On 31.03.2021 19:48, Viktor Dukhovni wrote:
On Mar 31, 2021, at 1:43 PM, Michael Wojcik
wrote:
As far as I can see, neither PKIX (RFC 5280) nor the CA/BF Baseline Requirements say
anything about the practice, though I may have missed something. I had a vague memory
that some standard or
Hey,
Try calculating the private Key from the public key ;-)
but this can last a little time you don't have;
Walter
On Thu, September 12, 2019 09:50, Bharathi Prasad wrote:
> Hi,
> I have the public key of the client but not the private key.
> ...
>
> Regards,
> Bharathi
and which CA does this as the forum guidelines say?
On 23.12.2018 22:50, Felipe Gasper wrote:
Actually, per the latest CA/Browser forum guidelines, subject.CN is not only
optional but “discouraged”.
-FG
smime.p7s
Description: S/MIME Cryptographic Signature
--
openssl-users mailing list
Gasper wrote:
Wow that’s pretty bad .. is that the current version of httpd??
That’d be worth a big report if so, IMO, though I’d imagine it’s an issue
they’re aware of.
-FG
On Dec 23, 2018, at 6:53 AM, Walter H. wrote:
I tried the following
the certificate had a CN of test.example.com
, Dec 23, 2018 at 3:25 AM Walter H. wrote:
On 23.12.2018 03:47, Salz, Rich via openssl-users wrote:
> >. New certificates should only use the subjectAltName extension.
Are any CAs actually doing that? I thought they all still included
subject.CN.
Yes, I think commercial CA's
On 23.12.2018 03:47, Salz, Rich via openssl-users wrote:
> >. New certificates should only use the subjectAltName extension.
Are any CAs actually doing that? I thought they all still included
subject.CN.
Yes, I think commercial CA's still do it. But that doesn't make my statement
Hello,
I found several different certificates on the net
some are like this:
CN=example.com
SANs are DNS:example.com, DNS:www.example.com
and some are like this:
CN=www.example.com
SANs are DNS:example.com, DNS:www.example.com
does this matter or is one of them the preferred one?
Hello,
it is a little bit weird/strange/complicated;
On 02.11.2018 23:05, Matt Caswell wrote:
On 02/11/2018 21:51, Walter H. wrote:
Hello,
when I try to connect to https://www.3bg.at/
I get the following error
Handshake with SSL server failed: error:1408E0F4:SSL
Hello,
when I try to connect to https://www.3bg.at/
I get the following error
Handshake with SSL server failed: error:1408E0F4:SSL
routines:SSL3_GET_MESSAGE:unexpected message
but
https://www.ssllabs.com/ssltest/analyze.html?d=www.3bg.at
says it's ok ...
is the problem on my side or on their
Hello,
which of these possibilities is the correct one?
(a) CN=*.example.com
and subjectAltName = DNS:*.example.com, DNS:example.com
(b) CN=example.com
and subjectAltName = DNS:example.com, DNS:*.example.com
(c) CN=example.com
and subjectAltName = DNS:*.example.com,
On 30.05.2018 08:45, Mark Shnaider via openssl-users wrote:
Hello,
I use OpenSSL version openssl-1.1.0h (Windows) and
I run following command from apps directory
openssl s_server -accept 443 -www
The server in this case uses certificate "server.pem"
On client computer I run command
On 20.09.2017 18:33, Jordan Brown wrote:
Q: Does OpenSSL's trust-list verification support trusting multiple
certificates with the same subject name and overlapping validity periods?
do these replacement certificates have the same serial number and the
same private key?
On Tue, February 21, 2017 12:16, Jakob Curdes wrote:
> Hi, I am new to the list and have a question where it seems I cannot find
> the answer in archives here or in other sources.
>
> We want to verify the certificate chain of an "official" certificate, but
> including the revocation status of the
Hello,
openssl s_client -connect mailhost:25 -starttls smtp
displays this:
CONNECTED(0003)
depth=0 OU = Domain Control Validated, CN = ...
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, CN = ...
verify
On 18.12.2016 17:21, sahorwitz wrote:
I am obviously a newbie and missing something. How then do I encrypt the file
on one machine (little endian), transmit it to another machine (big endian)
and decrypt it there?
similar to this:
encrypt
openssl enc -e -in file -out encryptfile -aes-256-gcm
Hello,
what is correct:
this:
subjectAltName = DNS:www.example.com, IP:127.0.0.1, IP:[2001:db8:123::1]
or this:
subjectAltName = DNS:www.example.com, IP:127.0.0.1, IP:2001:db8:123::1
or the question in other words: do I have to put an IPv6 address of the
subjectAltName in []-brackets?
On 26.05.2016 18:33, R-D intern wrote:
Hello,
I have implemented ssl for my internal server that listens over a
private ip. Can anyone suggest how can I test my ssl_server? For eg. Qualys
test shows the amount of ssl implementation of a server listening over
public ip and even checks
On 18.05.2016 21:10, Viktor Dukhovni wrote:
On May 18, 2016, at 1:26 PM, Walter H.<walte...@mathemainzel.info> wrote:
openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.trust.crt -trusted_first
-untrusted /tmp/chain.pem /tmp/cert.pem
/tmp/chain.pem contains a root certificate
/tmp/ce
Hello,
when
running this:
openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.trust.crt
-trusted_first -untrusted /tmp/chain.pem /tmp/cert.pem
/tmp/chain.pem contains a root certificate
/tmp/cert.pem contains a certificate that was signed by this root
certificate;
I get the following
On 13.12.2015 11:34, Ben Humpert wrote:
2015-12-13 3:53 GMT+01:00 Viktor Dukhovni:
In other words, you can concatenate all the trusted root CA
certs into the "cert.pem" file in that directory, but this
has a performance cost, as all the certificates are loaded
into
Hi Dan,
On 10.12.2015 16:27, daniel bryan wrote:
*TEST #2: *Next test was using OCSP:
[dan@canttouchthis PKI]$ openssl ocsp -CAfile CAS/cabundle.pem -VAfile
VAS/def_ocsp.pem -issuer CAS/IC\ ABC\ CA3\ DEV.cer -cert
CERTS/0x500c8bd-revoked.pem -url http://ocspresponder:8080
/Response verify
Hello,
my website has an official SSL certificate, which I renewed this year to
have a SHA-256 certificate;
when I test my site with SSLLabs.com, I'm shown two certificate paths:
the first one:
my SSL cert (SHA-256) sent by server (SHA1 Fingerprint:
0fae9fd23852fb834fe4f32d7d3c73714daa6aa9)
On 05.12.2015 20:20, Viktor Dukhovni wrote:
On Sat, Dec 05, 2015 at 07:55:50PM +0100, Walter H. wrote:
my website has an official SSL certificate, which I renewed this year to
have a SHA-256 certificate;
when I test my site with SSLLabs.com, I'm shown two certificate paths:
the first one:
my
On 04.11.2015 16:13, Ben Humpert wrote:
Oh crappy Gmail stop creating broken links ...
openssl.cnf is at
https://drive.google.com/file/d/0B8gf20AKtya0VEhGYm82YUhraDQ/view?usp=sharing
reqs/client_sample.cnf is at
https://drive.google.com/file/d/0B8gf20AKtya0QWNIbjY0WUtLVEk/view?usp=sharing
On 03.11.2015 14:46, John Lewis wrote:
I created a local certification authority using this tutorial
https://www.debian-administration.org/article/284/Creating_and_Using_a_self_signed__SSL_Certificates_in_debian
and made a certification request using this tutorial and I use this
tutorial to
On 03.11.2015 18:45, John Lewis wrote:
On 11/03/2015 12:04 PM, Walter H. wrote:
On 03.11.2015 14:46, John Lewis wrote:
I created a local certification authority using this tutorial
https://www.debian-administration.org/article/284/Creating_and_Using_a_self_signed__SSL_Certificates_in_debian
On 31.10.2015 23:23, Michael Ströder wrote:
Walter H. wrote:
give me a hint for finding S/MIME certificates, finding my own would be nice;
You claim that clear-text OCSP requests are not a privacy issue.
yes ..., a security problem I mentioned in connection with stupid CAs
some posts before
On 01.11.2015 10:25, Matt Caswell wrote:
CT is the answer to a big problem. I fail to see that CAs deploying CT
is a problem. I also don't see why only a CA can do this. There might be
some adversaries that are perfectly capable of building large databases
of certificates that they have
On 30.10.2015 21:42, Michael Ströder wrote:
Walter H. wrote:
On Thu, October 29, 2015 11:07, Jakob Bohm wrote:
She (Eve) would know that the requesting party Alice
was talking to Bob at the very moment she sent Trent
the OCSP *request* for Bob's certificate.
[...] equivalent of having (almost
Hello Jakob,
On Thu, October 29, 2015 11:07, Jakob Bohm wrote:
> On 28/10/2015 21:58, Walter H. wrote:
>> On 28.10.2015 18:34, Jakob Bohm wrote:
>>> On 28/10/2015 17:36, Walter H. wrote:
>>>>>> OCSP must not be https ...
>>>>>> the same with
On 28.10.2015 17:27, Steve Marquess wrote:
There are environments where https must be used for OCSP, due to policy
fiat and/or firewall restrictions.
-Steve M.
OCSP works through proxies; there is no reason for having such strange
setups ...
Walter
On 28.10.2015 16:44, Jakob Bohm wrote:
On 27/10/2015 21:21, Walter H. wrote:
On 26.10.2015 21:42, rosect...@yahoo.com wrote:
Hi, I need some help on this call.
I am building an OCSP client following guide in openssl and compile
the code in Cygwin environment. My openssl version is 1.0.1h
On 26.10.2015 21:42, rosect...@yahoo.com wrote:
Hi, I need some help on this call.
I am building an OCSP client following guide in openssl and compile
the code in Cygwin environment. My openssl version is 1.0.1h.
With HTTP based OCSP, the code works fine. But, with HTTPs, the code
gets
Hello,
openssl verify -CAfile root.pem -untrusted issuer.pem srvr.pem
gives this output
srvr.pem: OK
but
openssl verify -CAfile root.pem -crl_check -untrusted issuer.pem srvr.pem
gives this:
srvr.pem: C = US, OU = Domain Control Validated, CN = revoked.grc.com
error 3 at 0 depth lookup:unable
On 5.10.2015 17:11, Dr. Stephen Henson wrote:
On Mon, Oct 05, 2015, Walter H. wrote:
Hello,
attached is the certificate and its chain of https://revoked.grc.com/
doing this:
openssl ocsp -no_nonce -issuer chain.pem -cert cert.pem -text -url
http://ocsp2.globalsign.com/gsdomainvalg2
gives
Hello,
attached is the certificate and its chain of https://revoked.grc.com/
doing this:
openssl ocsp -no_nonce -issuer chain.pem -cert cert.pem -text -url
http://ocsp2.globalsign.com/gsdomainvalg2
gives the following:
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
On 05.07.2015 14:19, David Thompson wrote:
Quoting the man page for req(1) -- although depending on the packaging
which I don't know for CentOS it may be a different section like 1s or 1ssl --
and also on the web https://www.openssl.org/docs/apps/req.html
-x509
this option outputs a self
Hello,
I'm using openssl command-line in a Linux-Box (CentOS 6.x with squid)
like this:
I haven't defined anything - everything is set default from the linux
distribution
openssl req -new -newkey rsa:2048 -subj '/CN=Squid SSL-Bump
CA/C=/O=/OU=/' -sha256 -days 365 -nodes -x509 -keyout
On 29.06.2015 10:48, Jakob Bohm wrote:
On 26/06/2015 21:41, Walter H. wrote:
Hello,
has anybody got a reliable source or knowledge about which
mail clients - especially which Thunderbird release - should be
capable of verifying such mails correctly?
I believe GlobalSign has a knowledge
Hello,
has anybody got a reliable source or knowledge about which
mail clients - especially which Thunderbird release - should be capable
of verifying such mails correctly?
this
openssl smime -verify -CAfile trusted.crt -in mail.eml
successfully verifies such an e-Mail;
Thanks,
Walter
--
Hello
On 22.05.2015 08:30, Jeffrey Walton wrote:
Or are you talking about server certificates with fixed DH parameters?
can you please tell me more about this?
how do I have to create the certificate request?
(using debian 7 latest updates installed: 'apt-get update apt-get
upgrade' has
Hi,
before calling this function,
remove any whitespace;
Walter
On 18.03.2015 16:08, Prashant Bapat wrote:
printf("Base64 decoded string is : %s\n", b64_decode(str, strlen(str))); //
This should print binary for a ssh key.
not really, because the return of b64_decode is not a C string; and the
format specifier %s expects a C string;
the mentioned error above, when
activating this mentioned policy?
the question to squid specialists: was it a good idea signing the
SSL-bump CA certificate with the root certificate of my CA?
Thanks
--
Best regards,
Walter H.
On 03.01.2015 18:16, Richard Moore wrote:
I've now got this working, though to do so I seem to have to take the
certificates supplied in the OCSP response directly out of the certs
field of the OCSP_BASICRESP and add these as intermediates for the
verification too. It feels bad to directly
On 05.12.2014 23:08, Kurt Roeckx wrote:
On Fri, Dec 05, 2014 at 02:50:00PM -0700, Philip Prindeville wrote:
On Dec 5, 2014, at 1:57 PM, Walter H.walte...@mathemainzel.info wrote:
On 05.12.2014 21:46, Kurt Roeckx wrote:
On Fri, Dec 05, 2014 at 07:34:13PM +, TJ wrote:
On 26/11/14 02:05,
On 05.12.2014 21:46, Kurt Roeckx wrote:
On Fri, Dec 05, 2014 at 07:34:13PM +, TJ wrote:
On 26/11/14 02:05, Salz, Rich wrote: We will soon be freezing the mailing
list memberships for a couple of days.
We are moving to a new server and upgrading the mail infrastructure
Are you aware that
On 05.11.2014 18:47, neil carter wrote:
I'm trying to install the 1.0.1j version on a Windows 2003 server
(32-bit), with MS Visual Studio 6.0, nasm 2.11.05, and ActiveState
perl v5.16.3.
Steps involved include running the VCVARS21.BAT script, ' perl
Configure VC-WIN32
On 05.11.2014 19:27, neil carter wrote:
Sorry, typo - s/b 'VCVARS32.bat'
So are you implying that MS Visual Studio 6.0 might be the issue in
that it might not have built-in code with IPv6 headers?
yes, definitely
WINSOCK2.H contains this:
/*
* Constants and structures defined by the
Hello
On 15.08.2014 17:43, Salz, Rich wrote:
Does ANYONE think that case-sensitive cipher names are good idea?
this is a bad idea; or can you explain the difference between
tlsv1:rc4-md5 and TLSV1:RC4-MD5?
Someone who types TLSV1:RC4-MD5 will find things working, but is
likely to be
On 08.08.2014 02:11, Dr. Stephen Henson wrote:
Well maybe, maybe not. Just because a ciphersuite is included in the
cipherlist doesn't mean it is included or could be selected. For example if
you set a ciphersuite which uses ECDSA authentication it wont be selected if
the server doesn't include
haven't configured none of those ...
Is the second server on not-very-recent RedHat or CentOS?
Yes, it is a CentOS 6.5
*From:*owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] *On Behalf Of *Walter H.
*Sent:* Sunday, August 10, 2014 02:39
*To:* openssl-users@openssl.org
Hello,
does anybody know what to write in the extension config to get this
X509v3 Name Constraints as the attached certificate (intel-ca.pem,
intel-ca.text)?
Thanks.
--
Greetings,
Walter
-BEGIN CERTIFICATE-
MIIJWTCCCEGgAwIBAgIQeRdKqRQXNv4Vp8qfLP9FiDANBgkqhkiG9w0BAQUFADBv
Hello,
On Tue, May 27, 2014 15:44, Sven Reissmann wrote:
Hi,
I'm having a comprehension question on certificate verification.
Having a trustchain like this:
rootCA - subCA - subCA2
I can verify the subCA2 certificate using the command:
openssl verify -CAfile rootCA.pem -untrusted
On 30.04.2014 03:57, Nikolay Elenkov wrote:
What hasn't been suggested is giving each server, etc. its own sub-CA signed by
the root. Then there won't be a need to have the root key at multiple places and
no problems with serial. Additionally, clients will only have to
install and trust
the
On 29.04.2014 22:32, Tim Hudson wrote:
On 30/04/2014 6:05 AM, Walter H. wrote:
On 29.04.2014 21:38, d...@deadhat.com wrote:
This all seems unnecessarily complex. Make the serial number a 256
bit or
greater true random number. There will be no collisions.
the serial
On 29.04.2014 20:15, Jakob Bohm wrote:
I seem to (vaguely) recall that there was once an option or standard for
using a certificate-contents-related hash as the serial number, but I
can't seem to find it right now.
Hi,
could you please try to find this; I would be interested in such - a way
On 29.04.2014 21:38, d...@deadhat.com wrote:
This all seems unnecessarily complex. Make the serial number a 256 bit or
greater true random number. There will be no collisions.
the serial number has maximum length ..., 256 bit is quite too big ..
On 26.04.2014 05:52, csa321 wrote:
We've generated our own CA for self-signing certificates.
The issue is that
we package up the openssl install for installation on multiple servers.
Therefore, the root CA we create is part of the package as well.
the private key of the root CA should
On 10.04.2014 13:16, Rob Stradling wrote:
On 09/04/14 20:43, Salz, Rich wrote:
Can you please post a good and a bad server example. I have
tested a lot of servers, including 'akamai.com', and they all show
HEARTBEATING at the end:
Look at Victor's recent post about how to patch
Hello,
On Thu, March 27, 2014 10:47, Stefan H. Holek wrote:
3. Is there a reason to not set a pathLen in the basicConstraints
section of the Root CA's (to 1, to allow a maximum of one layer of
CA's below the Root), but to do so on the Intermediate CA's?
Pathlen is not used on root CA certs.
On 09.03.2014 14:39, Michael Post wrote:
last year i created my keys, certs and so on with the following steps
for an openvpn server:
the only certificate that is still valid is your self signed ca
certificate;
# Serverside
openssl req -new -x509 -newkey rsa:2048 -keyout
Hello,
it is already solved, but I just want to tell others;
I have two VMs, one with an older CentOS 4.x and one with a new CentOS 6.5
both run Postfix as MTA; both have configured a smarthost;
the smarthost allows STARTTLS and has a certificate, that is
issued by AlphaSSL; the
Authority
On 20.02.2014 17:57, Viktor Dukhovni wrote:
On Thu, Feb 20, 2014 at 11:26:20AM +0100, Walter H. wrote:
the older CentOS 4.x has in its ca-bundle.crt a root certificate that
expired at the end of last month (on Jan. 28th, 2014), also attached
(rootexpired.txt), no other valid root certificate
On 07.02.2014 21:04, Tom Pfeifer wrote:
...which are required for Extended Validation (EV) certificates. I'm
currently using openSSL 1.0.1e-fips on Fedora 20, and I have these OIDs
specified in the [new_oids] section in openssl.cnf like this:
On 09.01.2014 19:48, Watson, Patrick wrote:
I'd recommend using VerifyVersionInfo:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms725492(v=vs.85).aspx.
It's supported from Win2k onward and isn't deprecated as of Win 8.1. I don't
remember for sure if it's present in Windows CE and
On 14.12.2013 00:00, Dr. Stephen Henson wrote:
How are you disabling RSA key exchange?
by setting all ciphers beginning with RSA to no in FF
If you disable RSA for authentication
too you'll hit problems if you don't have a non-RSA certificate. So for
example: ECDHE-ECDSA-3DES-EDE-SHA needs
On 12.12.2013 14:16, Erwann Abalea wrote:
It's not strange.
You removed the RSA-* from client side, the result is that the server
can't match anything in common between what the client proposed and
what the server accepts. The error you get has been sent by the server.
The server is capable
On 13.12.2013 21:16, andrew cooke wrote:
well, i realised i couldn't answer the question seriously... what is
ECDHE-ECDSA-3DES-EDE-SHA ? the only reference i can find on the web is to
google chrome and firefox accepting it (a grep of openssl 1.0.1e fails to find
it). does any server actually
/2011/05/10/build-selinux-policy-for-your-next-daemon-part-1/
I hope it helps.
Eliezer
On 08/12/13 22:34, Walter H. wrote:
Hello,
I have the ident problem as here:
http://comments.gmane.org/gmane.comp.web.squid.general/99601
SELinux=enforcing prevents running squid ...
my system: a CentOS
Hello,
can someone give me an example of the certificate, that is used here:
http_port 3128 ssl-bump cert=/etc/squid/cert/cert.pem
I'm using the latest CentOS release (6.5) with squid 3.1.10
I generated one with this:
openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -subj
Hi,
On Wed, November 27, 2013 16:02, Dereck Hurtubise wrote:
X509v3 Extended Key Usage:
Trust Root
what is this strange?
'Trust Root' as Extended Key Usage?
the ASN.1 dump of this certificate ...
0 470: SEQUENCE {
4 319: SEQUENCE {
8 3: [0] {
10 1: INTEGER 2
: }
13 5: INTEGER 00 D6 2D F4 34
20 13: SEQUENCE {
22 9: OBJECT IDENTIFIER sha1WithRSAEncryption (1 2 840 113549 1 1 5)
33 0:
Windows has its own System wide certificate store;
look at certmgr.msc
keep in mind, that some applications have their own store
e.g. Mozilla ThunderBird, Mozilla FireFox
and some other can use this system wide certificate store
e.g. Adobe Reader/Pro/Std
Walter
On 15.11.2013 09:57, Manoj
On Tue, November 12, 2013 05:47, Alan Jakimiuk wrote:
Is there a way I can make all three linked?
this should be the default.
ie. Cert A-Cert B-Cert C in the certification path?
Any help would be appreciated
can you view the certificates?
openssl x509 -noout -text -in certfile
you should
On 01.11.2013 23:12, Viktor Dukhovni wrote:
$ openssl ciphers -v DHE-RSA-CAMELLIA256-SHA
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256)
Mac=SHA1
$ openssl ciphers -v AES128-SHA256
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128)
On 03.11.2013 18:27, Viktor Dukhovni wrote:
On Sun, Nov 03, 2013 at 06:18:38PM +0100, Walter H. wrote:
how would I define forward-secrecy on Apache webserver?
If the server negotiated both ciphers, it already supports
forward-secrecy (aka PFS) if the client does too.
What about a browser
Hello,
Which one of the following two is better (1) or (2)?
(1)
SSL_CIPHER=DHE-RSA-CAMELLIA256-SHA
SSL_CIPHER_ALGKEYSIZE=256
SSL_CIPHER_EXPORT=false
SSL_CIPHER_USEKEYSIZE=256
SSL_COMPRESS_METHOD=NULL
SSL_PROTOCOL=TLSv1
SSL_SECURE_RENEG=true
(2)
SSL_CIPHER=AES128-SHA256
Hello,
On 01.11.2013 22:34, Viktor Dukhovni wrote:
On Fri, Nov 01, 2013 at 09:56:10PM +0100, Walter H. wrote:
Which one of the following two is better (1) or (2)?
(1)
SSL_CIPHER=DHE-RSA-CAMELLIA256-SHA
$ openssl ciphers -v DHE-RSA-CAMELLIA256-SHA
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx
Hello,
On 30.10.2013 18:17, Marcus Schmitt wrote:
I have one problem after I created a root-CA, intermediate-CA and a server
certificate. After I configured my apache with the server cert, key and
intermediate cert and importing the root-CA to firefox 24 I received the
following error when I
Hello Marcus
On 30.10.2013 19:26, Marcus Schmitt wrote:
nameopt = default_ca
certopt = default_ca
what do this lines should mean in your openssl.cnf?
can you do the following with each of your generated certificates:
openssl
On 08.10.2013 15:00, Rahul Tolani wrote:
Actual Subject Property =
subject=/CN=B1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\x00
this is just a bug - the \x00 looks like the terminating \0 ...
Required Subject Property =
subject=/CN=B1C43CD0-1624-5FBB-8E54-34CF17DFD3A1
Greetings,
Walter
I thought similar, but it becomes more strange;
if the webserver uses a certificate that is signed from a CA with built
in token, then this needn't be;
and in case it is signed from my intermediate certificate, this doesn't
help ...
Greetings,
Walter
On 07.10.2013 09:39, Mat Arge wrote:
Hello,
there exists a self signed root CA certificate (A)
one intermediate CA certificate (B)
and this intermediate certificate has signed a SSL certificate (C) of a
web server;
the SSL certificate has in its 'Authority Information Access' extension
the URL to the
intermediate CA certificate,
Hello,
can someone please tell me the difference between
OpenSSL x.x.x any date
and
OpenSSL x.x.x-fips any date
is there a difference in functionality?
is there a difference in legality?
what does it tell to me, when
openssl version
shows fips, and what does it tell, when
openssl version
On 02.09.2013 10:33, deepak.kathuria wrote:
Hi,
I am using openssl OCSP utility as OCSP Responder in linux platform. OCSP
Requester sends the OCSP Request to OCSP Responder and if OCSP Responder
will not come, then what will be the expected behavior of OCSP Requester in
this case?
this can be
Hi,
this shouldn't be, because you marked this extension as critical;
what is your OpenSSL release?
and in case of Linux, which distro (version/release) are you using?
Walter
On 20.08.2013 20:18, Peter1234 wrote:
Hi all,
although I issued a certificate for an intermediate CA (CA2) with a
Eisenacher, Patrick wrote:
-Original Message-
From: Jakob Bohm
On 31-07-2013 11:02, Eisenacher, Patrick wrote:
-Original Message-
From: Jakob Bohm
On 30-07-2013 20:53, Walter H. wrote:
On 30.07.2013 19:51, Eisenacher, Patrick wrote:
Jakob, I don't
On 31.07.2013 16:47, Jakob Bohm wrote:
the only cert that can't be checked by OCSP is the root cert itself;
This is where I disagree, can you point me to an actual reason why
not, which is not refuted by my logical ABC argument above.
the Authority Information Access extension does not make
On 30.07.2013 19:51, Eisenacher, Patrick wrote:
I was wondering how the root cert gets revoked. Anyway thanks for posting
that request.
A self-signed certificate can't be revoked via a crl, because you won't be able
to successfully verify its signature.
keep in mind, that in case you detect a
Hello,
look into the .DEF file, there is the information, which
type of dynamic library should be generated;
it is very probable, that
your .DEF file is for 32-bit only;
Walter
On 08.07.2013 10:59, Andrew MARLOW wrote:
Hello gentlemen,
I am trying to build
openssl 1.0.1e on
the major features that 1.0.x supports are
openssl ts (http://www.openssl.org/docs/apps/ts.html)
openssl cms (http://www.openssl.org/docs/apps/cms.html)
Greetings,
Walter
On 26.03.2013 18:50, Gopakumar Pillai wrote:
Hi,
Can any one point me to a location where I can find the major
On 25.03.2013 18:05, Jakob Bohm wrote:
This one lacks the data part, it seems to have been generated without
the -nodetach option.
- myreply02cms-asn1.text
This one has the data part, but lacks the signingTime attribute which
is the whole point of this exercise.
how can I correct this?
Hi,
thanks for your infos
can you please tell me, where I can find your postings to this topic,
you made in the past?
On 19.03.2013 20:07, Jakob Bohm wrote:
Won't work (as you saw), this function doesn't take the actual
ContentInfo structure as input, but data which it will (mis)treat
as
On 17.03.2013 16:37, kap...@mizera.cz wrote:
On 16.3.2013 20:58, Walter H. wrote:
I tried this with my Adobe Acrobat,
and you wouldn't believe it; it doesn't work with Adobe Acrobat, too.
the error message - I use German version:
Fehler beim Erstellen der Unterschriftseigenschaften des
On 17.03.2013 18:48, kap...@mizera.cz wrote:
be verified - the same as you had ...
OpenSSL and Adobe conform to RFC 3161;
but not this TSA ...
correct, the error message means, that the received timestamp could not
But the discussed TSA postsignum would not exist at all if there would
be a
On 16.03.2013 19:27, kap...@mizera.cz wrote:
On 16.3.2013 12:58, Walter H. wrote:
Unfortunately not, it is official paid service.
But You can make tests on testing TSA:
http://www.postsignum.cz/testovaci_casova_razitka.html
I don't understand this language; can you tell me the URL
On 13.03.2013 01:19, kap...@mizera.cz wrote:
On 12.3.2013 20:36, Walter H. wrote:
Hello,
I found the following:
http://tsa.postsignum.cz:444
do you have account by this TSA ?
No.
if there is a need to have an account; then this page is not conforming
to any RFC - HTTP 400
Hello John,
I had the same problem; the solution is just:
UTF8String or UTF8 and not UTF8STRING
Walter
On 14.03.2013 17:06, rasmu...@us.ibm.com wrote:
I'm using the following configuration file section in an attempt to
create a CA with UTF8 characters in subject (and other) fields.
Hello,
I found the following:
http://tsa.postsignum.cz:444
produces the following error, when using this as time stamp server with
adobe standard/pro
BER decoding error
what software do they use?
my solution with OpenSSL works ...
Greetings,
Walter
1 - 100 of 118 matches