Which header file I need to include for X509 OCSP Certificate Verification

2021-05-19 Thread Kumar Mishra, Sanjeev
Hi, which header file do I need to include for X509 OCSP certificate verification? I am getting compilation errors for different structures and macros, although I am including the following files: // #include #include #include #include #include // #include #include

RE: Peer certificate verification in verify_callback

2020-04-02 Thread Michel
st() and the like as mentioned in the X509_STORE_add_cert man page, or something else? Regards, Michel -Original message- From: openssl-users [mailto:openssl-users-boun...@openssl.org] On behalf of Viktor Dukhovni Sent: Monday 30 March 2020 23:19 To: openssl-users@openssl.org Subject: Re: Peer certificate v

Re: Peer certificate verification in verify_callback

2020-03-30 Thread Jason Schultz
From: openssl-users on behalf of Viktor Dukhovni Sent: Monday, March 30, 2020 9:19 PM To: openssl-users@openssl.org Subject: Re: Peer certificate verification in verify_callback On Mon, Mar 30, 2020 at 09:02:47PM +0000, Jason Schultz wrote: > I won't get into the details of

Re: Peer certificate verification in verify_callback

2020-03-30 Thread Viktor Dukhovni
On Mon, Mar 30, 2020 at 09:02:47PM +0000, Jason Schultz wrote: > I won't get into the details of my application as it's complex, but it > can act as a client or a server. The case we are worried about is > obviously when it's acting as a client. I thought the standard way of > dealing with these

Re: Peer certificate verification in verify_callback

2020-03-30 Thread Jason Schultz
users on behalf of Viktor Dukhovni Sent: Monday, March 30, 2020 6:17 PM To: openssl-users@openssl.org Subject: Re: Peer certificate verification in verify_callback On Thu, Mar 05, 2020 at 02:04:27PM +0000, Jason Schultz wrote: > I have some questions about my application’s verify_callback() fu

Re: Peer certificate verification in verify_callback

2020-03-30 Thread Viktor Dukhovni
errors in a verify callback, if you have a certificate store that is not directly supported by OpenSSL, you need to implement your own custom X509_STORE type, associate that store with the SSL_CTX and have OpenSSL's built-in certificate verification search that store for you. If you also want to di

Re: Peer certificate verification in verify_callback

2020-03-30 Thread Jeremy Harris
On 30/03/2020 17:01, Jason Schultz wrote: > For example, if my client application is presented a self-signed certificate > in the handshake, verify_callback() is called with an error, for which > X509_STORE_CTX_get_error() returns 18/X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT. > In this case, my

Re: Peer certificate verification in verify_callback

2020-03-30 Thread Jason Schultz
Subject: Peer certificate verification in verify_callback I have some questions about my application’s verify_callback() function and how I handle some of the OpenSSL errors. For example, if my client application is presented a self-signed certificate in the handshake, verify_callback

Peer certificate verification in verify_callback

2020-03-05 Thread Jason Schultz
I have some questions about my application’s verify_callback() function and how I handle some of the OpenSSL errors. For example, if my client application is presented a self-signed certificate in the handshake, verify_callback() is called with an error, for which X509_STORE_CTX_get_error()

Re: certificate verification error OpenSSL 1.1.1

2020-03-03 Thread Jakob Bohm via openssl-users
On 2020-03-03 08:19, Viktor Dukhovni wrote: On Mon, Mar 02, 2020 at 01:48:20PM +0530, shiva kumar wrote: when I tried to verify the self-signed certificate in OpenSSL 1.0.2 it is giving error 18 and gives OK as o/p, when I tried the same with OpenSSL 1.1.1 there is a slight change in the

Re: certificate verification error OpenSSL 1.1.1

2020-03-02 Thread Viktor Dukhovni
On Mon, Mar 02, 2020 at 01:48:20PM +0530, shiva kumar wrote: > when I tried to verify the self-signed certificate in OpenSSL 1.0.2 it > is giving error 18 and gives OK as o/p, when I tried the same with OpenSSL > 1.1.1 there is a slight change in the behavior it also gives the same error, > but

Re: certificate verification error OpenSSL 1.1.1

2020-03-02 Thread shiva kumar
Hi, can you please tell me more about 1) How to verify a self-signed (.crt) key in OpenSSL 1.1.1? 2) Can a key generated by OpenSSL 1.0.2 be used to connect with OpenSSL 1.1.1 and vice versa? Thanks and regards Shivakumar On Mon, Mar 2, 2020 at 2:36 PM Dmitry Belyavsky wrote: > First, I

Re: certificate verification error OpenSSL 1.1.1

2020-03-02 Thread Dmitry Belyavsky
First, I recommend you not to hurry :) Second, the validation procedures have changed between 1.0.2 and 1.1.1; 1.1.1 checks more strictly. E.g., a self-signed certificate without "CA:TRUE" will be treated as a valid CA cert in 1.0.2 but not as valid in 1.1.1 On Mon, Mar 2, 2020 at 12:01 PM shiva

Re: certificate verification error OpenSSL 1.1.1

2020-03-02 Thread shiva kumar
Hi, please help me, is this an expected behavior? On Mon, Mar 2, 2020 at 1:48 PM shiva kumar wrote: > when I tried to verify the self-signed certificate in OpenSSL 1.0.2 it > is giving error 18 and gives OK as o/p, when I tried the same with OpenSSL > 1.1.1 there is a slight change in the

certificate verification error OpenSSL 1.1.1

2020-03-02 Thread shiva kumar
when I tried to verify the self-signed certificate in OpenSSL 1.0.2 it is giving error 18 and gives OK as o/p, when I tried the same with OpenSSL 1.1.1 there is a slight change in the behavior: it also gives the same error, but instead of OK it gives a different error as "*ca.crt: verification

Re: SSL certificate verification

2019-12-18 Thread Viktor Dukhovni
> On Dec 18, 2019, at 11:10 AM, Jan Just Keijser wrote: > > the short answer is no, it does not; the openssl library will let you load > expired/invalid certificates if you do not do any explicit checks. Use a > verify_callback and call X509_verify_cert() to check the validity. The verify

Re: SSL certificate verification

2019-12-18 Thread Jan Just Keijser
On 18/12/19 09:54, Mody, Darshan Arvindkumar (Darshan) wrote: Hi, we are using the SSL_CTX_use_certificate and SSL_CTX_use_certificate_chain_file APIs to load the certificates. My query is: when we are loading the certificate in the context, does openssl verify the certificates, e.g. whether

SSL certificate verification

2019-12-18 Thread Mody, Darshan Arvindkumar (Darshan)
Hi, we are using the SSL_CTX_use_certificate and SSL_CTX_use_certificate_chain_file APIs to load the certificates. My query is: when we are loading the certificate in the context, does openssl verify the certificates, e.g. whether the certificate is already expired, etc.? Thanks and Regards

Re: [openssl-users] openssl 1.1 certificate verification fails with non-standard public key algorithm

2018-07-25 Thread Viktor Dukhovni
> On Jul 25, 2018, at 4:50 PM, Ken Goldman wrote: > > For background, this is the TPM 1.2 endorsement key certificate. I.e., this > is a real application with millions of certificates issued. The key is an > RSA-2048 key. > > The TCG (for a while) specified > > Public Key

Re: [openssl-users] openssl 1.1 certificate verification fails with non-standard public key algorithm

2018-07-25 Thread Ken Goldman
On 7/25/2018 4:27 PM, Viktor Dukhovni wrote: Yes, that's what I'm saying, but also asking the broader list for feedback on such a change. Should security level zero succeed even with unsupported EE keys (which somehow get used with some other software???). For background, this is the TPM 1.2

Re: [openssl-users] openssl 1.1 certificate verification fails with non-standard public key algorithm

2018-07-25 Thread Viktor Dukhovni
> On Jul 25, 2018, at 3:00 PM, Ken Goldman wrote: > > > If you're suggesting that altering the above code to do the level check > before the call to get pkey, I think that would fix my problem. Yes, that's what I'm saying, but also asking the broader list for feedback on such a change.

Re: [openssl-users] openssl 1.1 certificate verification fails with non-standard public key algorithm

2018-07-25 Thread Ken Goldman
On 7/25/2018 10:47 AM, Viktor Dukhovni wrote: On Jul 25, 2018, at 10:05 AM, Ken Goldman wrote: I have a certificate with a non-standard public key algorithm -rsaesOaep. See snippet #2. With openssl 1.0, I can validate the certificate chain. With openssl 1.1 it fails with the error

Re: [openssl-users] openssl 1.1 certificate verification fails with non-standard public key algorithm

2018-07-25 Thread Viktor Dukhovni
> On Jul 25, 2018, at 10:05 AM, Ken Goldman wrote: > > I have a certificate with a non-standard public key algorithm -rsaesOaep. > See snippet #2. > > With openssl 1.0, I can validate the certificate chain. With openssl 1.1 it > fails with the error X509_V_ERR_EE_KEY_TOO_SMALL. See

[openssl-users] openssl 1.1 certificate verification fails with non-standard public key algorithm

2018-07-25 Thread Ken Goldman
Seeking advice. I have a certificate with a non-standard public key algorithm -rsaesOaep. See snippet #2. With openssl 1.0, I can validate the certificate chain. With openssl 1.1 it fails with the error X509_V_ERR_EE_KEY_TOO_SMALL. See dump #1. I believe that this is due to new 1.1

Re: [openssl-users] Client authentication certificate verification

2017-08-22 Thread Sudarshan Raghavan
I understand that the trusted store must include Intermediate CA 1 or remove Intermediate CA 2 and just have the Root CA in it. I was trying things out to understand how client authentication works. Regards, Sudarshan On Tue, Aug 22, 2017 at 10:37 AM, Sudarshan Raghavan <

[openssl-users] Client authentication certificate verification

2017-08-22 Thread Sudarshan Raghavan
This is the CA - Leaf hierarchy I am testing with: Root CA > Intermediate CA 1 > Intermediate CA 2 > Leaf. Trusted certificates configured: Root CA and Intermediate CA 2. Client authenticates itself with this chain: Leaf > Intermediate CA 2 > Intermediate CA 1. I am using openssl 1.1.0f. This

Re: [openssl-users] Certificate verification failure

2016-02-03 Thread Yan, Bob
-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Jan Just Keijser Sent: Wednesday, February 03, 2016 8:17 AM To: openssl-users@openssl.org Subject: Re: [openssl-users] Certificate verification failure Yan, Bob wrote: > Thanks Jan, > > When I am using the CApath,

Re: [openssl-users] Certificate verification failure

2016-02-03 Thread Jan Just Keijser
nssl-users] Certificate verification failure Yan, Bob wrote: Dear Sir/Madam, I have an application which is acting as an SSL server. When the application loads the root and intermediate CA files from a CA path, the handshake between my application and the openssl client failed at the point when my a

Re: [openssl-users] Certificate verification failure

2016-02-01 Thread Jan Just Keijser
Yan, Bob wrote: Dear Sir/Madam, I have an application which is acting as an SSL server. When the application loads the root and intermediate CA files from a CA path, the handshake between my application and the openssl client failed at the point when my application was authenticating the client’s

Re: [openssl-users] Certificate verification failure

2016-02-01 Thread Yan, Bob
to:openssl-users-boun...@openssl.org] On Behalf Of Jan Just Keijser Sent: Monday, February 01, 2016 1:04 AM To: openssl-users@openssl.org Subject: Re: [openssl-users] Certificate verification failure Yan, Bob wrote: > > Dear Sir/Madam, > > I have an application which is acting as an SSL server

[openssl-users] Certificate verification failure

2016-01-29 Thread Yan, Bob
Dear Sir/Madam, I have an application which is acting as an SSL server. When the application loads the root and intermediate CA files from a CA path, the handshake between my application and the openssl client failed at the point when my application was authenticating the client's certificate. But

Re: [openssl-users] Certificate verification fails with latest commits (ECDSA)

2015-02-04 Thread Jakob Bohm
Summary of thread so far: The latest security update enforces that any inherently unsigned BIGNUM must be encoded as a non- negative DER INTEGER (which has a leading 0 byte if the most significant bit of the first byte would otherwise be set). It is a well known historic bug that some other

Re: [openssl-users] Certificate verification fails with latest commits (ECDSA)

2015-02-03 Thread Dr. Stephen Henson
On Tue, Feb 03, 2015, jan.w...@ptb.de wrote: This check fails for some of our certificates and the reason is that openssl adds a padding byte for BIGNUMs in crypto/asn1/x_bignum.c if the MSB is set. Our encoding does not contain these padding bytes and, consequently, the re-encoded

[openssl-users] Certificate verification fails with latest commits (ECDSA)

2015-02-03 Thread jan . weil
Hi, we have noticed that with the latest Debian wheezy-security update of the libssl1.0.0 package suddenly the verification of some of our ECDSA-signed certificates failed. I've looked into this and I've traced it down to the following patch

Re: [openssl-users] Certificate verification fails with latest commits (ECDSA)

2015-02-03 Thread jan . weil
Hi Steve, thanks a lot for your quick response and for the clarification. From: Dr. Stephen Henson st...@openssl.org The MSB is effectively a sign bit but the explanation in the standard isn't very clear. If you take your example of GTS001.pem and do: openssl asn1parse -in GTS001.pem

RE: certificate verification problem

2014-10-31 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of tho...@koeller.dyndns.org Sent: Thursday, October 30, 2014 14:50 I have... root_ca.pem ... self-signed ... issued host_ca.pem ... I would expect the two to form a valid chain. And indeed, verification succeeds: ... openssl verify -CAfile

Re: certificate verification problem

2014-10-31 Thread thomas
On 10/31/2014 03:24 PM, Dave Thompson wrote: From: owner-openssl-us...@openssl.org On Behalf Of tho...@koeller.dyndns.org Sent: Thursday, October 30, 2014 14:50 I have... root_ca.pem ... self-signed ... issued host_ca.pem ... I would expect the two to form a valid chain. And indeed,

certificate verification problem

2014-10-30 Thread thomas
Hi, trying to build a valid certificate chain, I came across the following problem: I have two certificates. The first one, contained in file root_ca.pem, is a self-signed root CA, intended to sign intermediate CA's with. The second one, contained in host_ca.pem, is such an intermediate CA,

Client certificate verification

2014-03-13 Thread Leon Brits
Hi, We are switching to our own CA for in house networking. To test I've used it to sign a server certificate and a client certificate. The subject and issuer output for all three certificates is... ...CA: $ openssl x509 -subject -issuer -noout -in gandalf_cacert.pem subject=

Server Certificate verification against available fingerprint

2013-10-07 Thread Manoj
previously available fingerprint? Regards Manoj

RE: SSL_connect:error in SSLv3 flush data - Certificate Verification: Error (20) when setting up replacement server

2013-07-26 Thread Michel, Audrey
-Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson Sent: Friday, July 19, 2013 4:32 PM To: openssl-users@openssl.org Subject: RE: SSL_connect:error in SSLv3 flush data - Certificate

RE: SSL_connect:error in SSLv3 flush data - Certificate Verification: Error (20) when setting up replacement server

2013-07-19 Thread Michel, Audrey
- Certificate Verification: Error (20) when setting up replacement server From: owner-openssl-us...@openssl.org On Behalf Of Michel, Audrey Sent: Thursday, 18 July, 2013 15:24 Subject: SSL_connect:error in SSLv3 flush data - Certificate Verification: Error (20) when setting up replacement server

RE: SSL_connect:error in SSLv3 flush data - Certificate Verification: Error (20) when setting up replacement server

2013-07-19 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Michel, Audrey Sent: Friday, 19 July, 2013 11:41 Thanks for the reply and good information as it helped clear up some misunderstanding I had. Here is some additional information based on your responses. -The two servers have different

SSL_connect:error in SSLv3 flush data - Certificate Verification: Error (20) when setting up replacement server

2013-07-18 Thread Michel, Audrey
log I see the following error (all other tags are [debug]: [Thu Jul 18 08:07:07 2013] [error] Certificate Verification: Error (20): unable to get local issuer certificate [Thu Jul 18 08:07:07 2013] [debug] ssl_engine_kernel.c(1749): OpenSSL: Write: SSLv3 read client certificate B [Thu Jul 18 08:07

RE: SSL_connect:error in SSLv3 flush data - Certificate Verification: Error (20) when setting up replacement server

2013-07-18 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Michel, Audrey Sent: Thursday, 18 July, 2013 15:24 Subject: SSL_connect:error in SSLv3 flush data - Certificate Verification: Error (20) when setting up replacement server Aside: the error isn't really in flush-data; it is the server

RE: server certificate verification fails

2013-05-28 Thread Hazrat Shah
: server certificate verification fails From: owner-openssl-us...@openssl.org On Behalf Of Hazrat Shah Sent: Friday, 24 May, 2013 19:48 I add the server certificate in PEM format to the SSL store using [] X509_STORE_add_cert(SSL_CTX_get_cert_store(pctx), x509cert); I assume you mean to the truststore

RE: server certificate verification fails

2013-05-28 Thread Hazrat Shah
To: openssl-users@openssl.org Subject: RE: server certificate verification fails The certificate is for a client and is self signed. From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] on behalf of Dave Thompson [dthomp...@prinpay.com] Sent

server certificate verification fails

2013-05-24 Thread Hazrat Shah
I add the server certificate in PEM format to the SSL store using the following call. X509_STORE_add_cert(SSL_CTX_get_cert_store(pctx), x509cert); The SSL_get_verify_result(SSL handle); always seems to return error code 20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. Has anyone been able to

Re: Self-Signed Certificate Verification failure

2013-05-16 Thread isshed
Thanks Dave for the response. On Wed, May 15, 2013 at 11:29 PM, Dave Thompson dthomp...@prinpay.comwrote: From: owner-openssl-us...@openssl.org On Behalf Of isshed Sent: Wednesday, 15 May, 2013 08:25 I have a self-signed certificate installed on a server with the following extensions

Self-Signed Certificate Verification failure

2013-05-15 Thread isshed
Hi all, I have a self-signed certificate installed on a server with the following extensions fields. = Key Usage:Digital Signature, Key Encipherment (a0)

RE: Self-Signed Certificate Verification failure

2013-05-15 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of isshed Sent: Wednesday, 15 May, 2013 08:25 I have a self-signed certificate installed on a server with the following extensions fields. Key Usage:Digital Signature, Key Encipherment (a0) Basic Constraints : Subject Type=End Entity,

RE: Intermediate certificate verification

2012-09-24 Thread Nou Dadoun
schedule. This sounds like a well-defined small problem that could benefit from it though; are there any examples around of the capi engine used to retrieve certificates as required from a windows certificate store to do this kind of certificate verification? (i.e. a windows method that finds them

Intermediate certificate verification

2012-09-21 Thread Nou Dadoun
Just wanted to confirm an assumption, I've got 3 x509 certificates: Root -- intermediate -- leaf I load the intermediate certificate (but not the Root certificate) into the x509_store and set up the verify_ctx to verify the leaf certificate. I then use the X509_verify_cert(verify_ctx)

RE: Intermediate certificate verification

2012-09-21 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Nou Dadoun Sent: Friday, 21 September, 2012 15:29 Just wanted to confirm an assumption, I've got 3 x509 certificates: Root -- intermediate -- leaf I load the intermediate certificate (but not the Root certificate) into the x509_store

RE: Client certificate verification: performance

2012-07-02 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Sukalp Bhople Sent: Friday, 29 June, 2012 19:37 Following is the code I used at server side program. while (1) { SSL *ssl = SSL_new(ctx); SSL_set_fd(ssl, clientserver[1]); if (SSL_accept(ssl) != 1) break;

Re: Client certificate verification

2012-06-29 Thread Peter Sylvester
On 06/29/2012 09:29 PM, Sukalp Bhople wrote: Hello, I am trying to measure server performance for client certificate verification. However, there is no significant difference in the server performance when I send one certificate and when I send a chain of 10 certificates. I am aware

RE: Client certificate verification

2012-06-29 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Sukalp Bhople Sent: Friday, 29 June, 2012 15:30 I am trying to measure server performance for client certificate verification. However, there is no significant difference in the server performance when I send one certificate and when

Re: Client certificate verification

2012-06-29 Thread Sukalp Bhople
conclusions right? On Fri, Jun 29, 2012 at 11:10 PM, Dave Thompson dthomp...@prinpay.comwrote: From: owner-openssl-us...@openssl.org On Behalf Of Sukalp Bhople Sent: Friday, 29 June, 2012 15:30 I am trying to measure server performance for client certificate verification. However

Re: Please Clarify.Intermediate certificate verification ?

2012-03-07 Thread Jakob Bohm
On 3/7/2012 2:06 AM, Dave Thompson wrote: From: owner-openssl-us...@openssl.org On Behalf Of Edward Ned Harvey Sent: Tuesday, 06 March, 2012 13:18 From: owner-openssl-us...@openssl.org [mailto:owner-openssl- us...@openssl.org] On Behalf Of Mr.Rout 1) what is intermediate certificate validation

Please Clarify.Intermediate certificate verification ?

2012-03-06 Thread Mr.Rout
Best Regards, Mr. Rout

RE: Please Clarify.Intermediate certificate verification ?

2012-03-06 Thread Edward Ned Harvey
From: owner-openssl-us...@openssl.org [mailto:owner-openssl- us...@openssl.org] On Behalf Of Mr.Rout 1) what is intermediate certificate validation ? When you generate a CSR, the CA can sign it directly, or they can sign it via an intermediate. I'm not quite sure what's the point of the

RE: Please Clarify.Intermediate certificate verification ?

2012-03-06 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Edward Ned Harvey Sent: Tuesday, 06 March, 2012 13:18 From: owner-openssl-us...@openssl.org [mailto:owner-openssl- us...@openssl.org] On Behalf Of Mr.Rout 1) what is intermediate certificate validation ? When you generate a CSR, the

Use of CRL in certificate verification

2011-06-19 Thread Sushil Singh
Hi, I am using OpenSSL and writing a TLS client opening a TLS socket. How can I ensure that this TLS socket is also checking the CRL for the peer certificate? Please let me know the API for the same and also how the path of the CRL can be indicated to the TLS socket. Thanks in advance. Sushil

X509 certificate verification error when purpose is set to 'any' using openssl api's

2011-04-19 Thread prk j
Please can anybody help? This is kind of a priority issue for me. I have the following set of certificates with X509 extensions defined for code signing in PKCS7 format. Root CA - Key usage (critical): Certificate Sign, CRL Sign CVC Sub-CA - Key usage (critical): Certificate Sign, CRL Sign CVC cert

Another problem with certificate verification...

2010-08-30 Thread Tomás Tormo
Greetings I have another problem with certificate verification. I get the same error as always with a testing CA we created... we have issued a certificate signed by this CA but we get the same error: *error 20 at 0 depth lookup:unable to get local issuer certificate* After checking

Re: [openssl-users] Another problem with certificate verification...

2010-08-30 Thread Erwann ABALEA
On 30 August 2010, Tomás Tormo wrote: [...] [amsterdam:/morralla/ttormo/ACIndenova]# openssl x509 -in acindenova.cer -text [...] Not Before: Dec 8 08:31:12 2006 GMT Not After : Dec 5 08:41:12 2016 GMT [...] [amsterdam:/test]# openssl x509 -in

Re: Another problem with certificate verification...

2010-08-30 Thread Dr. Stephen Henson
On Mon, Aug 30, 2010, Tomás Tormo wrote: Finally, I checked the Authority Key Identifier of the EE certificate but it looks good to me... [amsterdam:/test]# openssl x509 -in admesigna.cer -text keyid:B2:D2:89:54:6C:14:8E:84:CC:F4:DA:26:6A:45:9C:27:A9:5C:02:CF

Re: [error] Certificate Verification: Error (34): unhandled critical extension

2010-06-11 Thread Scott Thomas
Hello Peter Sylvester, Extensions are ignored in the root. Without telling what critical extensions you have, it is difficult to help. I had some extensions set to critical in my Sub CA certificates; I have regenerated all the sub CA certificates and now it works fine. That's right that

Re: [error] Certificate Verification: Error (34): unhandled critical extension

2010-06-07 Thread scott_thomas007
appears [error] Certificate Verification: Error (34): unhandled critical extension in Apache log, and the SSL handshake fails. When I use openssl -verify on the certificate, it seems happy. Is there a way I can ask mod_ssl or openssl to ignore critical extensions? I am aware that this is not good

TLS: Certificate verification failed, error 7 (certificate signature failure) depth 2

2009-10-13 Thread dutchman1
: SSL_connect:SSLv3 read server hello A TLS: Certificate verification failed, error 7 (certificate signature failure) depth 2 for '/CN=WiMAX Forum(R) Server Root-CA/O=WiMAX Forum(R)/C=US' SSL: (where=0x4008 ret=0x233) SSL: SSL3 alert: write (local SSL3 detected an error):fatal:decrypt error SSL: (where

RE: Certificate verification failed, error 7 (certificate signature failure) depth 2

2009-10-13 Thread Eisenacher, Patrick
I'm currently trying to integrate wpa_supplicant and OpenSSL 0.9.8k to authenticate to a wireless network using EAP-TLS. It seems like I'm failing on verifying the server certificate. Can anybody interpret the error for me error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown

Certificate verification through Callback

2009-08-11 Thread Kamalakanta Palei (kpalei)
Hi All, I am using the SSL_CTX_set_cert_verify_callback(ctx, callback, (void *)arg) API to register the callback function for certificate verification. However, I need to set the mode (SSL_VERIFY_PEER) for the SSL context. I am using the below code to set the mode and callback function. Is it the right way of doing

Re: Certificate Verification: Error (7): certificate signature failure

2009-07-10 Thread Jon Schmidt
To close out this issue in the hopes that this will be of use to someone in the future, Dr. Henson greatly helped in tracking the problem down to a PHP extension that was calling EVP_cleanup(). When you have a shared library using OpenSSL and multiple applications things like algorithm tables

Re: Certificate Verification: Error (7): certificate signature failure

2009-07-08 Thread Jon Schmidt
can duplicate the issue in a 32 bit environment. Server log failed: [Wed Jul 08 08:42:20 2009] [debug] ssl_engine_kernel.c(1190): Certificate Verification: depth: 1, subject: additional text deleted [Wed Jul 08 08:42:20 2009] [debug] ssl_engine_kernel.c(1190): Certificate Verification: depth: 0

RE: Query on OpenSSL for Certificate verification

2009-04-15 Thread Vijay Kothamasu (vikotham)
[mailto:aerow...@gmail.com] Sent: Tuesday, April 14, 2009 7:57 AM To: Vijay Kothamasu (vikotham) Cc: openssl-users@openssl.org; Kamalakanta Palei (kpalei); Jagadish Mynampati (jmynampa); Uma Sankar Panda (upanda) Subject: Re: Query on OpenSSL for Certificate verification Then don't return from

Re: Query on OpenSSL for Certificate verification

2009-04-15 Thread Dr. Stephen Henson
On Wed, Apr 15, 2009, Vijay Kothamasu (vikotham) wrote: Hi Kyle, Thanks for your valuable inputs, find my response inline. Then don't return from the original SSL_CTX_set_verify callback until you either: a) receive a valid OCSP response that says it's okay, b) receive a valid OCSP

RE: Query on OpenSSL for Certificate verification

2009-04-15 Thread Vijay Kothamasu (vikotham)
: Wednesday, April 15, 2009 2:40 AM To: Vijay Kothamasu (vikotham) Cc: openssl-users@openssl.org; Kamalakanta Palei (kpalei); Jagadish Mynampati (jmynampa); Uma Sankar Panda (upanda) Subject: Re: Query on OpenSSL for Certificate verification I'd be happy to, if you engage me as a contractor. -Kyle

RE: Query on OpenSSL for Certificate verification

2009-04-14 Thread Vijay Kothamasu (vikotham)
[mailto:aerow...@gmail.com] Sent: Tuesday, April 07, 2009 12:26 PM To: openssl-users@openssl.org Cc: Kamalakanta Palei (kpalei); kvi...@gmail.com; Vijay Kothamasu (vikotham) Subject: Re: Query on OpenSSL for Certificate verification This is a protocol called OCSP, with its designated responder

Re: Query on OpenSSL for Certificate verification

2009-04-14 Thread Kyle Hamilton
; Kamalakanta Palei (kpalei); Jagadish Mynampati (jmynampa); Uma Sankar Panda (upanda) Subject: Re: Query on OpenSSL for Certificate verification Then don't return from the original SSL_CTX_set_verify callback until you either: a) receive a valid OCSP response that says it's okay, b) receive

Re: Query on OpenSSL for Certificate verification

2009-04-14 Thread Victor Duchovni
On Mon, Apr 06, 2009 at 11:56:15PM -0700, Kyle Hamilton wrote: Third, the entire point of X.509 is to allow for clients to have all the information they need to verify certificates in the absence of an online authority. This said, it is now widely understood that this particular entire point

Re: Query on OpenSSL for Certificate verification

2009-04-13 Thread Kyle Hamilton
on OpenSSL for Certificate verification This is a protocol called OCSP, with its designated responder mechanism. If you want to implement it, call the OCSP functions with the DR address and the fields that OCSP needs during the SSL_CTX_set_verify() callback invocation; if you really need

Query on OpenSSL for Certificate verification

2009-04-07 Thread Vijay Kothamasu (vikotham)
Hi, I am just wondering if there is a way to realize the following scenario with the help of the OpenSSL libraries; here is a brief explanation in this regard. - I have a client and server who need to set up a secure connection using TLS/SSL. But as part of

Re: Query on OpenSSL for Certificate verification

2009-04-07 Thread Kyle Hamilton
This is a protocol called OCSP, with its designated responder mechanism. If you want to implement it, call the OCSP functions with the DR address and the fields that OCSP needs during the SSL_CTX_set_verify() callback invocation; if you really need to, create two separate SSL_CTX contexts, one of

certificate verification (with all data in memory)

2009-01-24 Thread Miroslav Kratochvil
Hi all, I've already asked here about a similar thing before, but as things got a little clearer now (I've read through a load of docs and code...), I guess I can formulate my question a little better now. My problem is, roughly, this: - I got some CA certificates loaded in the memory (say, in

certificate verification failed for postfix relayhost

2009-01-23 Thread gabrix
In postfix configuration I have: smtpd_tls_CApath = /etc/postfix/CA/ and I have my selfsigned CA cert on itself in /etc/postfic/ssl/cacert.pem , after this I'm still getting these warnings in mail.log: Jan 10 00:41:58 mail postfix/smtp[10404]: certificate verification failed for smtp.myisp

Re: certificate verification failed for postfix relayhost

2009-01-23 Thread Victor Duchovni
these warnings in mail.log: Jan 10 00:41:58 mail postfix/smtp[10404]: certificate verification failed for smtp.myisp[111.222.222.999]:587: untrusted issuer /C=NO/O=MyISP/CN=MyISP Certification Authority/emailaddress...@myisp Should I stick both certificates on one big file.pem in postfix like

TR: certificate verification with sha256 and squid

2008-12-12 Thread Raphael
Hi all, I am setting up a CA and a reverse proxy https with Squid filtering access to the backend web site. I compiled from source Openssl 0.9.8i on the CA and Squid 2.7 (or 3) servers. I manage to verify the sha256 protected certificate on both computers using : openssl verify -CAFile

Re: TR: certificate verification with sha256 and squid

2008-12-12 Thread Dr. Stephen Henson
On Fri, Dec 12, 2008, Raphael wrote: Hi all, I am setting up a CA and a reverse proxy https with Squid filtering access to the backend web site. I compiled from source Openssl 0.9.8i on the CA and Squid 2.7 (or 3) servers. I manage to verify the sha256 protected certificate on both

Problem related to Peer Certificate verification....

2008-10-22 Thread Ajeet kumar.S
Hi all, Actually we have one CA certificate is provided by service server (That is root certificate in .pem format and .crt format). I used that certificate to verify the peer. I got unknown CA. I saw that certificate was coming from service server having thawte CA and having issuer and subject

Unable to display server certificate if certificate verification fails

2008-10-21 Thread Matthew Franglen
Dear Sir, I am not sure that this is the correct place to post this, but I can find no official bug mailing list, and my searches of your archive do not reveal a solution to this issue. Issue: The openssl s_client utility is unable to display the server certificate if the server

Re: Unable to display server certificate if certificate verification fails

2008-10-21 Thread Dr. Stephen Henson
On Mon, Oct 20, 2008, Matthew Franglen wrote: Issue: The openssl s_client utility is unable to display the server certificate if the server certificate fails verification. Since the server certificate may be desired irrespective of the verification status it should be possible to display

OpenSSL Certificate Verification Error

2008-09-26 Thread Sugandh Rakha
Hi People, I am using a trusted-roots file with Digital Certificates for various servers. But I am unable to connect to one of these servers. The error I see is: X509_V_ERR_CERT_UNTRUSTED Any ideas on what could be wrong? regards, Sugandh

Re: Certificate verification fails on MIPS architecture

2008-05-27 Thread Lutz Jaenicke
Till Elsner wrote: I tried to track down the problem, but it still seems that, when it comes to certificate verification, on the OpenWRT fails what works on a standard linux desktop PC. I wrote a short program that validates certificates, that I'll append to this mail. If someone has some

Re: Certificate verification fails on MIPS architecture

2008-05-26 Thread Till Elsner
On 26.05.2008 at 13:13, Lutz Jaenicke wrote: Till Elsner wrote: Ok, after verifying what platform I'm actually compiling for, it's definitely little-endian (Linksys WRT54G running on Broadcom BCM4712). So what else could be the problem here? On 24.05.2008 at 22:23, Lutz Jänicke wrote: I

Re: Certificate verification fails on MIPS architecture

2008-05-26 Thread Lutz Jaenicke
codes and finally decides about whether a certificate is accepted or not. Unfortunately there is no manual page for X509_verify_cert(), but it is the same function that is used internally for SSL certificate verification and the behaviour and the callback function are described

Re: Certificate verification fails on MIPS architecture

2008-05-26 Thread Till Elsner
Ok, after verifying what platform I'm actually compiling for, it's definitely little-endian (Linksys WRT54G running on Broadcom BCM4712). So what else could be the problem here? On 24.05.2008 at 22:23, Lutz Jänicke wrote: Till Elsner wrote: Hi, I'm running a program using some OpenSSL

Re: Certificate verification fails on MIPS architecture

2008-05-26 Thread Lutz Jaenicke
Till Elsner wrote: Ok, after verifying what platform I'm actually compiling for, it's definitely little-endian (Linksys WRT54G running on Broadcom BCM4712). So what else could be the problem here? On 24.05.2008 at 22:23, Lutz Jänicke wrote: I am not aware of any specific problems of OpenSSL

Re: Certificate verification fails on MIPS architecture

2008-05-26 Thread Till Elsner
I tried to track down the problem, but it still seems that, when it comes to certificate verification, on the OpenWRT fails what works on a standard linux desktop PC. I wrote a short program that validates certificates, that I'll append to this mail. If someone has some MIPSEL platform

Re: Certificate verification fails on MIPS architecture

2008-05-24 Thread Lutz Jänicke
Till Elsner wrote: Hi, I'm running a program using some OpenSSL features for certificate handling on an MIPS architecture (Linksys WRT router with OpenWRT firmware). On an x86 Linux everything works fine, but on the router the certificate verification using X509_verify_cert fails. The
