buy a hardware RNG
for diddly-squat these days, for example http://www.entropykey.co.uk/
John
---
On Thu, Feb 16, 2012, Jakob Bohm wrote:
> On 2/16/2012 11:36 AM, Magosányi Árpád wrote:
> >Hi!
> >
> >Is the sentence "It checks that p and q are in fact prime, and
> >that n = p*q" in RSA_check_key's documentation mean that it checks
> >for weak primes, like the ones mentioned here?:
> >http://ar
Am 16.02.2012 12:17, schrieb Jakob Bohm:
2. Creating primes starts with high quality random numbers,
such that there are a gigantic number of possible primes.
If done correctly (like in current OpenSSL versions), the
chance of choosing the same prime as somebody else is
extremely low (again, I h
On Thu, Feb 16, 2012, john hagen wrote:
> Can someone shed some light on the following?
>
> I'm able to 'verify' via the command line like this:
> "# env OPENSSL_FIPS=1 ./openssl dgst -sha512 -verify pub.pem
> -signature format.sign format.c
> Verified OK"
>
> Programmatically I get the followin
Can someone shed some light on the following?
I'm able to 'verify' via the command line like this:
"# env OPENSSL_FIPS=1 ./openssl dgst -sha512 -verify pub.pem
-signature format.sign format.c
Verified OK"
Programmatically I get the following runtime error.
"(error:0407708E:rsa routines:RSA_verify
On 2/16/2012 11:36 AM, Magosányi Árpád wrote:
Hi!
Is the sentence "It checks that p and q are in fact prime, and that n
= p*q" in RSA_check_key's documentation mean that it checks for weak
primes, like the ones mentioned here?:
http://arstechnica.com/business/news/2012/02/crypto-shocker-four-
Hi!
Is the sentence "It checks that p and q are in fact prime, and that n =
p*q" in RSA_check_key's documentation mean that it checks for weak primes,
like the ones mentioned here?:
http://arstechnica.com/business/news/2012/02/crypto-shocker-four-of-every-1000-public-keys-provide-no-security.ars
On 2/16/2012 10:29 AM, T. Valent wrote:
4. Configure each serverX to accept client certificates
issued by old-groupX-cert OR new-groupX-cert (most server
software can be configured with a list of valid
client-cert-issuers and the SSL protocol supports that).
More or less that's the way to go.
T
> > With Git, Mercurial and other revision control systems
> > available. Why is OpenSSL still suck on CVS?
>
> Moving a mature project off of CVS is not trivial.
Also, why move at all?
People can development features with let's say GIT, even
in teams and concurrently, and then checking in to C
On 2/12/2012 4:56 AM, Ryan Brown wrote:
With Git, Mercurial and other revision control systems available. Why
is OpenSSL still suck on CVS?
Besides the reply about how hard it is to migrate,
I have had bad experiences and/or too scary stories
with most of the other systems.
CVS classic (not th
> 4. Configure each serverX to accept client certificates
> issued by old-groupX-cert OR new-groupX-cert (most server
> software can be configured with a list of valid
> client-cert-issuers and the SSL protocol supports that).
More or less that's the way to go.
That's what I've come up with (yet
27 matches
Mail list logo