Re: [openssl-users] Intermediate certificates

2015-01-27 Thread Dave Thompson
> From: openssl-users On Behalf Of Kurt Roeckx > Sent: Tuesday, January 27, 2015 17:14 > On Tue, Jan 27, 2015 at 11:42:51PM +0300, Serj wrote: > What browsers do is cache the intermediate certificates. That's one possibility. Another is that it uses AuthorityInfoAccess to fetch the cert autom

Re: [openssl-users] Intermediate certificates

2015-01-27 Thread Salz, Rich
> Browsers have too many work arounds for broken sites which results in > those sites not actually getting fixed. Because if the site doesn't work, the user will blame the browser and switch. :( ___ openssl-users mailing list To unsubscribe: https://mta.

Re: [openssl-users] Intermediate certificates

2015-01-27 Thread Kurt Roeckx
On Tue, Jan 27, 2015 at 11:42:51PM +0300, Serj wrote: > > > It is unfortunate that browsers "lend a helping hand" to such sites. > So, you want to say that browsers trust connections that don't provide > intermediate certs during SSL handshake? > As I know most browsers have also intermediate cert

Re: [openssl-users] Hostname validation

2015-01-27 Thread Serj
28.01.2015, 00:04, "Dr. Stephen Henson" : > It's this: > >    param = SSL_get0_param(ssl); > > Because SSL_get0_param retrieves the internal pointer to parameters used by > ssl: so if you modify those parameters the modified versions will be used by > ssl. Thanks, Stephen. Now it's clear. -

Re: [openssl-users] Intermediate certificates

2015-01-27 Thread Serj
27.01.2015, 23:15, "Viktor Dukhovni" : > Indeed some websites are misconfigured. > But www.verisign.com is not among them: > This is not needed for properly configured servers, such as > www.verisign.com. Ok. It seems I don't set the last root for www.verisign.com in my trusted root certs and

Re: [openssl-users] Hostname validation

2015-01-27 Thread Serj
Hi, Viktor. 27.01.2015, 23:07, "Viktor Dukhovni" : > It is complete enough.  The word "mumble" is not meant to be taken Your full code from the wiki is: const char *servername; SSL *ssl; X509_VERIFY_PARAM *param; servername = "www.example.com"; ssl = SSL_new(.

Re: [openssl-users] Hostname validation

2015-01-27 Thread Dr. Stephen Henson
On Tue, Jan 27, 2015, Serj wrote: > Hi, Viktor. > > 27.01.2015, 23:07, "Viktor Dukhovni" : > > It is complete enough.  The word "mumble" is not meant to be taken > > Your full code from the wiki is: > > const char *servername; > SSL *ssl; > X509_VERIFY_PARAM *param; > > se

[openssl-users] Intermediate certificates

2015-01-27 Thread Serj
Hello. Some websites don't send all intermediate certs during the "SSL Handshake". For example, www.verisign.com sends only the server's cert but doesn't send the next intermediate cert: s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign C

Re: [openssl-users] Hostname validation

2015-01-27 Thread Serj
Hi, Viktor. 27.01.2015, 20:23, "Viktor Dukhovni" : > The way I would set SSL verification parameters is to obtain the parameter > handle via SSL_get0_param() or where appropriate SSL_CTX_get0_param(), > and use the various X509_VERIFY_PARAM_mumble() functions to tweak > the parameter object in place. Why

Re: [openssl-users] Intermediate certificates

2015-01-27 Thread Viktor Dukhovni
On Tue, Jan 27, 2015 at 10:21:01PM +0300, Serj wrote: > Some web-sites don't send all intermediate certs during "SSL Handshake". Indeed some websites are misconfigured. > For example, www.verisign.com sends only server's cert but doesn't send next > intermediate cert: But www.verisign.com is n
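The failure this thread is about, reproduced offline with the openssl CLI. This is an added example, not code from any of the posts above: it builds a throwaway root, intermediate and leaf (the names demo-root, demo-intermediate and www.example.test are made up for the demo), then verifies the leaf the way a client would when the server omits its intermediate versus when the intermediate is available as an untrusted chain cert. The -verify_hostname flag exercises the same X509_VERIFY_PARAM_set1_host check that the "Hostname validation" thread on this page discusses.

```shell
#!/bin/sh
# Added example (not from the openssl-users posts): reproduce the
# "server omits its intermediate" failure with the openssl CLI.
# All names (demo-root, demo-intermediate, www.example.test) are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the result does not depend on the system openssl.cnf.
cat >"$WORK/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# issue CN EXT_SECTION SERIAL ISSUER_BASENAME OUT_BASENAME
# Generates a fresh RSA key and CSR for OUT, then signs it with ISSUER's key.
issue() {
  cn=$1 ext=$2 serial=$3 issuer=$4 out=$5
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -config "$WORK/demo.cnf" -keyout "$WORK/$out.key" -out "$WORK/$out.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$out.csr" -sha256 -days 2 -set_serial "$serial" \
    -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" \
    -extfile "$WORK/demo.cnf" -extensions "$ext" -out "$WORK/$out.pem" 2>/dev/null
}

# Self-signed root (the only thing the client trusts), then the chain below it.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=demo-root" \
  -config "$WORK/demo.cnf" -extensions ca_ext \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
issue demo-intermediate ca_ext  2 root         intermediate
issue www.example.test  leaf_ext 3 intermediate leaf

# verify_leaf MODE HOST
#   MODE "bare":  client sees only the leaf (a server that omits its intermediate)
#   MODE "chain": client also gets the intermediate, passed as an untrusted chain cert
#   HOST: name to match against the leaf's SAN, or "" to skip the hostname check
# Prints a one-line result and returns openssl verify's success or failure.
verify_leaf() {
  mode=$1 host=$2
  set -- -CAfile "$WORK/root.pem"
  if [ "$mode" = chain ]; then set -- "$@" -untrusted "$WORK/intermediate.pem"; fi
  if [ -n "$host" ]; then set -- "$@" -verify_hostname "$host"; fi
  if openssl verify "$@" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo "$mode host=${host:-none}: OK"
  else
    echo "$mode host=${host:-none}: FAIL (chain not built or hostname mismatch)"
    return 1
  fi
}

# Demo run; the first and last cases are expected to fail.
verify_leaf bare  ""                 || :
verify_leaf chain ""
verify_leaf chain www.example.test
verify_leaf chain other.example.test || :
```

The "bare" case is exactly what a client with only roots in its trust store sees when a server sends its leaf alone: OpenSSL stops with "unable to get local issuer certificate". Browsers paper over this with cached intermediates or AIA fetching, as the replies above note; openssl verify and most non-browser clients do not.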

Re: [openssl-users] Hostname validation

2015-01-27 Thread Viktor Dukhovni
On Tue, Jan 27, 2015 at 10:09:38PM +0300, Serj wrote: > 27.01.2015, 20:23, "Viktor Dukhovni" : > > The way I would set SSL verification parameters is to obtain the parameter > > handle via SSL_get0_param() or where appropriate SSL_CTX_get0_param(), > > and use the various X509_VERIFY_PARAM_mumble() functi

[openssl-users] TLSEXT_TYPE_opaque_prf_input

2015-01-27 Thread Salz, Rich
This is an implementation of an IETF draft that expired seven years ago. Is anyone using it? -- Principal Security Engineer, Akamai Technologies IM: rs...@jabber.me Twitter: RichSalz

Re: [openssl-users] Using FIPS mode and modifying apps

2015-01-27 Thread Steve Marquess
On 01/27/2015 11:09 AM, jonetsu wrote: > "Steve Marquess" wrote on 01/27/15 09:18: Thank you (and Tom) for your comments - much appreciated. > >> Tom Francis nailed the answer to this one. We did design the FIPS >> module + "FIPS capable" OpenSSL combination to make it possible to >> have a syst

Re: [openssl-users] Hostname validation

2015-01-27 Thread Viktor Dukhovni
On Tue, Jan 27, 2015 at 04:18:49PM +0300, Serj wrote: > I didn't find docs on such functions as SSL_get0_param As I mentioned, this function should be documented, but is not yet. > Why are there no corresponding functions such as SSL_set0_param in your code? > Where can I find documentation on functi

Re: [openssl-users] Using FIPS mode and modifying apps

2015-01-27 Thread jonetsu
"Steve Marquess" wrote on 01/27/15 09:18: Thank you (and Tom) for your comments - much appreciated. > Tom Francis nailed the answer to this one. We did design the FIPS module > + "FIPS capable" OpenSSL combination to make it possible to have a > system wide "FIPS mode" capability, but that presume

Re: [openssl-users] Hostname validation

2015-01-27 Thread Serj
Hi, Viktor. I have some questions. I didn't find docs on such functions as SSL_get0_param. Why are there no corresponding functions such as SSL_set0_param in your code? Where can I find documentation on functions operating with params? I found only this code: X509_VERIFY_PARAM *param; param = X509_

Re: [openssl-users] Using FIPS mode and modifying apps

2015-01-27 Thread Steve Marquess
On 01/26/2015 06:21 PM, jone...@teksavvy.com wrote: > On Fri, 16 Jan 2015 10:16:48 -0500 > Steve Marquess wrote: > >> On 01/15/2015 05:52 AM, Marcus Meissner wrote: > >>> On Linux usually triggered by /proc/sys/crypto/fips_enabled >>> containing "1" or the environment variable >>> OPENSSL_FORCE_