openssl for self signed certificates

2013-07-31 Thread Indtiny s
Hi, Since openssl 1.0.1c doesn't support ECDHE-ECDSA-AES128-CCM cipher suite, I added this support in the openssl code. It works fine with ECC certificates which are not self-signed. When I process my ECC self-signed certificate, my webserver is throwing X5*

Re: openssl for self signed certificates

2013-07-31 Thread Jakob Bohm
On 31-07-2013 08:22, Indtiny s wrote: Hi, Since openssl 1.0.1c doesn't support ECDHE-ECDSA-AES128-CCM cipher suite, I added this support in the openssl code. It works fine with ECC certificates which are not self-signed. When I process my ECC self-signed certificate, my webserver is throwing

RE: OCSP and self signed

2013-07-31 Thread Eisenacher, Patrick
-Original Message- From: Jakob Bohm On 30-07-2013 20:53, Walter H. wrote: On 30.07.2013 19:51, Eisenacher, Patrick wrote: In Boolean logic, we have the following possibilities: - Root is trusted, so the revocation is valid, so the root is not trusted. This is a

SSL error after machine restart.

2013-07-31 Thread Rajeev Tomar
Hi, We are using openssl 0.9.8 in our application. Things are working fine and suddenly we are having . Linux awtah.dispatchserver1 3.6.11-1.fc16.i686 #1 SMP Mon Dec 17 21:36:23 UTC 2012 i686 i686 i386 GNU/Linux error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record

Re: SUIT-B supported cert/keys

2013-07-31 Thread mehroz
anyone? -- View this message in context: http://openssl.6102.n7.nabble.com/SUIT-B-supported-cert-keys-tp45753p46006.html Sent from the OpenSSL - User mailing list archive at Nabble.com.

Re: OCSP and self signed

2013-07-31 Thread Jakob Bohm
On 31-07-2013 11:02, Eisenacher, Patrick wrote: -Original Message- From: Jakob Bohm On 30-07-2013 20:53, Walter H. wrote: On 30.07.2013 19:51, Eisenacher, Patrick wrote: In Boolean logic, we have the following possibilities: - Root is trusted, so the revocation is valid, so the root

Re: SSL error after machine restart.

2013-07-31 Thread Jakob Bohm
On 31-07-2013 11:16, Rajeev Tomar wrote: Hi, We are using openssl 0.9.8 in our application. Things are working fine and suddenly we are having . Linux awtah.dispatchserver1 3.6.11-1.fc16.i686 #1 SMP Mon Dec 17 21:36:23 UTC 2012 i686 i686 i386 GNU/Linux error:1408F119:SSL

RE: OCSP and self signed

2013-07-31 Thread Eisenacher, Patrick
-Original Message- From: Jakob Bohm On 31-07-2013 11:02, Eisenacher, Patrick wrote: -Original Message- From: Jakob Bohm On 30-07-2013 20:53, Walter H. wrote: On 30.07.2013 19:51, Eisenacher, Patrick wrote: Jakob, I don't understand your reasoning here. You

Re: openssl for self signed certificates

2013-07-31 Thread Indtiny s
Hi, If there are no v3 extensions in the certificate, verify goes fine. If I add keyUsage, I get the below error. *X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE* But as per the standard which I have followed for certificate generation, I have to create the certificate with these extensions. is
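The behaviour reported above has a concrete cause. In OpenSSL 1.0.x the chain builder decides whether a certificate is its own issuer with X509_check_issued(), and that function rejects an issuer whose keyUsage extension is present but lacks keyCertSign (RFC 5280 section 4.2.1.3). A self-signed certificate that carries keyUsage = digitalSignature alone is therefore no longer recognised as self-issued, the one-certificate chain has no issuer at all, and verification stops with error 21, X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE. Adding keyCertSign (and basicConstraints CA:TRUE) to the self-signed certificate is what makes it acceptable as its own trust anchor. The script below is an added example, not code from the thread; it assumes the openssl command line (1.1.1 or 3.x) is on PATH, and the config section names, file names and the subject /CN=self-signed-test are made up for the demonstration. Newer OpenSSL releases deliberately tolerate a non-CA self-signed certificate in the trust store, so the rejected case is printed rather than relied on.

```shell
#!/bin/sh
# Added example (not from the thread): does a self-signed EC certificate still
# qualify as its own issuer once a keyUsage extension is present?
# Assumes the openssl CLI (1.1.1 or 3.x); all names below are made up.
WORKDIR=$(mktemp -d)

write_config() {
    cat > "$WORKDIR/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = self-signed-test
# keyUsage that does NOT cover certificate signing: under RFC 5280 4.2.1.3 this
# key may not have signed any certificate, including its own
[ ku_sign_only ]
keyUsage = critical, digitalSignature
# what a self-signed certificate needs if it is to serve as a trust anchor
[ ku_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, digitalSignature, keyCertSign, cRLSign
EOF
}

# make_self_signed <extension section> <basename>: P-256 key plus a
# self-signed certificate carrying the extensions of that section
make_self_signed() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORKDIR/$2.key"
    openssl req -x509 -new -key "$WORKDIR/$2.key" -config "$WORKDIR/ext.cnf" \
        -extensions "$1" -days 1 -out "$WORKDIR/$2.pem"
}

# has_key_cert_sign <basename>: exit 0 if the keyUsage includes keyCertSign
# ("Certificate Sign" in the -text rendering)
has_key_cert_sign() {
    openssl x509 -in "$WORKDIR/$1.pem" -noout -text | grep -q 'Certificate Sign'
}

# verify_self <basename>: exit 0 if the certificate verifies with itself as the
# only trust anchor, i.e. OpenSSL accepts it as its own issuer
verify_self() {
    openssl verify -CAfile "$WORKDIR/$1.pem" "$WORKDIR/$1.pem" >/dev/null 2>&1
}

write_config
make_self_signed ku_sign_only leaf
make_self_signed ku_ca ca
for name in leaf ca; do
    if has_key_cert_sign "$name"; then ku="keyCertSign present"; else ku="keyCertSign absent"; fi
    if verify_self "$name"; then
        echo "$name ($ku): accepted as its own trust anchor"
    else
        echo "$name ($ku): rejected as its own trust anchor"
    fi
done
```

Run it as-is; the `ca` certificate verifies against itself on every OpenSSL release, while the `leaf` certificate (keyUsage without keyCertSign) is the shape that 1.0.1 reports as error 21. Dump either file with `openssl x509 -noout -text` to confirm which keyUsage bits the generator actually wrote before blaming the verifier.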

how to do SSL_shutdown()

2013-07-31 Thread Priyaranjan Nayak
Hi All, I am using openssl-1.0.1c in our project. When SSL_shutdown(ssl) gets executed it returns 0. If I get return value zero then I call the same SSL_shutdown(ssl) again. The 2nd time it returns -1. Can anyone tell me how to shutdown the ssl context? How can I execute SSL_shutdown(ssl), so

Re: OCSP and self signed

2013-07-31 Thread Walter H.
Eisenacher, Patrick wrote: -Original Message- From: Jakob Bohm On 31-07-2013 11:02, Eisenacher, Patrick wrote: -Original Message- From: Jakob Bohm On 30-07-2013 20:53, Walter H. wrote: On 30.07.2013 19:51, Eisenacher, Patrick wrote: Jakob, I don't

Re: OCSP and self signed

2013-07-31 Thread Jakob Bohm
On 31-07-2013 16:01, Walter H. wrote: Eisenacher, Patrick wrote: -Original Message- From: Jakob Bohm On 31-07-2013 11:02, Eisenacher, Patrick wrote: -Original Message- From: Jakob Bohm On 30-07-2013 20:53, Walter H. wrote: On 30.07.2013 19:51, Eisenacher, Patrick wrote:

Re: OCSP and self signed

2013-07-31 Thread Walter H.
On 31.07.2013 16:47, Jakob Bohm wrote: the only cert that can't be checked by OCSP is the root cert itself; This is where I disagree, can you point me to an actual reason why not, which is not refuted by my logical ABC argument above. the Authority Information Access extension does not make

RE: OCSP and self signed

2013-07-31 Thread Eisenacher, Patrick
-Original Message- From: Walter H. Eisenacher, Patrick wrote: -Original Message- From: Jakob Bohm As I said before, there's no pki-inherent mechanism to revoke a self signed certificate other than to remove it from your truststore. not really; a CA that has to revoke

RE: OCSP and self signed

2013-07-31 Thread Salz, Rich
This is not possible according to PKIX. RFC5280 states The trust anchor for the certification path [of the crl] MUST be the same as the trust anchor used to validate the target certificate. The root certificate creates a crl-signing cert. The root certificate includes a cRLDistributionPoint

Re: OCSP and self signed

2013-07-31 Thread Jakob Bohm
On 31-07-2013 19:56, Salz, Rich wrote: This is not possible according to PKIX. RFC5280 states The trust anchor for the certification path [of the crl] MUST be the same as the trust anchor used to validate the target certificate. The root certificate creates a crl-signing cert. The root

RE: OCSP and self signed

2013-07-31 Thread Salz, Rich
Wouldn't it be just as good to have a cRLDistributionPoint which does not restrict the available ReasonFlags and then put cACompromise in the CRL if/when that disaster happens? No, because with my idea you a priori restrict the crlDP to be only CA revocation. Wouldn't it be equally

Re: OCSP and self signed

2013-07-31 Thread Jakob Bohm
On 31-07-2013 22:11, Salz, Rich wrote: Wouldn't it be just as good to have a cRLDistributionPoint which does not restrict the available ReasonFlags and then put cACompromise in the CRL if/when that disaster happens? No, because with my idea you a priori restrict the crlDP to be only CA
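The RFC 5280 sentence quoted earlier in this thread (section 6.3.3: the certification path of a CRL MUST end in the same trust anchor as the certificate being checked) is easy to see in action with the openssl tooling, and it frames what the thread argues about. The script below, an added example rather than anything posted in the thread, builds a root CA and a subordinate CA, lets the root publish a CRL, and has a relying party validate the subordinate with -crl_check: the CRL is accepted only because it verifies under root.pem, the same anchor that validates sub.pem. It then revokes the subordinate with reason CACompromise (the reason code discussed above) and shows the verification flip to "certificate revoked". It does not attempt the disputed root self-revocation: whatever the CRL or OCSP encoding, a statement that the root key is revoked can only be checked with the root key. Assumptions: the openssl command line (1.1.1 or 3.x) on PATH; the config sections, the subjects /CN=root and /CN=sub, and every file name are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): a root CA revokes a subordinate CA via a
# CRL the root signs, and the relying party validates that CRL under the same
# trust anchor as the certificate (RFC 5280 6.3.3). Assumes the openssl CLI
# (1.1.1 or 3.x); config, subjects and file names are made up.

# ca_setup: fresh working directory, a root CA and one subordinate CA it issued
ca_setup() {
    CADIR=$(mktemp -d)
    mkdir -p "$CADIR/newcerts"
    : > "$CADIR/index.txt"
    echo 01 > "$CADIR/serial"
    echo 01 > "$CADIR/crlnumber"
    cat > "$CADIR/ca.cnf" <<EOF
[ ca ]
default_ca = root_ca
[ root_ca ]
dir              = $CADIR
database         = $CADIR/index.txt
serial           = $CADIR/serial
crlnumber        = $CADIR/crlnumber
new_certs_dir    = $CADIR/newcerts
certificate      = $CADIR/root.pem
private_key      = $CADIR/root.key
default_md       = sha256
default_days     = 1
default_crl_days = 1
policy           = policy_any
unique_subject   = no
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
[ v3_root ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_sub ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$CADIR/root.key"
    openssl req -x509 -new -key "$CADIR/root.key" -config "$CADIR/ca.cnf" \
        -extensions v3_root -subj /CN=root -days 1 -out "$CADIR/root.pem"
    openssl ecparam -name prime256v1 -genkey -noout -out "$CADIR/sub.key"
    openssl req -new -key "$CADIR/sub.key" -config "$CADIR/ca.cnf" \
        -subj /CN=sub -out "$CADIR/sub.csr"
    openssl ca -config "$CADIR/ca.cnf" -batch -notext -extensions v3_sub \
        -in "$CADIR/sub.csr" -out "$CADIR/sub.pem" 2>/dev/null
}

# crl_issue: sign a fresh CRL with the root key, reflecting index.txt
crl_issue() {
    openssl ca -config "$CADIR/ca.cnf" -gencrl -out "$CADIR/crl.pem" 2>/dev/null
}

# verify_sub: exit 0 iff sub.pem chains to root.pem AND is absent from the
# root-signed CRL. The CRL itself is only accepted because it verifies under
# root.pem, the same trust anchor used for sub.pem.
verify_sub() {
    openssl verify -CAfile "$CADIR/root.pem" -CRLfile "$CADIR/crl.pem" \
        -crl_check "$CADIR/sub.pem" >/dev/null 2>&1
}

# revoke_sub: mark the subordinate CA revoked with reason CACompromise
revoke_sub() {
    openssl ca -config "$CADIR/ca.cnf" -revoke "$CADIR/sub.pem" \
        -crl_reason CACompromise 2>/dev/null
}

# crl_reason_listed: exit 0 if the current CRL carries a CA Compromise entry
crl_reason_listed() {
    openssl crl -in "$CADIR/crl.pem" -noout -text | grep -q 'CA Compromise'
}

ca_setup
crl_issue
verify_sub && echo "before revocation: sub CA verifies under root"
revoke_sub
crl_issue
verify_sub || echo "after revocation: sub CA rejected (certificate revoked)"
```

The verifier never consults the CRL on its own authority: remove `-CAfile root.pem` and both the subordinate and the CRL become unverifiable together, which is the dependency the RFC sentence describes. Inspect the issued CRL with `openssl crl -in "$CADIR/crl.pem" -noout -text` to see the serial of sub.pem, its CRL Reason Code and the crlNumber the config maintains.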