Nit: redundant leading 00 (or FF) in an INTEGER is VALID *B*ER
but INVALID *D*ER. And signed things like certs are *D*ER
for exactly this reason, so a reconstructed encoding is
bit for bit identical and hashes and signatures etc. work.
BER is already "distinguished" concerning the content o
Today, the 4th day before the Kalends of September 2010, Mounir IDRASSI wrote:
[...]
> Specifically, Peter Gutmann in his X.509 Style Guide says this about this
> field : "If you're writing certificate-handling code, just treat the
> serial number as a blob which happens to be an encoded integer".
This is the kind of advice th
Greetings
I have another problem with certificate verification. I get the same
error as always with a testing CA we created... we have issued a
certificate signed by this CA but we get the same error:
*error 20 at 0 depth lookup:unable to get local issuer certificate*
After checking if t
Today, the 3rd day before the Kalends of September 2010, Tomás Tormo wrote:
[...]
>[amsterdam:/morralla/ttormo/ACIndenova]# openssl x509 -in acindenova.cer
>-text
[...]
> Not Before: Dec 8 08:31:12 2006 GMT
> Not After : Dec 5 08:41:12 2016 GMT
[...]
>[amsterdam:/test]# openssl x509
On Mon, Aug 30, 2010, Tomás Tormo wrote:
>
> Finally, I checked the Authority Key Identifier of the EE certificate but
> it looks good to me...
>
> /[amsterdam:/test]# openssl x509 -in admesigna.cer -text
>
> keyid:B2:D2:89:54:6C:14:8E:84:CC:F4:DA:26:6A:45:9C:27:A9:5C:02:CF
>
On Sun, 29. 08 2010. at 04:17 +0200, Mounir IDRASSI wrote:
>
> After some digging, I found that part of the problem is caused by the
> functions c2i_ASN1_INTEGER and d2i_ASN1_UINTEGER in file
> crypto\asn1\a_int.c. At lines 244 and 314, there is an if block that
> removes any leading zeros. Comment
Today, the 3rd day before the Kalends of September 2010, Goran Rakic wrote:
[...]
> I read the other messages in this thread, but I am not an expert in the
> field so I do not know if openssl should add a support for "incorrect"
> serial numbers. In RFC 3280 there is a note about "Non-conforming CAs"
> where section "4.1.2.2 S
Dave,
Thank you for the clarification on HTTP keep-alives.
I have just now fixed the bug. The source of the problem was an
SSL_read call on the client half of the proxy. This was triggering an error
SSL_ERROR_SYSCALL with a ret of zero. According to the documentation this
is normally c
On Mon, Aug 30, 2010, Goran Rakic wrote:
> On Sun, 29. 08 2010. at 04:17 +0200, Mounir IDRASSI wrote:
> >
> > After some digging, I found that part of the problem is caused by the
> > functions c2i_ASN1_INTEGER and d2i_ASN1_UINTEGER in file
> > crypto\asn1\a_int.c. At lines 244 and 314, th
On Mon, 30. 08 2010. at 20:38 +0200, Dr. Stephen Henson wrote:
>
> I wouldn't advise changing the code in that way (FYI I wrote it). The normal
> workaround in OpenSSL for broken encodings is to use the original encoding
> by caching it. The attached three line patch adds this workaround for
> certifi
Hi,
Sorry I made a mistake with question 3 due to my misunderstanding of
"plaintext". It is actually the same question as question 1.
Actually I can control the TLS record size when calling SSL_write by
restricting the buffer size of each iterative. However, I couldn't control
the size in commun
On Mon, Aug 30, 2010, Goran Rakic wrote:
> On Mon, 30. 08 2010. at 20:38 +0200, Dr. Stephen Henson wrote:
> >
> > I wouldn't advise changing the code in that way (FYI I wrote it). The normal
> > workaround in OpenSSL for broken encodings is to use the original encoding
> > by caching it. The