support for CAdES
Hello,

I am trying to understand if CAdES is supported in OpenSSL 1.0.1e. I don't find any trace of it, neither positively nor negatively. Maybe I misunderstood the relationship between CAdES and CMS...

Can anyone help me please to understand if CAdES is going to be added to openssl, or if I am totally wrong?

Thank you
Ottavio

--
There is no more strength in normality, there is only monotony
Which version of net-snmp is compatible with openssl-1.0.1e
Hello,

I have compiled net-snmp-5.5.2 with openssl-1.0.1e, and find that it cannot succeed on Windows OS. At last I realized that net-snmp-5.5.2 is not compatible with openssl-1.0.1e. So I want to know which version of net-snmp is right for an openssl-1.0.1e environment.

I hope for your quick answer, thank you very much!

Best Regards
Bidirectional socket communication and SSL_renegotiate.
Hi,

The client and server that I have in my project run in a simple 1 socket, blocking mode environment. The model is that of a typical producer-consumer one. The client produces data, sends it to the server. The server consumes it. Once in a while, the server sends a control message to the client that the client periodically receives.

Below is a simplified version of the client and server after enabling them for SSL/TLS communication.

     1  Client:
     2  ---
     3  while (true)
     4  {
     5      if (poll(pollin, timeout=0) || 0 < SSL_pending(ssl))
     6      {
     7          SSL_read();
     8          // Handle WANT_READ or WANT_WRITE appropriately.
     9          // If no error, handle the received control message.
    10      }
    11      // produce data.
    12      while (!poll(pollout))
    13          ; // Wait until the TCP/IP pipe is ready for a send().
    14      SSL_write();
    15      // Handle WANT_READ or WANT_WRITE appropriately.
    16      if (time to renegotiate)
    17          SSL_renegotiate(ssl);
    18  }
    19
    20  Server:
    21  ---
    22  while (true)
    23  {
    24      if (poll(pollin, timeout=1s) || 0 < SSL_pending(ssl))
    25      {
    26          SSL_read();
    27          // Handle WANT_READ or WANT_WRITE appropriately.
    28          // If no error, consume data.
    29      }
    30      if (control message needs to be sent)
    31      {
    32          while (!poll(pollout))
    33              ; // Wait until the TCP/IP pipe is ready for a send().
    34          SSL_write();
    35          // Handle WANT_READ or WANT_WRITE appropriately.
    36      }
    37  }

The trouble happens when I force, for testing purposes, SSL/TLS renegotiation by calling SSL_renegotiate() once in a while on the client (lines 16-17). I don't do any follow-up SSL_do_handshake as I assume the subsequent SSL_write/SSL_read will take care of it automatically.

The session starts off nice and easy. A few messages are transmitted and in fact, a few forced SSL/TLS renegotiations happen successfully as well. But, sometime later, I get an SSL_ERROR_SSL from SSL_write on the client and SSL_ERROR_SSL from SSL_read on the server.

Below are the error details:

Client:
---
error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record

Server:
---
error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message

What am I doing wrong? Is there anything that needs to be taken care of when handling SSL/TLS renegotiations in cases where bidirectional socket communication is used?

Any help is appreciated.

Thanks,
Karthik.
Re: [openssl-users] Re: adding certificate policies extension in CSR
On 09.09.2013 12:13, phildoch wrote:
> Ok. So meanwhile, unless it will be proven that it is illegal,

Looking at the IETF RFCs, none that I found explicitly or implicitly indicated a meaningful use of the certificate policies entry in a CSR.

On the other hand the semantics of this entry means that it can be used to check whether the certificate issuer has a policy that allows the relying party to trust it, and thus accept the data signed using the private key associated with the certificate's public key component. The certificate is a kind of ID document for the data sent and its relation to its originator.

In this sense putting a certificate policy in a CSR is like requesting the issuance of a passport based on the requester's wishes, not the policy of the public authority issuing the document.

Allowing a certificate policy entry in the CSR without considering it for the issuance of a certificate would be consistent with the semantics of the certification policies, but pure nonsense.

> let's say that
> for any reason the Certificate requester wants to add a "certificate
> policies" extension in the CSR.
> Is this syntax correct?
> add_ext(exts, NID_certificate_policies, "1.3.6.1");
> (based on function mkreq() in file
> openssl/demos/x509/openssl/demos/x509/mkreq.c)
>
> Thanks

--
Willy Weisz
Computational Science Center
University of Vienna
Oskar Morgenstern-Platz 1
A-1090 Wien
Tel: (+43 1) 4277 - 23724
Fax: (+43 1) 4277 - 823724
Mobile: +43 699 10109546
e-mail: willy.we...@univie.ac.at

OpenSSL Project                          http://www.openssl.org
User Support Mailing List                openssl-users@openssl.org
Automated List Manager                   majord...@openssl.org
Re: [openssl-users] Re: adding certificate policies extension in CSR
Ok. So meanwhile, unless it will be proven that it is illegal, let's say that for any reason the Certificate requester wants to add a "certificate policies" extension in the CSR.

Is this syntax correct?

    add_ext(exts, NID_certificate_policies, "1.3.6.1");

(based on function mkreq() in file openssl/demos/x509/openssl/demos/x509/mkreq.c)

Thanks

--
View this message in context: http://openssl.6102.n7.nabble.com/adding-certificate-policies-extension-in-CSR-tp46467p46471.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
Re: [openssl-users] Re: adding certificate policies extension in CSR
The requestor is allowed to ask for any extension it wants. The CA will do its job, ignore those requested extensions, and place the good ones in the certificate. It can also change the subject name contained in the certificate.

--
Erwann ABALEA

On 09/09/2013 11:21, phildoch wrote:
> Oh I see.
> Can you point to a documentation where it is defined which extensions a
> certificate requestor is allowed to add and which should be added by the CA
> only?
>
> Thanks.
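The behaviour described in the reply above can be observed with the openssl command line. This is an added example, not part of the thread: the subject name and file names are constructed, and a self-signed "openssl x509 -req" run stands in for the CA, which by default copies no extensions from the request.

```shell
#!/bin/sh
# Added example: request certificatePolicies in a CSR, issue a certificate
# from it without copying extensions, and report where the extension appears.
# Subject name and file names are constructed for this demo.

csr_policy_demo() {
    dir=$(mktemp -d) || return 1

    # Constructed request config: the requester asks for the policy OID
    # used in the thread (1.3.6.1).
    cat > "$dir/req.cnf" <<'EOF'
[req]
prompt             = no
distinguished_name = dn
req_extensions     = ext
[dn]
CN = csr-policy-demo
[ext]
certificatePolicies = 1.3.6.1
EOF

    # Requester side: new key and a CSR carrying the requested extension.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$dir/req.csr" 2>/dev/null || return 1

    # Issuer side (self-signed stand-in for a CA): x509 -req does not copy
    # CSR extensions into the certificate unless explicitly told to.
    openssl x509 -req -in "$dir/req.csr" -signkey "$dir/key.pem" -days 1 \
        -out "$dir/cert.pem" 2>/dev/null || return 1

    # Count occurrences of the extension header in each artifact.
    in_csr=$(openssl req -in "$dir/req.csr" -noout -text |
        grep -c 'X509v3 Certificate Policies' || true)
    in_cert=$(openssl x509 -in "$dir/cert.pem" -noout -text |
        grep -c 'X509v3 Certificate Policies' || true)

    rm -rf "$dir"
    echo "csr=$in_csr cert=$in_cert"
}

csr_policy_demo
```

The requested policy shows up under "Requested Extensions" in the CSR and is absent from the issued certificate, so a relying party should only ever evaluate the policies the issuer itself placed there.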
Re: adding certificate policies extension in CSR
Oh I see.
Can you point to a documentation where it is defined which extensions a certificate requestor is allowed to add and which should be added by the CA only?

Thanks.

--
View this message in context: http://openssl.6102.n7.nabble.com/adding-certificate-policies-extension-in-CSR-tp46467p46469.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
Re: adding certificate policies extension in CSR
Hi,

On 09.09.2013 10:37, phildoch wrote:
> Hello,
>
> I am trying to add a "certificate policies" extension in CSR. For this I am
> using the openssl sample function mkreq() in file
> openssl/demos/x509/openssl/demos/x509/mkreq.c

What do you want it for? What does it mean that the certificate requestor defines the certificate policies? Only the CA may state which certification policies it is following.

Regards
Willy

> This is the line of code I added:
> add_ext(exts, NID_certificate_policies, "1.3.6.1");
>
> Unfortunately it causes a segmentation fault.
> Is the syntax correct? Any clue what is wrong?
>
> Thanks.

--
Willy Weisz
Computational Science Center
University of Vienna
Oskar Morgenstern-Platz 1
A-1090 Wien
Tel: (+43 1) 4277 - 23724
Fax: (+43 1) 4277 - 823724
Mobile: +43 699 10109546
e-mail: willy.we...@univie.ac.at
adding certificate policies extension in CSR
Hello,

I am trying to add a "certificate policies" extension in CSR. For this I am using the openssl sample function mkreq() in file openssl/demos/x509/openssl/demos/x509/mkreq.c

This is the line of code I added:

    add_ext(exts, NID_certificate_policies, "1.3.6.1");

Unfortunately it causes a segmentation fault.
Is the syntax correct? Any clue what is wrong?

Thanks.

--
View this message in context: http://openssl.6102.n7.nabble.com/adding-certificate-policies-extension-in-CSR-tp46467.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.