I was thinking about manual verification of certificates on the command
line. From what you wrote now, it seems that you are using some calls to
the openssl library in a client-server application, maybe via other
tools/webserver or so, and I understand that the server certificate was
issued by a
thanks martin. i made the changes and now im getting
Verify return code: 19 (self signed certificate in certificate chain)
is this ok, or i need code 0
On Thu, Jan 9, 2014 at 1:33 PM, Martin Hecht he...@hlrs.de wrote:
I was thinking about manual verification of certificates on the command
X509_V_OK would be code 0
19 means that the CA certificate could be found, the chain could be
built and verified completely up to the CA certificate but the latter is
not trusted. (see http://www.openssl.org/docs/apps/verify.html)
ah, for some things to work correctly, the file name must be the
On Thu, Jan 09, 2014, Abdul Anshad wrote:
Hello All,
I have a set up in which i have installed OpenSSL-1.0.0l and httpd-2.4.7.
httpd-2.4.7 was compiled against OpenSSL-1.0.1e.
Now, when i try to start httpd-2.4.7 with mod_ssl enabled ( OpenSSL
installed version is 1.0.0l ) it throws
On Thu, Jan 09, 2014, Bin Lu wrote:
Hi,
I have a piece of code doing CRL revocation check which worked fine with
0.9.8 but now failing in 1.0.1.
The code does something like:
X509_STORE_add_crl(store,crl);
X509_STORE_CTX_init(ctx, store, cert, NULL);
could you please explain the last reason.
On Thu, Jan 9, 2014 at 3:38 PM, Martin Hecht he...@hlrs.de wrote:
X509_V_OK would be code 0
19 means that the CA certificate could be found, the chain could be
built and verified completely up to the CA certificate but the latter is
not trusted.
There is a asm and a C implementation of sha1_block_data_order, in
sha256-x86_64.s and in sha1dgst.c When I do,
$ gdb openssl
(gdb) r dgst -sha1 data.txt
I see that the asm implementation is taken. What do I have to do so the C
implementation is taken?
Thanks,
Eric J.
On Thu, Jan 09, 2014, Eric J. Van der Velden wrote:
There is a asm and a C implementation of sha1_block_data_order, in
sha256-x86_64.s and in sha1dgst.c When I do,
$ gdb openssl
(gdb) r dgst -sha1 data.txt
I see that the asm implementation is taken. What do I have to do so the C
I don't know what exactly you are doing, so it is difficult to speculate
why you are receiving code 19.
Some information is exchanged during establishment of the ssl
connection. For example if you have a web server and a browser, the web
server shows the host certificate to the browser and the
Here is the problem, in cert_crl():
/* The rules changed for this... previously if a CRL contained
* unhandled critical extensions it could still be used to indicate
* a certificate was revoked. This has since been changed since
* critical extension can change
On 1/9/2014 6:46 AM, Dongsheng Song wrote:
[1] GetVersionEx may be altered or unavailable for releases after
Windows 8.1. Instead, use the Version Helper APIs.
[1]
http://msdn.microsoft.com/en-us/library/windows/desktop/ms724451%28v=vs.85%29.aspx
Scandalous! According to that page,
I'd recommend using VerifyVersionInfo:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms725492(v=vs.85).aspx.
It's supported from Win2k onward and isn't deprecated as of Win 8.1. I don't
remember for sure if it's present in Windows CE and unfortunately I don't have
my CE documentation
On Thu, Jan 09, 2014, Bin Lu wrote:
Here is the problem, in cert_crl():
/* The rules changed for this... previously if a CRL contained
* unhandled critical extensions it could still be used to indicate
* a certificate was revoked. This has since been changed since
On 1/9/2014 8:14 PM, Dr. Stephen Henson wrote:
On Thu, Jan 09, 2014, Bin Lu wrote:
Here is the problem, in cert_crl():
/* The rules changed for this... previously if a CRL contained
* unhandled critical extensions it could still be used to indicate
* a
On 09.01.2014 19:48, Watson, Patrick wrote:
I'd recommend using VerifyVersionInfo:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms725492(v=vs.85).aspx.
It's supported from Win2k onward and isn't deprecated as of Win 8.1. I don't
remember for sure if it's present in Windows CE and
#
read from 0x1fee3f0 [0x1e6ea5b] (5 bytes = 5 (0x5))
- 16 03 00 00 51Q
read from 0x1fee3f0 [0x1e6ea60] (81 bytes = 81 (0x51))
- 02 00 00 4d 03 00 52 cf-5a 99 be 19 c0 7e 80 55 ...M..R.Z~.U
0010 - d6 4c 2d af 05 41 f8 19-79 24 a3 66 ba 82
From: owner-openssl-users On Behalf Of Martin Hecht
Sent: Thursday, January 09, 2014 11:54
Generally good explanation, but a few quibbles:
I don't know what exactly you are doing, so it is difficult to speculate
why you are receiving code 19.
Some information is exchanged during
(Due to Outlook upgrade, I can no longer reply inline to richtext. Sorry.)
Is it possible your failing client openssl was built with -no-tlsext ?
Both ServerHello replies do contain the RI extension (because the
cipherlist contained SCSV_ERI); if the code to parse extensions
isn't
I use these macro to disable TLSEXT,
CPPOPTS +=-DOPENSSL_NO_TLSEXT -DOPENSSL_NO_HEARTBEATS -DOPENSSL_NO_SRTP
-DOPENSSL_NO_DTLS1
whether there is other macro is required to set, so openSSL 1.0.1 won't
tell server TLS features
Lee
On Fri, Jan 10, 2014 at 12:30 PM, Dave Thompson
I am also disable the TLSEXT in the openSSL 0.9.8. It is a strange, why
server gave different response.
It is true that server give different response. (openSSL request is also
different.)
Lee
On Fri, Jan 10, 2014 at 12:44 PM, yueyue papa yueyuep...@gmail.com wrote:
You are complete
I found this post:
https://groups.google.com/forum/#!topic/mailing.openssl.dev/ZLQcp87Zx8A
This is the right solution
Lee
On Fri, Jan 10, 2014 at 1:04 PM, yueyue papa yueyuep...@gmail.com wrote:
I use these macro to disable TLSEXT,
CPPOPTS +=-DOPENSSL_NO_TLSEXT -DOPENSSL_NO_HEARTBEATS
You are complete right. I disabled TLSEXT, because of the code size.
Up to now, the result is very clear now.
Lee
On Fri, Jan 10, 2014 at 12:30 PM, Dave Thompson dthomp...@prinpay.comwrote:
(Due to Outlook upgrade, I can no longer reply inline to richtext. Sorry.)
Is it possible your
thanks dave and martin. with all that information i think i should start
the process again. Do you have some materials that have step by step
process of configuring two way connections
On Fri, Jan 10, 2014 at 7:30 AM, Dave Thompson dthomp...@prinpay.comwrote:
From: owner-openssl-users On
23 matches
Mail list logo