Re: Firefox unhappy with my self signed Cert

2012-10-11 Thread Graham Leggett
On 12 Oct 2012, at 1:03 AM, Derek Cole derek.c...@gmail.com wrote: I installed my_server_cert.pem as a trusted authority in firefox, however, it still prompts that it is an Untrusted Connection and has the button to add security exception. When I click this button, I noticed that under

Re: Firefox unhappy with my self signed Cert

2012-10-11 Thread Graham Leggett
On 12 Oct 2012, at 1:40 AM, Charles Mills charl...@mcn.org wrote: How do you specify the name (URL) of the Web site in Firefox? Do you use exactly the same name as you use with the test client (and the name in the certificate)? Firefox is saying the certificate is for myserver but you

Re: Mac OS X and SSL Client Certificates

2012-10-12 Thread Graham Leggett
On 12 Oct 2012, at 3:59 PM, Tom Browder tom.brow...@gmail.com wrote: I have successfully generated SSL client certs (generated with openssl 1.0.1c) used by Safari, Firefox, and Chrome on Linux and Windows plus IE 9 on Windows, but I cannot get successful access with either Safari or Firefox

MIME types for PEM encoded CRLs

2012-10-27 Thread Graham Leggett
Hi all, I understand as per RFC2585 that the MIME type for a CRL is application/pkix-crl, but I am struggling to figure out whether there is a way to specify using MIME types and/or content negotiation whether the CRL is PEM encoded or DER encoded. Is there a Content-Encoding for PEM

Re: MIME types for PEM encoded CRLs

2012-10-27 Thread Graham Leggett
On 27 Oct 2012, at 2:18 PM, Stefan H. Holek ste...@epy.co.at wrote: I understand as per RFC2585 that the MIME type for a CRL is application/pkix-crl, but I am struggling to figure out whether there is a way to specify using MIME types and/or content negotiation whether the CRL is PEM

Find the difference in (milli|micro)seconds between two ASN1_TIME values

2012-11-07 Thread Graham Leggett
Hi all, I would like to know how long a CRL has until it expires in seconds (or milli or microseconds, don't care, I can convert), and am struggling to find a formally supported way to do this. What I would like to do is return the difference between a given ASN1_TIME and the current time, or

Re: Find the difference in (milli|micro)seconds between two ASN1_TIME values

2012-11-07 Thread Graham Leggett
On 07 Nov 2012, at 3:57 PM, Jakob Bohm jb-open...@wisemo.com wrote: Look in the code that checks certificates for expiry (during certificate validation), it probably calls an appropriate subroutine on the expiry date in the X509 cert. Already did that, the function you're referring to is

Re: Find the difference in (milli|micro)seconds between two ASN1_TIME values

2012-11-07 Thread Graham Leggett
On 07 Nov 2012, at 4:08 PM, Dirk-Willem van Gulik di...@webweaving.org wrote: The bit of code I stole from x509/x509_vfy.c works for me. Dw. if(!(X509_CRL_get_nextUpdate(crl)) return -1; int i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime); if (i

Re: Find the difference in (milli|micro)seconds between two ASN1_TIME values

2012-11-07 Thread Graham Leggett
On 07 Nov 2012, at 4:50 PM, Ted Byers r.ted.by...@gmail.com wrote: Why does it need to be something in openssl? Ideally because it needs to be as secure as openssl. I'm after an accurate time duration between two ASN1_TIME values, that is not dependent on local conditions, or any external

Re: Need input for Certificate generation

2012-11-16 Thread Graham Leggett
On 16 Nov 2012, at 4:36 AM, Jeffrey Walton noloa...@gmail.com wrote: On Thu, Nov 15, 2012 at 10:41 AM, Jeffrey Walton noloa...@gmail.com wrote: On Thu, Nov 15, 2012 at 6:03 AM, Pravesh Rai pravesh@gmail.com wrote: CryptGenRandom(hCryptProv, SEED_SIZE, buf); // On Windows OS

Re: Usage of d2i_RSA_PUBKEY function!!

2012-11-16 Thread Graham Leggett
On 16 Nov 2012, at 4:37 PM, PraveenPVS meetpraveen...@gmail.com wrote: I need to load RSA Public key which is stored in the char buffer. I came across d2i_RSA_PUBKEY function to do the same (Please correct me if I am wrong here). The d2i in the function you're trying to use means from DER

Re: SNI: What *doesn’t* support it?

2013-04-19 Thread Graham Leggett
On 19 Apr 2013, at 21:06, Felipe Gasper fel...@felipegasper.com wrote: What are the big things out there that still don’t have SNI support? As far as I know: CentOS 5 (by default) Android 2.x original iPhone iPod Touch IE on WinXP I’m looking for “major obstacles to

Re: How to securely encrypt identical files to identical ciphertext?

2013-08-17 Thread Graham Leggett
On 17 Aug 2013, at 06:03, Unga unga...@yahoo.com wrote: My encrypted file is with you. It is encrypted without a salt. I'm scared you may use a sophisticated system to decrypt it and read the sensitive info. I use a per file not guessable 150 character password. This password is not

Re: Consequences to draw from the latest Snowden revelations?

2013-09-07 Thread Graham Leggett
On 07 Sep 2013, at 11:26 PM, Steve Marquess marqu...@opensslfoundation.com wrote: Note that Dual EC DRBG is *NOT* used by default and a calling application must specifically and deliberately enable it; that cannot be done accidentally. Any application which does so will hopefully be fully

openssl pkcs12: use of caname option

2013-10-09 Thread Graham Leggett
Hi all, I have a cert, a CA cert, and N intermediate certificates, each in three separate files. I don't know the value of N during this process. What I need to do is combine these certs into a P12 file, but crucially I need to give the cert and the CA cert very specific nicknames for further

Verifying all subjects in a certificate chain

2014-01-13 Thread Graham Leggett
Hi all, In a typical client certificate scenario, you might verify that a certificate chain is complete, not expired, and trusted by a root certificate. If you were to choose a way to authorize the certificate over and above the check that the cert is valid, you might store its subject in a

ASN1_generate_v3: reading X509 extension via the API

2014-01-17 Thread Graham Leggett
Hi all, I am trying to load the name and value of an X509 extension programmatically via the API (in other words, the openssl.cnf file isn't being used), and I am struggling with openssl telling me that the tag doesn't exist. The extension I want to load has the name keyUsage and value

Re: ASN1_generate_v3: reading X509 extension via the API

2014-01-18 Thread Graham Leggett
On 18 Jan 2014, at 4:09 AM, Graham Leggett minf...@sharp.fm wrote: I am trying to load the name and value of an X509 extension programmatically via the API (in other words, the openssl.cnf file isn't being used), and I am struggling with openssl telling me that the tag doesn't exist

Re: ASN1_generate_v3: reading X509 extension via the API

2014-01-18 Thread Graham Leggett
On 18 Jan 2014, at 2:25 PM, Dr. Stephen Henson st...@openssl.org wrote: Have a look at demos/x509/mkcert.c I eventually found it was as simple as this: *extension = X509V3_EXT_conf(NULL, NULL, (char *)name, (char *)val); What threw me was whether it was ok to pass NULL or not (it is).

OpenSSL support for RFC2898 / PBKDF2

2008-09-03 Thread Graham Leggett
Hi all, According to the man page for EVP_BytesToKey, Newer applications should use more standard algorithms such as PKCS#5 v2.0 for key derivation. Unfortunately the man page stops there, and doesn't give a clue as to which openssl function should be used to derive a key in a compliant way.

Re: OpenSSL support for RFC2898 / PBKDF2

2008-09-04 Thread Graham Leggett
[EMAIL PROTECTED] wrote: Does openssl support RFC2898, and if so, what function should I be looking at? PKCS5_PBKDF2_HMAC_SHA1() This function seems to be undocumented: int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen, unsigned char *salt, int saltlen, int

EVP_aes_256_ecb and EVP_CIPHER_iv_length()

2008-09-07 Thread Graham Leggett
Hi all, I have found an anomaly in the EVP code with an ECB cipher which is claiming to have an IV length greater than zero. I am under the understanding that all ECB algorithms should have an IV size of zero - is that correct? The gdb trace is shown below - is this a potential bug or am I

Re: why build shared openssl

2008-10-23 Thread Graham Leggett
Julian wrote: Never ship a Shared OpenSSL library. Anyone can rebuild it to output the socket buffer to disk prior to encryption and replace yours. If someone can do that, you've been owned already, compiling it static won't make any practical difference. Regards, Graham

Re: why build shared openssl

2008-10-23 Thread Graham Leggett
csross wrote: I don't know what is the purpose of building openssl shared. I am building apache with ssl statically built in. What does building a shared openssl give me? The ability to upgrade openssl without having to recompile anything else. Regards, Graham

Re: how to trace aes quickly?

2009-02-17 Thread Graham Leggett
Victor Duchovni wrote: Because in almost all cases that's exactly the right advice. The cryptography learning that is sufficient and desirable is from books such as Applied Cryptography which cover protocols and algorithms at a high level. Studying the implementation or creating one's own

Re: how to trace aes quickly?

2009-02-19 Thread Graham Leggett
loody wrote: Is there sample code or document I can realize how to use EVP? On MacOSX, the normal man pages document the API for EVP*, I assume it is the same on the other unix environments. apropos EVP should get you started. Regards, Graham

Re: self-signed cert without private key file

2009-03-20 Thread Graham Leggett
carock wrote: Can the same process be duplicated without going commercial? I need a certificate that doesn't use a FQDN for the common name and I haven't found a commercial one that allows that. Set up your own CA, and issue your own certificates to your own requirements. The problem then

Re: self-signed cert without private key file

2009-03-20 Thread Graham Leggett
carock wrote: Unfortunately, I'm dealing with an HP Proliant server. Specifically the iLO interface which is a backend management device embedded in the server. This device has its own SSL cert from the factory. With the latest rounds of updates from Firefox, that browser now complains my

Re: Encrypting 32/64 bit integers

2009-09-21 Thread Graham Leggett
Peter Wilkes wrote: so we ran this with a 64 bit int and noticed that 128 bits comes out. can we safely ignore the other 64 bits? why are we getting 128 bits out? Ciphers generally encrypt data in fixed-width blocks, which means you'll end up with a final encrypted cyphertext of a multiple of

Re: General question about documentation

2009-11-24 Thread Graham Leggett
Tim Ward wrote: Yes indeed. This is why I often go for commercial software in preference to free - it took me a day and a half to get a working Visual Studio 2005 debug DLL built, at a cost to my client of ... er ... well ... none of anyone else's business really, but lots more than any

Re: General question about documentation

2009-12-01 Thread Graham Leggett
Kenneth Goldman wrote: 1 - Reading the source is only as reliable as the skill of the reader and the comments in the code. I'd rather have the answers than a research project. So would I. But far too often, in code of all kinds, this documentation doesn't exist. As an investor I would far

Re: General question about documentation

2009-12-01 Thread Graham Leggett
Randy Turner wrote: As an investor, I would rather have my coders use a product with documentation to make progress on the actual goals of the product, rather than reverse-engineer the information they're trying to look for. Obviously, as I already stated below: So would I. Regards,

Re: SHA-1() question

2009-12-02 Thread Graham Leggett
Sebastián Treu wrote: are these equivalent to each others? or should I use the openssl toolkit? I ask this cause sha1sum results are 41 bytes long. the SHA-1() doc says 20 bytes for output. Check whether the binary sha1 hashes are being encoded along the way. A common way to encode sha1 hashes

Coaxing an error message out of PKCS7_verify()

2010-03-06 Thread Graham Leggett
Hi all, I am currently struggling to get to the bottom of a problem verifying a PKCS7 message, and before I can make any headway, I need access to the error message. The error message I am getting is this: error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error which, given

Re: Coaxing an error message out of PKCS7_verify()

2010-03-06 Thread Graham Leggett
On 07 Mar 2010, at 12:13 AM, Graham Leggett wrote: Can anyone tell me what function I should be using to retrieve the error saved by ERR_add_error_data()? After some reverse engineering, it turns out ERR_get_error_line_data() does the trick. It was the file and line parameters that threw

PKCS7_verify() and being valid on a certain date

2010-03-06 Thread Graham Leggett
Hi all, Now that I have my full error message, the problem I have is that the verification is failing because the certificate has expired: error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error: Verify error:certificate has expired The error message is correct - the

Re: Apache client certificate authentication

2010-03-20 Thread Graham Leggett
On 2010/03/20 6:55 PM, Nuno Gonçalves wrote: Questions: Is normal that firefox hangs when it doesn't have a valid certificate to provide? Openssl output looks OK?(or the error in the end is a exception?) I am not 100% sure of the details, but I do recall a hang being a symptom of using a

Loading a CRL from RAM (and not from file or directory)

2011-01-21 Thread Graham Leggett
Hi all, I am trying to load a CRL, and currently my options seem to be choosing one of the following: X509_STORE_add_lookup(certstore, X509_LOOKUP_hash_dir()) X509_STORE_add_lookup(certstore, X509_LOOKUP_file()) The dilemma I face is that I need to do this in a non blocking fashion in an

Re: Loading a CRL from RAM (and not from file or directory)

2011-01-21 Thread Graham Leggett
On 21 Jan 2011, at 7:20 PM, Dr. Stephen Henson wrote: You can read the CRL into an X509_CRL structure using d2i_X509_CRL() or the PEM functions using a memory BIO. Once you have the X509_CRL structure you can add the CRL with X509_STORE_add_crl(). When reading a CRL in a directory, is it

Re: callbacks: application context

2011-03-20 Thread Graham Leggett
On 20 Mar 2011, at 9:35 PM, Victor Duchovni wrote: What's the obstacle to a global variable that is initialized once and never changes? You also only need to call: SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); once, ... so there needs to be some once-only code in your

Re: Using OpenSSL with non-blocking I/O

2011-05-06 Thread Graham Leggett
On 06 May 2011, at 9:23 PM, derleader mail wrote: Can you show us the source code. Paste it into pastebin.org. We do non blocking SSL by accepting the socket in the normal way (using accept, not SSL_accept), and then wrapping the socket in a BIO like this: BIO *sbio =

Safari and application/x-x509-user-cert

2012-01-31 Thread Graham Leggett
Hi all, I have some openssl code that creates a certificate based on a SPKAC, and then attempts to send the certificate back to the browser. This works fine in Firefox, but doesn't work in Safari, or at least it does work, except that Safari doesn't recognise the MIME type of the

Using a EVP_PKEY as input to EVP_EncryptInit

2007-11-16 Thread Graham Leggett
Hi all, I have a need to encrypt a block of text (a cookie) in such a way that the contents of the cookie can be protected[1] if and when the cookie is stolen in transit. I would like to use EVP_EncryptInit and friends to do this, and this function requires that I provide a key and iv to be used

Getting a certificate and private key from SSL_CTX

2007-11-17 Thread Graham Leggett
Hi all, The SSL_CTX_use_PrivateKey_file() and SSL_CTX_use_certificate_file() allow you to assign a key and cert respectively to an SSL_CTX. I have been hunting for a while, and I have as yet not found the opposite functions, to extract the cert and key from an SSL_CTX. Am I missing

Re: What Padding does OpenSSL use??

2007-11-21 Thread Graham Leggett
On Wed, November 21, 2007 2:39 pm, Lidia Fernández wrote: I have to encrypt a file in c with openssl and then i have to decrypt in Java. In Java i use to decrypt the algorithm Cipher cipher = Cipher.getInstance(DES/ECB/PKCS5Padding); With OpenSSL i use openssl enc -a -des-ecb -in

List of ciphers: EVP_get_cipher_byname()

2007-11-23 Thread Graham Leggett
Hi all, Is there a function in OpenSSL that is capable of listing the possible ciphers that are supported by EVP_get_cipher_byname()? Regards, Graham -- __ OpenSSL Project http://www.openssl.org

make install failure / Solaris v2.8

2005-01-04 Thread Graham Leggett
Hi all, While trying to install v0.9.7e of openssl on a Solaris v2.8 machine, the build completes fine, but it bombs out during make install as below. Google has found two other questions on mailing lists about this problem (one on NetBSD, one on Irix) but these questions were never answered. One

Re: OpenSSL: What code to add for proxy use?

2005-01-05 Thread Graham Leggett
Clemens Chiba said: I use Winsocks and OpenSSL in a client application which simulates HTTPS request, and it works fine as long as I don't use a proxy (proxy name/port same as host name/port). But if I set a proxy it does not work anymore. This is clear because the proxy does not know where

Compiling OpenSSL as a shared library

2000-09-15 Thread Graham Leggett
Hi all, Is it possible to compile openssl v0.9.5a as a shared library under Solaris v2.6? The default compilation builds static libs only. There does not seem to be any mention of shared library support anywhere in any of the build docs, and the standard --enable-shared doesn't work. Any

make install problem with v0.9.6 beta 1

2000-09-15 Thread Graham Leggett
Hi all, After the make install step after compiling v0.9.6 beta 1 of OpenSSL, my /usr/local/ssl/lib directory looked like this: [3:22pm] root@dsnstar:/opt/local/ssl/lib# ls -al total 15364 drwxr-xr-x 2 root other512 Sep 15 15:21 ./ drwxr-xr-x 9 root other512 Sep 15

Re: Who uses heartbeat?

2014-04-13 Thread Graham Leggett
On 13 Apr 2014, at 12:25 PM, Hanno Böck ha...@hboeck.de wrote: I wasn't really sure where to ask this, but I think this list is appropriate. While having read so much about heartbleed, one question stays unanswered for me all the time: What's the use of this heartbeat extension? I mean not

Re: Who uses heartbeat?

2014-04-13 Thread Graham Leggett
On 13 Apr 2014, at 2:04 PM, Michael Ströder mich...@stroeder.com wrote: No, it does *not* answer the question. The question was: Who is currently using it? Just to clarify any possible confusion, whether or not a piece of software actively uses the heartbeat makes no difference to the bug,

Re: SSL Root CA and Intermediate CA Certs.

2014-04-23 Thread Graham Leggett
On 23 Apr 2014, at 2:23 PM, Kaushal Shriyan kaushalshri...@gmail.com wrote: I am new to SSL/TLS Certificates. Please help me understand what is the difference between ROOT CA Certs and Intermediate Certs or Chain Certs. I will appreciate if i can refer to some books or tutorials to know

Using a salt to improve key strength in HLS

2014-09-21 Thread Graham Leggett
Hi all, In the HLS protocol[1], there is the option of serving encrypted data protected by a simple symmetrical key and AES-128. The symmetrical key is served to the client over a secure connection, and the data is then retrieved separately over a probably-insecure-but-cacheable connection and

Symmetrical encryption in FIPS mode?

2014-10-02 Thread Graham Leggett
Hi all, Looking at the headers in the FIPS module of openssl, I see none of the EVP_Encrypt* functions are available. Am I assuming correctly that no symmetrical encryption is possible at all in FIPS mode? Regards, Graham —

Order of certs returned by SSL_get_peer_cert_chain()

2014-10-20 Thread Graham Leggett
Hi all, Can anyone confirm the order in which certs are returned by SSL_get_peer_cert_chain()? Regards, Graham

Parsing an SSL hello packet

2014-10-27 Thread Graham Leggett
Hi all, I have a need to parse the first incoming hello packet on an incoming TLS connection and based on the presence (or absence) of the SNI header, choose to pass the connection through to another server. What openssl functions should I be looking at to do this? Regards, Graham —

Re: Parsing an SSL hello packet

2014-10-28 Thread Graham Leggett
On 28 Oct 2014, at 1:30 PM, Florian Weimer f...@deneb.enyo.de wrote: * Graham Leggett: I have a need to parse the first incoming hello packet on an incoming TLS connection and based on the presence (or absence) of the SNI header, choose to pass the connection through to another server

[openssl-users] OpenSSL and detecting whether bugs have been patched

2015-03-05 Thread Graham Leggett
Hi all, I just tried out the most recent version of freeradius (v3.0.7), and it failed to start up with the following message: Thu Mar 5 11:12:33 2015 : Info: Debugger not attached Thu Mar 5 11:12:33 2015 : Error: Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013

Re: [openssl-users] Nonblocking IO: Kindly need your urgent authoritative confirmation that the OpenSSL API's SSL_read and SSL_write and select() must indeed be used together *exactly* like this, as t

2015-02-24 Thread Graham Leggett
On 22 Feb 2015, at 11:22 PM, Tinker ti...@openmailbox.org wrote: I need your authoritative answer on the following question. [snip stuff that is too long] You are totally overthinking this. The SSL protocol involves negotiation, during which the sender and the receiver exchange data with

Re: [openssl-users] SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE

2015-02-21 Thread Graham Leggett
On 21 Feb 2015, at 12:58 PM, Serj Rakitov ra...@yandex.com wrote: I set socket to non-blocking mode. 1. If I do SSL_read() and get result =0 and then SSL_get_error() returns SSL_ERROR_WANT_WRITE what must I to do? Is it enough to call SSL_write(ssl,0,0) one time and then again call

Re: [openssl-users] Crash in SSL_do_handshake: s-method-ssl_renegotiate_check(s)

2015-04-04 Thread Graham Leggett
On 04 Apr 2015, at 9:46 PM, Michael Clark mich...@metaparadigm.com wrote: I am having an issue where the server crashes on subsequent connections *if* I close the connection file descriptor. See the note in openssl_async_echo_server.cc on line 239. If I leak a file descriptor and the next

Re: [openssl-users] using a random number file for generation of keys/certificates

2015-09-03 Thread Graham Leggett
On 3 Sep 2015, at 19:23, Viktor Dukhovni wrote: > Cat those files into /dev/urandom or /dev/random. That'll mix them > into the system's entropy pool. Then generate keys as usual from > /dev/urandom. I have used a deck of playing cards as a source of entropy, saved

[openssl-users] openssl verify reporting errors where there are none

2016-05-03 Thread Graham Leggett
Hi all, I am trying to use “openssl verify” as a sanity check to determine whether a set of certificates are sane and valid in a script that issues (or reissues) the certificates, and I’m struggling with the output of the “openssl verify” command. This is output I get while verifying three

[openssl-users] Unknown record type 207: what is it, and why does it cause SSL to fail?

2016-08-05 Thread Graham Leggett
Hi all, I am having a problem where an iPhone running iOS v9.3.3 is attempting to connect to httpd+openssl on CentOS7 and suddenly failing when this used to work in the past. The client (iOS) seems to believe the SSL handshake is successful, and so attempts to send some application data. The

Re: [openssl-users] API SSL_Connect fails and always returns SSL_ERROR_WANT_READ causes infinite loop in application

2017-11-14 Thread Graham Leggett
On 14 Nov 2017, at 12:00 PM, mahesh gs wrote: > We have application that provide DTLS security for SCTP connections. During > our testing we found that API "SSL_connect " fail and always returns > SSL_ERROR_WANT_READ which causes infinite loop in the application. Are you

Re: [openssl-users] Ubuntu Xenial + Postgresql v9.5 == SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

2017-11-09 Thread Graham Leggett
On 09 Nov 2017, at 4:17 AM, Michael Wojcik wrote: >> New, (NONE), Cipher is (NONE) >> SSL-Session: >>Protocol : TLSv1.2 >>Cipher: > > Yeah. TLSv1.2, no cipher. My guess is the server is allowing the 1.2 protocol > level but not supporting any

Re: [openssl-users] Ubuntu Xenial + Postgresql v9.5 == SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

2017-11-09 Thread Graham Leggett
On 09 Nov 2017, at 2:57 PM, Michael Wojcik wrote: >> This is openssl v1.0.1f (ubuntu xenial) talking to openssl v1.0.1f (ubuntu >> xenial), although >> trying openssl as shipped by MacOS Sierra on the client side gives the same >> result. > > At least prior to

[openssl-users] Ubuntu Xenial + Postgresql v9.5 == SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

2017-11-08 Thread Graham Leggett
Hi all, I am having quite a time trying to get postgresql v9.5 to talk over SSL on Ubuntu Xenial, running openssl v1.0.1f. Previously my setup was Ubuntu Trusty, and this works fine. The questions I have based on the info below: - It is the openssl s_client side that is triggering the

Re: [openssl-users] Initialising OpenSSL more than once - how do we handle this?

2018-07-30 Thread Graham Leggett
On 24 Jul 2018, at 18:06, Viktor Dukhovni wrote: >> Or is it correct in v1.1.0 and above to just not initialise anything at all, >> not clean anything up at all, and expect openssl to “do the right thing” >> when mod_ssl is unloaded? > > Yes. And *especially* when the code that depends on

[openssl-users] Initialising OpenSSL more than once - how do we handle this?

2018-07-24 Thread Graham Leggett
Hi all, Over at httpd we’re struggling with crashes and instability caused by attempts by various independent libraries we link to, all of which in turn link to openssl, initialising openssl multiple times. In turn these separate libraries might de-initialise openssl on shutdown expecting a

Re: [openssl-users] Initialising OpenSSL more than once - how do we handle this?

2018-07-24 Thread Graham Leggett
On 24 Jul 2018, at 12:15, Graham Leggett wrote: > Over at httpd we’re struggling with crashes and instability caused by > attempts by various independent libraries we link to, all of which in turn > link to openssl, initialising openssl multiple times. In turn these separate > lib

Re: i2d_X509_REQ() -> d2i_X509_REQ() = asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287

2019-03-20 Thread Graham Leggett
On 19 Mar 2019, at 18:00, Viktor Dukhovni wrote : > Well, the *standard* structure for passing around just the unsigned > data underlying a CSR (X509_REQ), is a CertificationRequestInfo > (X509_REQ_INFO). So if the modules are to use *standard* structures > to communicate. The object being

i2d_X509_REQ() -> d2i_X509_REQ() = asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287

2019-03-17 Thread Graham Leggett
Hi all, While porting some code across from RHEL6 (openssl-1.0.1e-42) to RHEL7 (openssl-1.0.2k-16), I am getting the failure below where previously the code worked. The code creates an X509_REQ, populates it, and then passes this to a module. Before passing it to the module, the structure is

Re: i2d_X509_REQ() -> d2i_X509_REQ() = asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287

2019-03-18 Thread Graham Leggett
On 18 Mar 2019, at 18:49, Viktor Dukhovni wrote: > A mandatory part of the CSR is missing. It is malformed. Some further digging shows the CSR is indeed malformed - the old openssl code created a CSR like this: 507:d=2 hl=2 l= 1 prim: OBJECT:itu-t while the new openssl code

Re: i2d_X509_REQ() -> d2i_X509_REQ() = asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287

2019-03-18 Thread Graham Leggett
On 18 Mar 2019, at 22:27, Viktor Dukhovni wrote: >> (Even in the 1.1 API, where they are opaque, i2d_re_X509_REQ_tbs will encode >> a given X509_REQ's X509_REQ_INFO for you.) > > Yes, i2d_re_X509_REQ_tbs is the key function for constructing the > "to be signed" (tbs) request: > > int

Re: i2d_X509_REQ() -> d2i_X509_REQ() = asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287

2019-03-18 Thread Graham Leggett
On 18 Mar 2019, at 22:02, Dave Coombs wrote: >> This makes sense - however there don’t appear to be any APIs in openssl that >> allow you to manipulate a X509_REQ_INFO structure. I can create it, and >> encode/decode it, but there is no X509_REQ_INFO_get_subject_name() (or >> friends) to

Re: i2d_X509_REQ() -> d2i_X509_REQ() = asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287

2019-03-19 Thread Graham Leggett
On 19 Mar 2019, at 03:22, Viktor Dukhovni wrote: >> On Mar 18, 2019, at 8:22 PM, Graham Leggett wrote: >> >> How would I decode the X509_REQ_INFO structure on the other side, turning it >> back into X509_REQ? > > The function returns the DER form of the CRI, w

Re: i2d_X509_REQ() -> d2i_X509_REQ() = asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287

2019-03-18 Thread Graham Leggett
On 18 Mar 2019, at 04:55, Viktor Dukhovni wrote: > On Mon, Mar 18, 2019 at 01:06:19AM +0200, Graham Leggett wrote: > >> [root@localhost ~]# openssl req -in req.bin -inform der >> unable to load X509 request >> 139903756527504:error:0D0C40D8:asn1 encoding >> ro

Re: i2d_X509_REQ() -> d2i_X509_REQ() = asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287

2019-03-18 Thread Graham Leggett
On 18 Mar 2019, at 12:51, Graham Leggett wrote: >> which has a non-zero length signature algorithm OID (l = 9). Your >> example has "l=0" where one would expect the signature OID after >> the extensions. > > How do I fix openssl to parse this as it did

Shutting down openssl - is the correct thing to do nothing?

2019-06-13 Thread Graham Leggett
Hi all, I am currently reviewing the shutdown behaviour in both httpd’s mod_ssl and apr’s apr-crypto-openssl modules. Am I right in understanding that from openssl v1.1.0 and upwards, all the following calls are no longer necessary, will be called automatically atexit by the openssl library,

Re: Shutting down openssl - is the correct thing to do nothing?

2019-06-14 Thread Graham Leggett
On 14 Jun 2019, at 09:41, Matt Caswell wrote: > Correct. *All* of the above calls are no-ops in 1.1.0+, e.g: > > # define EVP_cleanup() while(0) continue > > There are one or two caveats around auto-init and auto-deinit of the library. > The documentation for it is here: > >

During client cert verification: RSA_padding_check_PKCS1_type_1:block type is not 01

2019-08-03 Thread Graham Leggett
Hi all, I have a Windows 10 system with a smartcard attached to it. Firefox+Smartcard works great. Edge using the smartcard to the same site returns the following: [Fri Aug 02 13:47:43.238262 2019] [ssl:info] [pid 20742:tid 139771397486336] SSL Library Error: error:0407006A:rsa

Re: During client cert verification: RSA_padding_check_PKCS1_type_1:block type is not 01

2019-08-05 Thread Graham Leggett
On 04 Aug 2019, at 01:56, Viktor Dukhovni wrote: > An RSA signature verification operation (block type 01) failed, > typically because the public used to check the signature does > not match the private key used to sign the data. Thanks for confirming this. > Is this a server-side log or a

PKCS7: Error: Object has zero length.

2020-05-05 Thread Graham Leggett
Hi all, I am trying to create a "Degenerate certificates-only CMS Signed-Data” using openssl openssl-1.1.1c (from CentOS8) as described by https://tools.ietf.org/html/draft-gutmann-scep-15#section-3.4, and in the process I am getting the entry "Error: Object has zero length” in the PKCS7

BIO_s_file() and files that are larger than int - how is overflow handled?

2020-12-24 Thread Graham Leggett via openssl-users
Hi all, According to the manpage at https://www.openssl.org/docs/man1.1.0/man3/BIO_s_file.html the macro BIO_tell() casts to int: /opt/local/include//openssl/bio.h:# define BIO_tell(b) (int)BIO_ctrl(b,BIO_C_FILE_TELL,0,NULL) What happens if the file being parsed is larger than can fit in

X509_verify_cert() rejects all trusted certs with "default" X509_VERIFY_PARAM

2021-05-28 Thread Graham Leggett via openssl-users
Hi all, While running code that calls X509_verify_cert(), the trusted root certificates (“BEGIN TRUSTED CERTIFICATE”) loaded into the verification are failing verification with “certificate rejected”: 2: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE: verify failed: certificate

OpenSSL provider replacement for ENGINE_load_private_key

2021-12-11 Thread Graham Leggett via openssl-users
Hi all, The ENGINE API is deprecated in favour of the new Provider API. What is the provider equivalent function that replaces ENGINE_load_private_key()? Regards, Graham —

Re: OpenSSL provider replacement for ENGINE_load_private_key

2022-01-12 Thread Graham Leggett via openssl-users
On 13 Dec 2021, at 12:15, Tomas Mraz wrote: > One option would be for a provider to provide provider-storemgmt > implementation to load a key from its special URI. You'd then use > OSSL_STORE from the application to load a private key from that special > URI. > > Another, rather simplistic,

Generating a CSR using an engine in OpenSSL3 - how?

2022-09-03 Thread Graham Leggett via openssl-users
Hi all, When the openssl interactive mode was still possible, you could set up an engine and then use it as follows: OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib64/openssl/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre