RE: Client certificate verification

2012-06-29 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Sukalp Bhople Sent: Friday, 29 June, 2012 15:30 I am trying to measure server performance for client certificate verification. However, there is no significant difference in the server performance when I send one certificate and condition when

RE: [FWD] BUG: base64

2012-06-29 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Lutz Jaenicke Sent: Friday, 29 June, 2012 15:10 Forwarded to openssl-users for public discussion (attachment: 80-char lines of base64 that didn't decode) OpenSSL BIO_f_base64 by default tries to nearly enforce the MIME limit of 76 encoded

RE: Client certificate verification: performance

2012-07-02 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Sukalp Bhople Sent: Friday, 29 June, 2012 19:37 Following is the code I used at server side program. while (1) { SSL *ssl = SSL_new(ctx); SSL_set_fd(ssl, clientserver[1]); if (SSL_accept(ssl) != 1) break;

RE: SSL_read, SSL_write confusion

2012-07-02 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Dogan Kurt Sent: Friday, 29 June, 2012 15:14 Hi, i am developing a client app with openssl. I use SSL_read and SSL_write in blocking mode, i just cant figure out something about them, if server sends me 10 kb and i call SSL_read just once, can

RE: Convert PKCS7_decrypt output to char*

2012-07-03 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Mohammad khodaei Sent: Monday, 02 July, 2012 10:05 I want to encrypt and decrypt using PKCS7_encrypt() and PKCS7_decrypt(). I use this procedure to encrypt so that I can retreive the encrypted buffer into a char* (and not into a file). Here is

RE: Convert PKCS7_decrypt output to char*

2012-07-05 Thread Dave Thompson
_ From: Mohammad khodaei [mailto:m_khod...@yahoo.com] Sent: Wednesday, 04 July, 2012 07:12 To: openssl-users@openssl.org; dthomp...@prinpay.com Subject: Re: Convert PKCS7_decrypt output to char* Thanks a lot for the response. I applied the feedbacks you gave me. Now I changed the

RE: What changed in the semantics of the openssl verify command?

2012-07-09 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Peter Eckersley Sent: Monday, 09 July, 2012 19:59 # now try to verify it. Note that allcerts was a poorly chosen directory name. It should have been allCAs... openssl verify -untrusted twitter.com.results_2.pem -CApath ../allcerts/

RE: TS verify: how to fix Verify error:self signed certificate in certificate chain ?

2012-07-09 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Sandro Tosi Sent: Monday, 09 July, 2012 10:15 /usr/bin/openssl ts -verify -sha256 -untrusted CERT -CAfile CA -data FILE TO MARK -in TSA REPLY and the output we get is: 140119872083624:error:2F06D064:time stamp

RE: Openssl s_client connection closes within few seconds

2012-07-09 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Sebastian Raymond Sent: Saturday, 07 July, 2012 05:31 I have set-up the apache2 on my linux machine. Everything worked fine previously. But now, when I try to use openssl s_client command to connect to the machine, SSL handshake is

RE: [PHP] PKCS7_sign and certificate [from] PKCS#12

2012-07-12 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Michal Kuchta Sent: Thursday, 12 July, 2012 10:04 I have a certificate and private key file in the encrypted .p12 file format (I have the password for the file). I need to use it in the [PHP] function PKCS7_sign, which assumes certificates

RE: setting up an openssl client/server connection

2012-07-23 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Matthias Apitz Sent: Sunday, 22 July, 2012 02:54 I'm trying to build openssl keys to be used in a client/server connection and neeed some step by step guide for this, as I'm doing it for the first time. 1)openssl req -out ca.pem -new

RE: Certificate and Certificate request (Using API)

2012-07-25 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Sukalp Bhople Sent: Wednesday, 25 July, 2012 08:45 You will always have to create a certificate request using your private key. True if you're using an external CA, but not if you're doing it yourself. openssl commandline supports both options:

RE: Using Self-Signed Certificates to create SSL connection.

2012-07-26 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Hasan, Rezaul (NSN - US/Arlington Heights) Sent: Thursday, 26 July, 2012 12:02 I have created a self-signed CA certificate, a Client certificate and a Server certificate. I signed the Client and Server certificates with the self-signed CA

RE: Certificate and Certificate request (Using API)

2012-07-26 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Saurabh Pandya Sent: Thursday, 26 July, 2012 02:52 demos/x509/mkcert.c approach: I understood that I dont need to create Certificate signing request (CSR) and I can directly create X509 *My_cert , and sign it with my CA

RE: Certificate and Certificate request (Using API)

2012-07-27 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Saurabh Pandya Sent: Friday, 27 July, 2012 10:21 On 7/27/12, Saurabh Pandya er.saurabhpan...@gmail.com wrote: Do roughly the same thing apps/ca.c does, except you probably don't need all its options but may want some other options:

RE: [openssl] Forming the correct chain for an end entity certificate Reg.

2012-07-29 Thread Dave Thompson
From: Ashok C [mailto:ash@gmail.com] Sent: Saturday, 28 July, 2012 01:21 Thanks Dave. But main use case for me is the trust anchor update case. I have a certain requirement which goes like this: I have a client application which runs on my machine and it will attempt to connect to multiple

RE: strange results after setting utf8 -subj in openssl ca command

2012-07-29 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Pica Pica Contact Sent: Saturday, 28 July, 2012 14:41 My application uses X.509 certificates with commonName field set to following format: number#UserName, Everything is ok when UserName is in ascii, but when I sign new certificates

RE: strange results after setting utf8 -subj in openssl ca command

2012-07-30 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Pica Pica Contact Sent: Monday, 30 July, 2012 13:47 Look at this example: snip This certificate was signed by openssl ca without changing subject, and openssl req did not use BMPString and UCS-2 in this case. CN string contains Georgian 

RE: Tls1.2 Problem with client certificate and RSA_verify

2012-07-30 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Albers, Thorsten Sent: Monday, 30 July, 2012 03:43 snip I also debugged the openssl-server when receiving the message above. The server recognized the correct hash and signature algorithms, but while following the functions to the point

RE: ECDSA testing with s_client/s_server

2012-08-02 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Erik Tkal Sent: Wednesday, 01 August, 2012 16:33 I'm playing around to see if I can observe client and server under various conditions when negotiating TLS 1.2 with newer certs. I created a root and server cert as ecdsa-with-SHA256.

RE: TLS server/client with self-signed certificate

2012-08-02 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Harald Latzko Sent: Thursday, 02 August, 2012 03:03 snip self-signed certificate as attached to this mail (can be retrieved from the TLS server 87.236.105.37:6619). My TLS client uses the following options: SSL_CTX_load_verify_locations(ctx,

RE: TLS server/client with self-signed certificate

2012-08-03 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Harald Latzko Sent: Friday, 03 August, 2012 03:02 Am 03.08.2012 um 03:55 schrieb Dave Thompson: Yes, the hash link (hash.0) exists and after the first connect failed, I double-checked the linked openSSL version against the commandline

RE: [openssl-users] Weird not-so-self-signed certificate

2012-08-06 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Erwann Abalea Sent: Monday, 06 August, 2012 08:06 The given certificate is correctly self-signed, you can manually check it by extracting the signature block and playing with openssl rsautl ..., dd ... | openssl dgst -sha1, etc. It

RE: my code can't connect while openssl s_client can

2012-08-07 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Alexandra Druecke Sent: Tuesday, 07 August, 2012 08:02 I'm using the attached code to connect to a server. This works perfectly until I had to excange the certificate which now needs two additional intermediate certs. All certs are

RE: Certtificate chain broken

2012-08-08 Thread Dave Thompson
From: owner-openssl-...@openssl.org On Behalf Of Mithun Kumar Sent: Wednesday, 08 August, 2012 16:53 Note: individual recipient dropped; that's poor netiquette unless requested, which AFAICS it wasn't. I think this should be -users not -dev, so I added -users back. i will elaborate, for

RE: Meanings of various return codes with non-blocking I/O?

2012-08-09 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of James Marshall Sent: Thursday, 09 August, 2012 19:41 I'm trying to write a secure embedded HTTP server using OpenSSL. I'm using non-blocking I/O, and the main functions I'm using are SSL_accept(), SSL_read(), SSL_write(), and SSL_shutdown().

RE: RC4 test vector with openssl

2012-08-10 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Alexander Voropay Sent: Friday, 10 August, 2012 08:24 How to produce a canonical RC4 test vectors as seen on Wikipedia http://en.wikipedia.org/wiki/Rc4#Test_vectors [or RFC6229, referenced therein] Is it possible to produce this result

RE: CA for IIS-issued self-signed certificate?

2012-08-10 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of CharlesTSR Sent: Friday, 10 August, 2012 16:48 Please bear with me; I'm a real SSL newbie. I am attempting to develop my first SSL program, an SSL/TLS client that will communicate with a commercial SSL server product (Kiwi Server) that

RE: s_server gethostbyname failure

2012-08-13 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills Sent: Monday, 13 August, 2012 11:32 Found some things on the Web that led me to believe some programs choke when they get IPv6 addresses back from gethostbyname(), so I tried disabling IPv6 on Windows -- but no improvement.

RE: CA for IIS-issued self-signed certificate?

2012-08-13 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills Sent: Saturday, 11 August, 2012 08:57 I wondered if perhaps there were path or filename specification problems (need to escape backslashes? a problem with embedded spaces?) but I eliminated all of those variables -- put the

RE: CA for IIS-issued self-signed certificate?

2012-08-14 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills Sent: Tuesday, 14 August, 2012 08:09 snip if your self-signed cert has a KeyUsage extension that does not include certSign, OpenSSL skips it for chain-building, resulting in verify 20. Looks like the latter to me. Please

RE: How do session accept timeout with OpenSSL

2012-08-17 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of CharlesTSR Sent: Tuesday, 14 August, 2012 17:12 You've already followed-up with some, but a few more points: I am porting an existing Windows-based TCP/IP server (receive-only, not a Web server) to OpenSSL. The way it works with TCP/IP

RE: CA-signed certificate reported as self-signed

2012-08-20 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills Sent: Monday, 20 August, 2012 15:32 Sorry to have so many questions ... I create a certificate request. I sign it with openssl.exe ca -in MYNOTEBOOK_server.req.pem -config CMC_root_config.cnf -out MYNOTEBOOK_server.pem

RE: Losing extension Alternative Names on signing

2012-08-20 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills Sent: Monday, 20 August, 2012 16:05 I create a certificate request that includes -reqexts usr_cert. The [ usr_cert ] section specifies two additional names. I display the request and see them: snip I then sign the request

RE: Any security risk in cat-ing certificate and key?

2012-08-21 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills Sent: Tuesday, 21 August, 2012 14:41 The O'Reilly OpenSSL book - in some examples but not others - cat's the certificate and key together and then just uses that one file as both certificate_chain_file and PrivateKey_file.

RE: What is the Java equivalent of openssl smime binary ?

2012-08-21 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Bart W Jenkins Sent: Monday, 20 August, 2012 09:15 I've created a prototype, in Java that creates an s/mime file, and now I need to convert that to the equivalent of what the binary switch does when using openssl. The command in openssl is:

RE: Using variable length Blowfish key with command line

2012-08-21 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Nathan McCrina Sent: Tuesday, 21 August, 2012 21:31 snip I'm using 'openssl enc' on the command line to check my [Blowfish]. However, the man page seems to indicate that it is only possible to use 128-bit keys with the openssl Blowfish. Is

RE: About the encrypted premaster length.

2012-08-22 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Tayade, Nilesh Sent: Wednesday, 22 August, 2012 16:13 The 'Client Key Exchange' packet carries the encrypted premaster. I am working on utility for decrypting the data and supported cipher suites are RC4_128_MD5 and RC4_128_SHA. Only for

RE: Convert symmetrically encrypted content to base64

2012-08-24 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Bjoern Schiessle Sent: Friday, 24 August, 2012 12:14 snip Now I'm trying the implement the function which does exactly the opposite: Take the public and private key in the PEM format from the server and import it in a RSA structure: Note

RE: OpenSSL on beagleboard

2012-08-27 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Paulo Roberto Sent: Monday, 27 August, 2012 18:37 Can no one help me? Isn't there a way of specifying the local the openssl is installed? You mean location i.e. in the file system? As far as I know packages on most Linuxes, including ubuntu,

RE: OpenSSL on beagleboard

2012-08-27 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Paulo Roberto Sent: Monday, 27 August, 2012 20:21 Okay, this time you did post the error. When I use the command gcc teste.c -lssl -o teste: /tmp/ccyvrO2i.o: In function `main': rsa.c:(.text+0x8): undefined reference to `BN_new' snip many more

RE: crash when calling ERR_print_errors_fp()

2012-08-30 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Mithun Kumar Sent: Thursday, 30 August, 2012 08:32 cryptlib.h #ifdef OPENSSL_USE_APPLINK #define BIO_FLAGS_UPLINK 0x8000 #include ms/uplink.h #endif On Thu, Aug 30, 2012 at 6:00 PM, Mithun Kumar mithunsi...@gmail.com wrote: i am extremely

RE: need help on handshake failure

2012-08-30 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Mithun Kumar Sent: Thursday, 30 August, 2012 02:04 Also when i use s_client tool it just hangs with following output. Any input on how to get full handshake dump? ... openssl s_client -connect ... -state -debug -msg CONNECTED(0003)

RE: OpenSSL migration - Linking issues

2012-08-31 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Hankyaku Sent: Friday, 31 August, 2012 05:29 I'm working on a bigger poject where openSSL is used. Right now I'm doing the migration from 1.0.0e to 1.0.1c. On the way I get a number of linking errors, like: ssleay32.lib(ssl_sess.obj) :

RE: Creating a SSH Key pair - public and private for my Windows 2008 server app so it can communicate with a partner sftp site

2012-08-31 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills Sent: Friday, 31 August, 2012 12:39 To: openssl-users@openssl.org Subject: RE: Creating a SSH Key pair - public and private for my Windows 2008 server app so it can communicate with a partner sftp site You can do this with

RE: need help on handshake failure

2012-08-31 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Mithun Kumar Sent: Thursday, 30 August, 2012 19:50 openssl s_client -connect NC-WIN2008X64:1433 -state -debug -msg -ssl3 CONNECTED(0003) SSL_connect:before/connect initialization write to 08A018A8 [08A0B660] (100 bytes = 100 (0x64)) snip

RE: SSL_CTX_set_default_verify_paths and Windows?

2012-08-31 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills Sent: Friday, 31 August, 2012 12:00 To: openssl-users@openssl.org Subject: SSL_CTX_set_default_verify_paths and Windows? Is there documentation for SSL_CTX_set_default_verify_paths()? It's declared here

RE: TLS problem with 1.x, not happening with 0.9

2012-09-02 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Richard Levenberg Sent: Sunday, 02 September, 2012 13:30 The error with both OpenSSL 1.0.0e 6 Sep 2011 and OpenSSL 1.0.1c 10 May 2012 is: 3076311816:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1251:SSL

RE: PEM_read_bio_RSA_PUBKEY

2012-09-03 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Carolin Latze Sent: Monday, 03 September, 2012 13:39 I try to send an RSA public from one entity to another using socket BIOs. I use PEM_write_bio_RSA_PUBKEY and PEM_read_bio_RSA_PUBKEY to do that. I also tried with

RE: how to extract an RSA public key

2012-09-03 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Carolin Latze Sent: Monday, 03 September, 2012 10:48 I guess I just got it if the only way is to use the PEM API? Hi all, is there an API call that allows to extract an RSA public key (out of an RSA structure) or should I just access

RE: PEM_read_bio_RSA_PUBKEY

2012-09-04 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Carolin Latze Sent: Tuesday, 04 September, 2012 08:03 I went on reading about this error and figured out that the socket bio does not support the BIO_gets method. Is it possible that PEM_read_bio_RSA_PUBKEY uses BIO_gets internally and is

RE: crash when calling ERR_print_errors_fp()

2012-09-06 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Mithun Kumar Sent: Thursday, 06 September, 2012 16:29 When i give file pointer as input to API(ERR_print_errors_fp()) nothing is getting written to the FILE during a SSL handshake failure. Any inputs why things are failing. If you are

RE: Confused: different results on different OSs

2012-09-07 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Ben White Sent: Friday, 07 September, 2012 13:01 snipusing gSOAP with opensslsnip Everything works fine on my build system (Fedora 17 x64), but when I run the cross compiled version on my target device (ARM/Montavista 5), I get the following

RE: Enabling Logging in OpenSSL

2012-09-10 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Mithun Kumar Sent: Monday, 10 September, 2012 01:56 Answering -users only, this isn't a -dev question. I have a challenge befor me where i have to debug a SSL handshake failure. Client has OpenSSL libraries and Server is Microsoft SQL Server.

RE: Enabling Logging in OpenSSL

2012-09-10 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Mithun Kumar Sent: Monday, 10 September, 2012 08:17 On Mon, Sep 10, 2012 at 1:52 PM, Dave Thompson dthomp...@prinpay.com wrote: 2. If it's a handshake failure, can you use commandline s_client? That has logging builtin, use -msg

RE: Confused: different results on different OSs

2012-09-10 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Ben White Sent: Monday, 10 September, 2012 06:17 snip my previous advice, can't easily reformat Calling openssl with the -CApath pointing to the certificate store resolves this issue, so it's definitely related to this. However, there seems to

RE: Enabling Logging in OpenSSL

2012-09-11 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Mithun Kumar Sent: Tuesday, 11 September, 2012 02:10 On Tue, Sep 11, 2012 at 8:08 AM, Dave Thompson dthomp...@prinpay.com wrote: snip I didn't notice before, but 1433 on Windows is usually SQLServer. If so, SQLServer doesn't start

RE: HTTPS connection hangs during SSL handshake

2012-09-11 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Leonardo Laface de Almeida Sent: Tuesday, 11 September, 2012 10:08 To: openssl-users@openssl.org For any SSL connection, you have to assure that: 1- The cpu's can reach each other (the hostname test.mydomain.com must be also resolved).

RE: Enabling Logging in OpenSSL

2012-09-17 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Mithun Kumar Sent: Friday, 14 September, 2012 20:53 On the issue i am working currently after i connect to a SQL Server, Client hello is sent successfully but I am not getting server hello and READ() below returns as highlighted. Looks like

RE: Converting BIO* to PKCS7*

2012-09-17 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Mohammad Khodaei Sent: Monday, 17 September, 2012 05:01 I've got a problem regarding BIO* to PKCS7* conversion. I want to call PKCS7_decrypt() function to decrypt a cipher text. Before that, I have this section of code: in =

RE: Converting BIO* to PKCS7*

2012-09-18 Thread Dave Thompson
From: Mohammad khodaei [mailto:m_khod...@yahoo.com] Sent: Tuesday, 18 September, 2012 06:52 Thanks for the response. The encryption is also done by me. I have generated the cipher text as below: in = BIO_new_mem_buf(pchContent, iPriKeyLen); if (!in) { // p7 =

RE: Enabling Logging in OpenSSL

2012-09-18 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Mithun Kumar Sent: Tuesday, 18 September, 2012 00:37 Hello Dave, Below is what i see in Server Logs Encryption is required to connect to this server but the client library does not support encryption; the connection has been closed.

RE: Openssl ca application

2012-09-20 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of James Burton Sent: Tuesday, 18 September, 2012 15:15 Can you tell me what I am doing wrong , I am build a window application ( .exe ) and I got this error: igncl.exe sign.c Microsoft (R) C/C++ Optimizing Compiler Version 17.00.50727.1 for x64

RE: Handshake failure while trying to connect to imap.gmail.com

2012-09-20 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of ckyh43 Sent: Thursday, 20 September, 2012 04:50 I am unable to connect to the Gmail IMAP server with the OpenSSL s_client. snip Debug output (from the second command): http://pastebin.com/raw.php?i=BJumtDHV (sent ClientHello see below,

RE: SSL Record layer size

2012-09-21 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Sharanagoud B D Sent: Friday, 21 September, 2012 02:03 Hi All, Can anyone tell me how to increase the SSL record layer length size? I assume you mean the maximum size (or limit) of 2^14 bytes. You set the length of a particular record you

RE: Intermediate certificate verification

2012-09-21 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Nou Dadoun Sent: Friday, 21 September, 2012 15:29 Just wanted to confirm an assumption, I've got 3 x509 certificates: Root -- intermediate -- leaf I load the intermediate certificate (but not the Root certificate) into the x509_store

RE: Creating Openssl certs and using them with Glassfish

2012-09-25 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Gloria Binette Sent: Tuesday, 25 September, 2012 07:42 I have been tasked with using OpenSSL to create certificates and then use them with Glassfish. I have created the CA, CSRs and CRTs, have tried various ways to import them into

RE: SSL mode flags - verification of certificates: is it safe to use none?

2012-09-25 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of David William Sent: Tuesday, 25 September, 2012 07:07 I am writing a soap request and I am using SSL_VERIFY_NONE flag mode because that was the only way that I could actually do the request to the server. I tried the others mode flags

RE: Server closes connection depending on ClientHello cipher order

2012-09-26 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Bogdan Harjoc Sent: Wednesday, 26 September, 2012 12:23 I'm looking for the reason a server closes a SSL connection unless I overwrite this cipher id from the ClientHello cipher list: (more exactly, improperly closes during handshake; close[]

RE: openssl client/server connection

2012-09-26 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of sa...@zxid.org Sent: Wednesday, 26 September, 2012 06:46 Matthias Apitz g...@unixarea.de said: and was a bit surprised that the connection went fine and the wserver accepts the SSL connection and responds fine with its dummy message.

RE: Documentation for TXT_DB errors?

2012-10-01 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills Sent: Monday, 01 October, 2012 10:12 Is there specific documentation anywhere for TXT_DB errors? AFAIK only $sourcetree/crypto/txt_db/txt_db.h Unlike most(?) other modules in openssl, txt_db does NOT use the ERR_ module with

RE: Server closes connection depending on ClientHello cipher order

2012-10-02 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Bogdan Harjoc Sent: Thursday, 27 September, 2012 11:19 On Thu, Sep 27, 2012 at 1:43 AM, Dave Thompson dthomp...@prinpay.com wrote: What version of openssl, and was it built with any options? snip I tried with 1.0.0d and 1.0.1c. I

RE: Documentation for TXT_DB errors?

2012-10-02 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills Sent: Tuesday, 02 October, 2012 17:06 I deleted index.txt and reset serial.txt to 00 and that solved the problem. Hope that was not a terrible idea. If this was play data as said it shouldn't hurt, but I'm not sure it's a

RE: exception when using Self Signed Certificate

2012-10-04 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Mithun Kumar Sent: Thursday, 04 October, 2012 14:31 I have a self signed certificate created and i have loaded that into a trust store of the client. I have also configured the Server with that self signed certificate. So when i try to

RE: How to store multiple signatures in a file

2012-10-05 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Henrik Grindal Bakken Sent: Friday, 05 October, 2012 03:47 Hi. I have a list of (RSA) signatures made on the same digest, and I'd like to store them in a single file. A simple solution is obviously to e.g. store the length of sig0 (32

RE: Where is the string SSL23_GET_SERVER_HELLO generated?

2012-10-05 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Dongcai Shen / Xiaoli Shen Sent: Thursday, 04 October, 2012 04:57 I am a newbie of using openssl and would like to seek help from you. Thank you very much. A common error message printed out by openssl is: 140770FC:SSL

RE: Best practice for client cert name checking

2012-10-08 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Jeffrey Walton Sent: Saturday, 06 October, 2012 19:11 On Sat, Oct 6, 2012 at 5:41 PM, Charles Mills charl...@mcn.org wrote: Thanks. I'm a relative newbie to this whole topic. Can you point me to a resource that describes pin in the sense

RE: simple server with using openssl

2012-10-08 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Matthias Apitz Sent: Sunday, 07 October, 2012 02:36 El día Saturday, October 06, 2012 a las 01:37:06PM -0400, Indtiny s escribió: Hi, Thanks for the information .. I get the server part from the this link

RE: How to place signature into an X509 format

2012-10-08 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of redpath Sent: Saturday, 06 October, 2012 18:59 I have created EC Digital Signature and saved it in a file. snip And I use this signature file to verify a message digest later using a public key. snip You don't say, but I assume this

RE: SSL_accept fails with bad certificate error

2012-10-10 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Derek Cole Sent: Tuesday, 09 October, 2012 21:12 I am trying to write a server that will accept an incoming SSL connection. In psuedo, I have the following chain of function calls SSL_CTX_load_verify_locations(ctx,

RE: Best practice for client cert name checking

2012-10-10 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills Sent: Monday, 08 October, 2012 07:47 Dave, any thoughts on my original question? My thread kind of got hi-jacked. Not much, but since you ask: -Original Message- From: Charles Mills [mailto:charl...@mcn.org] Sent:

RE: SSL Certificate cache

2012-10-10 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Sharanagoud B D Sent: Tuesday, 09 October, 2012 06:25 How to check in Linux client device whether the certificate used is cached or it's from the server? I am using openssl s_client to establish http connection. By the certificate used

RE: SSL Certificate Caching

2012-10-10 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Sharanagoud B D Sent: Tuesday, 09 October, 2012 06:39 Is there a option to specify a source interface along with openssl s_cleint option to establish multiple HTTP Connections from single linux device? This is required to test

RE: Generating rsakey using openssl as lib

2012-10-11 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Leonardo Laface de Almeida Sent: Thursday, 11 October, 2012 14:04 I have an application which already establishes SSL Socket connection using OpenSSL as lib. Now, my application needs to able the user create a RSA key pair, sign documents and

RE: PKCS7 open and extract signature

2012-10-11 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Jakob Bohm Sent: Thursday, 11 October, 2012 10:45 On 10/11/2012 4:16 PM, redpath wrote: Well the situation is I have a file which has been signed for its contents. This signature is used to verify the authentication of the file. The

RE: SSL Certificate cache

2012-10-11 Thread Dave Thompson
. But that skips the only usage of certs in the protocol, namely for authentication, so it seems unlikely to be what you want. Thanks, Sharan -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson Sent: Thursday, October

RE: Firefox unhappy with my self signed Cert

2012-10-11 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Derek Cole Sent: Thursday, 11 October, 2012 19:03 i have a server that is running a custom app that can accept a SSL connection. I generate a cert on each server, that is signed by my own CA. I tested whether this worked or not by using the

RE: Firefox unhappy with my self signed Cert

2012-10-11 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills Sent: Thursday, 11 October, 2012 19:40 Some minor points: How do you specify the name (URL) of the Web site in Firefox? Do you use exactly the same name as you use with the test client (and the name in the certificate)? OP's

RE: Firefox unhappy with my self signed Cert

2012-10-12 Thread Dave Thompson
parameters needed for req -new on the commandline you don't need a config file for that. Since 1.0.0 -new demands a config file even if not needed. On Thu, Oct 11, 2012 at 7:55 PM, Dave Thompson dthomp...@prinpay.com wrote: snip: name(s) in cert must match host desired by client like Firefox

RE: SSL_connect with pselect failing

2012-10-14 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Derek Cole Sent: Sunday, 14 October, 2012 17:36 I am trying to use SSL_connect. I have bound a socket to my interface, set up the context, and call SSL_connect(). This is returning a -1, which I catch, and call SSL_get_error() to fall through a

RE: Encryption algorithm

2012-10-14 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Alex Chen Sent: Friday, 12 October, 2012 21:31 The 'openssl cipher -v' command shows the following cipher suites: snip If both the client and server uses the sample version of openssl library and they only calls OpenSSL_add_all_algorithms() to

RE: Firefox unhappy with my self signed Cert

2012-10-14 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Derek Cole Sent: Friday, 12 October, 2012 17:06 Interesting. While I was playing around with this, I actually noticed that if I use the -subj option on the CSR, I am not able to do this. I was able to get it working by adding the common name

RE: win32 exe linked with -lssl -lcrypt

2012-10-14 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of ml Sent: Sunday, 14 October, 2012 17:54 i am a little question concerning the presence of libssl.dll libcrypt.dll into the win32 standard system or OS into linux this lib are very standard its the same when are the poor win32 OS is ready

RE: Keys for des-ede encryption

2012-10-14 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of naveen Sent: Saturday, 13 October, 2012 21:59 I have a question related to openssl. I need to give two keys k1 and k2 for ede encryption(for des). Now how do I give it in the command line ? I see that there is a pass parameter and iv parameter,

RE: openssl function to convert pkcs#8

2012-10-15 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Sanjay Patnaik (sanpatna) Sent: Friday, 12 October, 2012 16:29 Is there any documentation available for functions like PEM_read_PrivateKey, Pem_write_PrivateKey etc. On any correct Unix install you should have man pages. Or online at

RE: Firefox unhappy with my self signed Cert

2012-10-16 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Derek Cole Sent: Friday, 12 October, 2012 11:51 As some additional info, I am suspecting this may be an issue with my config file. I am using the same config file I used to set up my certificate authority, which has under [ req ] a

RE: Generating rsakey using openssl as lib

2012-10-16 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Leonardo Laface de Almeida Sent: Monday, 15 October, 2012 15:14 I was following the main function in genpkey.c file and following the same sequence for generating key pair. I've got some executing erros that took me some hours to get it.

RE: Building an exportable OpenSSL application

2012-10-16 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills Sent: Tuesday, 16 October, 2012 11:41 If you are linking to OpenSSL DLLs, then your application isn't statically linked against OpenSSL. .lib files can simply be references to exports in .dll files. This is an

RE: reading IP addresses from Subject Alternate Name extension

2012-10-18 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of shailesh durgapal Sent: Tuesday, 16 October, 2012 17:14 I am seeing inconsistent values returned from BIO_read for different IP addresses. My certificate has: X509v3 extensions: X509v3 Subject Alternative Name:

RE: Generating rsakey using openssl as lib

2012-10-18 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Leonardo Laface de Almeida Sent: Tuesday, 16 October, 2012 17:06 Does your library dynamically-link the openssl libs, or statically embed them (while being dynamic itself)? library dynamically-link the openssl libs. My lib already uses

  1   2   3   4   5   6   7   8   9   10   >