Re: Client certificate verification

2012-06-29 Thread Peter Sylvester
On 06/29/2012 09:29 PM, Sukalp Bhople wrote: Hello, I am trying to measure server performance for client certificate verification. However, there is no significant difference in the server performance when I send one certificate and condition when I send chain of 10 certificates. I am aware

Re: X.509 certificate subject format

2012-07-02 Thread Peter Sylvester
On 07/02/2012 10:34 AM, Johannes Bauer wrote: Hi list, I have a rather simple question regarding X.509 subjects that is not entirely clear to me and for which I cannot find the appropriate reference (pointers greatly appreciated). The trouble starts when trying to compare two subjects of

Re: TS verify: how to fix Verify error:self signed certificate in certificate chain ?

2012-07-10 Thread Peter Sylvester
On 07/10/2012 02:38 AM, Dave Thompson wrote: From: owner-openssl-us...@openssl.org On Behalf Of Sandro Tosi Sent: Monday, 09 July, 2012 10:15 /usr/bin/openssl ts -verify -sha256 -untrusted CERT -CAfile CA -data FILE TO MARK -in TSA REPLY and the output we get is:

Re: create certificate request programmatically using OpenSSL API

2012-07-20 Thread Peter Sylvester
You can take the code in apps/req.c and extract the pieces you need. On 07/20/2012 10:17 AM, Abyss Lingvo wrote: Hi all! How to create certificate request programmatically via OpenSSL API? This is the solution for command line utility: openssl genrsa -out server_key.pem -passout

Re: Missing entries in index.txt database - Generating CRL

2012-08-09 Thread Peter Sylvester
On 08/09/2012 12:57 PM, int0...@safe-mail.net wrote: Hi ... After that I generated a CRL (I own the CA) which then contained the certificate with the serial 0x06. My question now is, would that be a proper workaround or is there a better solution? Since the CRL only contains the serial

Re: MIME types for PEM encoded CRLs

2012-10-27 Thread Peter Sylvester
On 10/27/2012 02:51 PM, Graham Leggett wrote: Section 4.1 says: Encoding considerations: will be none for 8-bit transports and most likely Base64 for SMTP or other 7-bit transports What I'm after is how to interpret section 4.1 in the context of HTTP content negotiation. Regards, Graham

Re: Reference material on how to do certificate validation with OpenSSL

2012-10-27 Thread Peter Sylvester
The way how common names are verified in The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software is not correct. It gives a false match when there is more than one common name ava __ OpenSSL

Re: Find the difference in (milli|micro)seconds between two ASN1_TIME values

2012-11-07 Thread Peter Sylvester
On 11/07/2012 06:52 PM, Graham Leggett wrote: On 07 Nov 2012, at 4:50 PM, Ted Byers r.ted.by...@gmail.com wrote: Why does it need to be something in openssl? Ideally because it needs to be as secure as openssl. I'm after an accurate time duration between two ASN1_TIME values, that is not

Re: How to over-ride SSL_CTX_use_PrivateKey_file() behavior with custom engine

2012-12-07 Thread Peter Sylvester
On 12/07/2012 11:05 AM, LN wrote: I have a feeling it does so because I tried to save that returned EVP_PKEY to a PEM file with PEM_write_bio_PrivateKey and then to load it back from the same file with PEM_read_bio_PrivateKey. Saving worked, but loading failed (with some decoding error

Re: extensions in certifications

2012-12-12 Thread Peter Sylvester
On 12/11/2012 09:45 PM, Michael Mueller wrote: Could I get a nudge. I'd like to get the SANs to show up in my certs. in my request: Requested Extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Non

Re: How to tell when no more progress can be made

2013-01-17 Thread Peter Sylvester
On 01/17/2013 12:10 PM, A G wrote: Hi Here http://marc.info/?l=openssl-usersm=124386218929227 It states that ...This is why it is very important to understand that any possible forward progress on any port (and a write operation that returns WANT_READ may have made forward progress!) requires

Re: [openssl-users] Is ordering of distinguished names for subject and issuer in OpenSSl 0.9.8 certificates important?

2013-02-08 Thread Peter Sylvester
Ording is important. unfortunately the default order shown in the textual form is not the same as for ldap tools. using openssl asn1parse shows the encoding, country code should come first. __ OpenSSL Project

Re: possible Bug in OpenSSL - rfc 3161 - TSA service

2013-03-11 Thread Peter Sylvester
On 03/11/2013 06:43 PM, kap...@mizera.cz wrote: Hello, ... As I know, the attr. certs are not very necessary = that is why I mean, that temporary solution would be to ignore them in verification process. At least in TS it would solve the problem. Just for info: converting te stuff to

Re: possible Bug in OpenSSL - rfc 3161 - TSA service

2013-03-11 Thread Peter Sylvester
the second ess certid says SEQUENCE { OCTET STRING 52 EE 29 A7 35 03 04 F8 94 21 48 72 76 9F 24 78 EB 6C D7 AC } by 3721926ea67e877df5f4e35dd3c87397eef33d4f is the hash of the der version of te

Re: possible Bug in OpenSSL - rfc 3161 - TSA service

2013-03-11 Thread Peter Sylvester
On 03/11/2013 08:01 PM, kap...@mizera.cz wrote: Of course YES. Timestamp reply is nothing else as CMS SignedData structure. not quite but ts -reply -tokenout converts it to such a thing __ OpenSSL Project

Re: possible Bug in OpenSSL - rfc 3161 - TSA service

2013-03-11 Thread Peter Sylvester
On 03/11/2013 10:31 PM, kap...@mizera.cz wrote: Dne 11.3.2013 21:42, Peter Sylvester napsal(a): the second ess certid says SEQUENCE { OCTET STRING 52 EE 29 A7 35 03 04 F8 94 21 48 72 76 9F 24 78 EB 6C D7 AC

Re: possible Bug in OpenSSL - rfc 3161 - TSA service

2013-03-12 Thread Peter Sylvester
On 03/11/2013 11:17 PM, kap...@mizera.cz wrote: That is what we talk about here. Try to check previous posts in this thread. rfc 3126 tells This document mandates the presence of this attribute as a signed CMS attribute, and the sequence must not be empty. The certificate used to

Re: possible Bug in OpenSSL - rfc 3161 - TSA service

2013-03-12 Thread Peter Sylvester
On 03/12/2013 09:30 AM, kap...@mizera.cz wrote: RFC 3161 is written badly. The whole text was a joke anyway. The requester SHALL verify that the TimeStampToken contains the correct certificate identifier of the TSA One may conclude that openssl should simply not validate anything

Re: possible Bug in OpenSSL - rfc 3161 - TSA service

2013-03-15 Thread Peter Sylvester
for those who don't read openssl-dev Original Message Subject:[openssl.org #3016] openssl ts fix Date: Wed, 13 Mar 2013 16:13:31 +0100 From: Peter Sylvester via RT r...@openssl.org Reply-To: openssl-...@openssl.org CC: openssl-...@openssl.org Hi, I

Re: Verify callback and sending of the client certificate

2013-08-09 Thread Peter Sylvester
On 08/09/2013 11:17 AM, Florian Weimer wrote: Qt installs a verification callback like this |// Register a custom callback to get all verification errors. |X509_STORE_set_verify_cb_func(ctx-cert_store, q_X509Callback); It is not recommended to access to members in the way above, but

Re: CA hierarchy / pathlen:0

2013-08-22 Thread Peter Sylvester
On 08/22/2013 01:29 PM, Peter1234 wrote: Hi Walter, I started with release 0.9.8h and just updated to release 1.0.1e (both on MS Windows). The update to release 1.0.1e didn't change anything unless that the new release does not redirect certificates converted from PEM format to text format into

Re: Certificate extensions

2013-09-18 Thread Peter Sylvester
a surprise when policy and practice documents do not even mention these behaviours. Peter Sylvester __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users

Re: CA generation/certificate serial number

2008-04-03 Thread Peter Sylvester
openssl is VERY tolerant concerning the encoding/decoding of an INTEGER value. Other decoders may not like such things as length 0 etc. When converting such a beast from DER to PEM or the other way, you might have a surprise. From X.690: 8.3 Encoding of an integer value 8.3.1 The encoding

Re: any reference to different certificate versions

2008-08-24 Thread Peter Sylvester
Kyle Hamilton wrote: X.509 refers to the certificate version. 0 == version 1, 1 == version 2, 2 == version 3. Version 1 certificates have no means for any extensions. Version 2 certificates are CRLs. CRLs use the asn1 type Version. CRLs with extensions have Version 2, but this has nothing

Re: Decoding ASN.1 certificate content

2009-05-20 Thread Peter Sylvester
IMO a good approach is also to simple read and understand apps/x509.c __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List

Re: Decoding ASN.1 certificate content

2009-05-21 Thread Peter Sylvester
Victor B. Wagner wrote: On 2009.05.20 at 18:28:42 +0200, Peter Sylvester wrote: IMO a good approach is also to simple read and understand apps/x509.c Unfortunately, it wouldn't help much. x509 utility does work only with certificates in files (or stdin), so it uses d2i_X509_bio

Re: Question about x509

2009-05-22 Thread Peter SYLVESTER
Selon Kyle Hamilton aerow...@gmail.com: On Thu, May 21, 2009 at 11:55 PM, loody milo...@gmail.com wrote: Hi: thanks for your help. By your explanation, in der form, the leading 00 seems like a padding byte. ( Is there spec which says it must put 00 here?) from my example, the number

Re: Question about x509

2009-05-22 Thread Peter Sylvester
what is the X series mean? guess where the X in X509 comes from. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated

Re: Question about x509

2009-05-23 Thread Peter Sylvester
There is also CER. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager

Re: Certificate with custom fields

2009-07-10 Thread Peter Sylvester
Victor Duchovni wrote: On Fri, Jul 10, 2009 at 10:04:45PM +0200, Akos Vandra wrote: Hello! I need to issue a few certificates with custom fields, with the customers more thoroughly identified, including Full name, Address, Telephone number, blablabla, and even a picture of the poor guy.

Re: Does OpenSSL support passive decryption?

2009-07-30 Thread Peter Sylvester
see http://www.rtfm.com/ssldump/ Ivan Ristic wrote: I am investigating whether it is possible to use OpenSSL to passively decrypt an SSL conversation (with access to a server's private RSA key, of course). Does OpenSSL provide any support for this mode of operation? If there isn't explicit

Re: Is Openssl vulnerable to Null-Prefix Attacks?

2009-08-11 Thread Peter Sylvester
Roger No-Spam wrote: Recently there has been some discussion on the Internet regarding so called null-prefix attacks, see http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf. Is openssl vulnerable to this attack?. The attack is not an attack against SSL/TLS, but against implementation

Re: add extension to an existing (signed) CA certificate

2009-08-25 Thread Peter Sylvester
Second, I doubt your organisation is authoritative for the OID arc 1.1.1.1.1 - from what documentation I can find, the 1.1 arc is used for examples, and shouldn't be used in production. You should have your organisation register with IANA to be issued its own correct OID arc (or, I think

Re: add extension to an existing (signed) CA certificate

2009-08-26 Thread Peter Sylvester
OK, then how do I re-issue my root CA certificate with my already existing ca.key ? If I could have a sample commande line for openssl it would help me . something like OPENSSL x509 -set_serial $SERIAL -clrext -extfile CA-EXTENSION.prm -days $DURATION -CA $CAPREFIX-ca.cacert -CAkey

Re: add extension to an existing (signed) CA certificate

2009-08-26 Thread Peter Sylvester
Jehan PROCACCIA wrote: Le 26/08/2009 12:17, Peter Sylvester a écrit : OK, then how do I re-issue my root CA certificate with my already existing ca.key ? If I could have a sample commande line for openssl it would help me . something like OPENSSL x509 -set_serial $SERIAL -clrext -extfile

Re: add extension to an existing (signed) CA certificate

2009-09-01 Thread Peter Sylvester
well, if one takes the standard configuration of openssl, it sets the authoritykey_identifier both the hash and issuer serial, no exception for the root. comment says that pkix recommends that. I do not see this recommandation in the rfcs. at least there is a length paragraph for roots to have

Re: TLS CA Certificate Loading in DER format

2009-09-14 Thread Peter Sylvester
I think the desired function is X509_STORE_add_cert SSL_CTX_use_certificate is to select you own certificate. Francois Dupressoir wrote: Hello Ram, You may be interested in the d2i_X509_fp() function [http://openssl.org/docs/crypto/d2i_X509.html#] in conjunction with

Re: Getting hostname with openssl library

2009-10-20 Thread Peter Sylvester
A better question is to match a given hostname against a certificate and determine whether it obeys the https rules. There can be multiple hostnames and wild cards. The code implemented by curl is a complete way to do this. /PS

Re: Getting hostname with openssl library

2009-10-20 Thread Peter Sylvester
It does not support subjectAltName extensions. SubjectAltName extension is supported since an eternity, more than 5 years ??? __ OpenSSL Project http://www.openssl.org User Support Mailing

Re: Subject Issuer Mismatch Bug!!

2009-10-30 Thread Peter Sylvester
We have in apps/ in x509.c print_name(STDout, issuer= , X509_get_issuer_name(x), nmflag); in crl.c print_name(bio_out, issuer=, X509_CRL_get_issuer(x), nmflag); In order to make a fair change that will potentially hurt everyone, I propose

Re: Apache client certificate authentication

2010-03-20 Thread Peter Sylvester
Wasn't there a pb with a great number of CA names? There are 16K already? The pb was in apache ad some of my three neurons seem to agree. https://issues.apache.org/bugzilla/show_bug.cgi?id=46952 /PS __ OpenSSL Project

Re: Server name indication

2010-04-09 Thread Peter Sylvester
Sad Clouds wrote: Hi, is there any sort of documentation on how to use SNI with OpenSSL? As far as I know, only the source in s_client and s_server.c It depends on what side you are, and what do you want to test. As a client, if you want to start a session to a server, and if you somehow

Re: X509 Verify callback

2010-05-10 Thread Peter Sylvester
On 05/10/2010 08:43 PM, Chris Bare wrote: Is there a way get have X509_verify_cert retry it's path building after it gets an X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT? My idea is to implement a verify callback that uses the AIA information to download the issuer cert and add it to the stack of

Re: How to set CA:TRUE, in an existing cert

2010-05-12 Thread Peter Sylvester
I'm trying to install a CA cert on my Android phone, to use my university WiFi account, via http://www.realmb.com/droidCert/ I would need to install the GTE CyberTrust Root cert, but it is getting registered as a client cert, not a CA one. If I try to install one with CA:TRUE, then it's working

Re: NameConstraints are not being applied (or I don't know how to enforce them?)

2010-06-04 Thread Peter Sylvester
On 06/03/2010 06:11 PM, Dr. Stephen Henson wrote: On Thu, Jun 03, 2010, jeff wrote: I have an example, detailed below, that specifies permitted and excluded subtrees for a sub-CA. Later it uses the sub-CA cert to sign certificate requests adhering to and violating the name constraints

Re: SSL_CTX_set_verify issue

2010-08-06 Thread Peter Sylvester
On 08/06/2010 10:54 AM, Manjunath1847 wrote: I am using SSL_CTX_set_verify() function to set my static C callback verify function. During HTTPS transaction, my callback is also getting called with first parameter 0 or 1 (depending upon of the certificate verification is success or failure). But

Re: Verifying X509 Certificates Using The OpenSSL API

2010-08-08 Thread Peter Sylvester
try rehash the certs I am loading the certificate stores from /etc/ssl/certs which contains the stores that mozilla, chrome, and the like all verify from, but no matter what I do I can't get a single certificate to verify.

Re: Subject alternative name

2010-08-24 Thread Peter Sylvester
You can use environment variables in the config file like extensions = x509v3 [ x509v3 ] subjectAltName = @subjectAltName keyUsage= critical,keyEncipherment extendedKeyUsage = serverAuth crlDistributionPoints = $ENV::CRLDP subjectKeyIdentifier = hash authorityKeyIdentifier = keyid [

Re: Verify X.509 certificate, openssl verify returns bad signature

2010-08-29 Thread Peter Sylvester
The encoding is invalid BER. The openssl is tolerant but also destructive in copy. whenever you use openssl x509 -in -out ... you remove one leading 0 octet. IMHO openssl should reject the cert because of invalid encoding. On 08/29/2010 04:17 AM, Mounir IDRASSI wrote: Hi, The problem you

Re: Verify X.509 certificate, openssl verify returns bad signature

2010-08-29 Thread Peter Sylvester
On 08/29/2010 01:20 PM, Mounir IDRASSI wrote: Hi Peter, Although the certificate's encoding of the serial number field breaks the BER specification about the minimal bytes representation, it is known that many CA's and libraries treat this field as a blob and usually encode it on a fixed length

Re: Verify X.509 certificate, openssl verify returns bad signature

2010-08-29 Thread Peter Sylvester
On 08/29/2010 07:38 PM, Mounir IDRASSI wrote: Hi Peter, Thank you for your comments. As I said, this kind of debates can be very heated and going down this road don't lead usually to any results. The debate may be whether and how something should be done in openssl, I admit I had started

Re: Verify X.509 certificate, openssl verify returns bad signature

2010-08-30 Thread Peter Sylvester
Nit: redundant leading 00 (or FF) in an INTEGER is VALID *B*ER but INVALID *D*ER. And signed things like certs are *D*ER for exactly this reason, so a reconstructed encoding is bit for bit identical and hashes and signatures etc. work. BER is already 'distinguished concerning the content

Re: Confusion about subject alternative names

2010-09-02 Thread Peter Sylvester
Since webmail, imap, smtp(s) all operate on different ports, and you have different listeners, the correct way to me seems to use three certificates with the desired hostnames etc. Having the same IP address doesn't matter in this particular case.

Re: Request for comment on Anonymous, Encrypted SSL approach

2010-09-17 Thread Peter Sylvester
On 09/17/2010 04:40 PM, Tom Cocagne wrote: Greetings, I've been searching for a way to set up an encrypted SSL connection that doesn't require the use of certificates. Ideally, I'd like to use SSL + SRP as specified in RFC 5054 but, as that isn't yet commonly available, I'd like to fall back to

Re: How to disable index and serial?

2011-01-11 Thread Peter Sylvester
On 01/11/2011 05:50 PM, Dominique Lohez wrote: Fredrik Strömberg a écrit : Hello, I want to sign a certificate without using the index or serial files. Can someone tell me how to disable them? by using the command x509 and not ca for example. you can use a serial number based on a date

Re: IP address as subjectaltname works with firefox but not MS internet explorer

2011-01-20 Thread Peter Sylvester
In addition to the adding the IP address to the cert with subjectAltName=IP:10.0.0.1; I added the IP address twice (probably didn't need to), using subjectAltName=IP:10.0.0.1,DNS:10.0.0.1 You might want to add DNS:host.mydomain.com

Re: ASN.1 encoding a private structure

2011-02-15 Thread Peter Sylvester
On 02/14/2011 01:11 PM, Eisenacher, Patrick wrote: I want to encode a private asn1 structure, say something like the following: SEQUENCE true_false BOOLEAN certificate Certificate I checked the asn1parse command and was able to specify my outer sequence and the inner boolean in the

Re: convert x509 cert into string and store certs in cache

2011-03-11 Thread Peter Sylvester
On 03/11/2011 11:57 AM, ikuzar wrote: Ok. In the doc, I think |i2d_X509() |is adequate to encode X509 *cert; The doc says : int i2d_X509(X509 *x, unsigned char **out); |i2d_X509()| encodes the structure pointed to by *x* into DER format. If *out* is not *NULL* is writes the DER encoded data

Re: [openssl-users] Quick eyeball requested - self generate openssl certs/CA

2011-05-19 Thread Peter Sylvester
The problem with this scheme is that it doesn't deal well with parallel certificate signatures. You have one shared information that must be incremented in an atomic way. But for a Junk CA (that's how I call the set of scripts I use), that's not a problem. another approach is to take the

Re: [openssl-users] Quick eyeball requested - self generate openssl certs/CA

2011-05-19 Thread Peter Sylvester
On 05/19/2011 06:20 PM, Tim Watts wrote: On 19/05/11 16:46, Peter Sylvester wrote: The problem with this scheme is that it doesn't deal well with parallel certificate signatures. You have one shared information that must be incremented in an atomic way. But for a Junk CA (that's how I call

Re: web site with many openssl examples

2011-06-30 Thread Peter Sylvester
On 06/30/2011 07:29 PM, derleader mail wrote: Hi, I'm looking for complete examples of implementing OpenSSL code - server and client. Can you give a link? Best wishes Peter the source code of s_client and s_server or ssl_use.c of curl for a client part or mod_ssl of apache for a

Re: smime verify bug???

2011-07-21 Thread Peter Sylvester
Many places including the DN comparision algorithm description of RFC3280. Sorry can you point me to the exact paragraph, I read 4.1.2.4 and 5.1.2.3 but the comparision seems to happen on the contents of the issuer field and not the order, thanks Nicola near the end of page 95 of rfc

Re: Becoming a CA for group of internal servers?

2011-09-01 Thread Peter Sylvester
you might want to read the description of the -extfile parameter of the x509 command an excerpt from curl-7.21.6/tests/certs/scripts/genserv.sh available at curl.haxx.se $OPENSSL req -config $PREFIX-sv.prm -newkey rsa:$KEYSIZE -keyout $PREFIX-sv.key -out $PREFIX-sv.csr $OPENSSL rsa -in

Re: How to deal with new OIDs

2011-09-08 Thread Peter Sylvester
On 09/07/2011 08:28 PM, Dr. Stephen Henson wrote: On Wed, Sep 07, 2011, Dominik Oepen wrote: Are these OIDs are by chance the ones described in ticket 1794? __ OpenSSL Project

Re: How to deal with new OIDs

2011-09-08 Thread Peter Sylvester
On 09/08/2011 04:31 PM, Dominik Oepen wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Am 08.09.2011 11:49, schrieb Peter Sylvester: On 09/07/2011 08:28 PM, Dr. Stephen Henson wrote: On Wed, Sep 07, 2011, Dominik Oepen wrote: Are these OIDs are by chance the ones described in ticket

Re: Error converting from .cer to .pem

2011-09-19 Thread Peter Sylvester
On 09/19/2011 04:29 PM, ubuntuv wrote: Thanks Jacob. Output of #less evalRootCertificate.cer -BEGIN CERTIFICATE- MIICBDCC.MVWn1dH/IzvUWbQ== -END CERTIFICATE- I even tried removing the following file lines -BEGIN CERTIFICATE- -END CERTIFICATE- #

Re: OpenSSL 1.0.1 example with SRP

2011-10-25 Thread Peter Sylvester
On 10/25/2011 05:15 AM, Norm Green wrote: Hello Experts, I'm new to OpenSSL so please bear with me. I'm trying to construct a simple example that uses a recent OpenSSL 1.0.1 snapshot to create secure connection using SRP without using any certificates. I am aware 1.0.1 is not yet released,

Re: How to create certificate store using DER and PKCS12 certificates

2011-11-10 Thread Peter Sylvester
On 11/10/2011 12:47 PM, Rajib Karmakar wrote: Hi, I am using OpenSSL version 1.0.0e and want to create a certificate store using DER and PKCS12 formatted certificates. I have to read and convert DER and PKCS12 certificates into X509 object and add them into X509_STORE. But if PEM, DER and

Re: OpenSSL and apache2 wildcard self-signed certificate for nested subdomain

2011-12-14 Thread Peter Sylvester
On 12/14/2011 01:33 PM, rey sebastien wrote: Hello users :) I have some problem with nested subdomain and wildcard openssl certificate.. perhaps this is because the subdomain type is : site1.parisgeo.cnrs.fr, or site2.parisgeo.cnrs.fr, or other subdomain like .parisgeo.cnrs.fr When i

Re: Displaying Serial Number of Cert via s_client ?

2012-01-07 Thread Peter Sylvester
On 01/07/2012 02:01 AM, Ken Adler wrote: I use echo GET | openssl s_client -connect www.google.com:443 -state to troubleshoot https handshakes. Is there a way to get it to return the Serial number (or thumbprint) of the server certificate? openssl s_client -connect www.google.com:443

Re: SRP problem in OpenSSL 1.0.1 beta

2012-01-10 Thread Peter Sylvester
blocking behaviour (even if no), and you need time to lookup a credential (a verifier) in a database, you can indicate in your callback to interrupt the accept call (in blocking and non blocking mode) and repeat the accept as soon as the data are there. Norm Green VMware, Inc. Peter Sylvester

Re: SRP problem in OpenSSL 1.0.1 beta

2012-01-10 Thread Peter Sylvester
an excerpt from rfc 5054 paragraph 3.3 If an attacker learns a user's SRP verifier (e.g., by gaining access to a server's password file), the attacker can masquerade as the real server to that user, and can also attempt a dictionary attack to recover that user's password. An

Re: Customer Enterprise X.509 Extension OID Assignment

2012-02-06 Thread Peter Sylvester
On 02/06/2012 09:41 AM, Curt Sampson wrote: If I were to create a custom X.509 certificate extension for use within my enterprise and with others outside who wanted to write or modify their own software to interoperate with it, I'd need to assign an OID for this extension, right? And for that,

Re: Distinguishing a CA certificate from an end entity certificate Reg.

2012-02-23 Thread Peter Sylvester
On 02/23/2012 10:49 AM, Ashok C wrote: Hi, What would be the most efficient and easiest way to distinguish a CA certificate from an actual server/client(end entity) certificate? We were thinking of identifying the CA with the CA:TRUE constraint from the text display, but again this check does

Re: 1.0.1beta1, incompatibility with gnutls?

2012-03-08 Thread Peter Sylvester
On 03/08/2012 11:05 PM, David Holmes wrote: I'm trying to use openssl 1.0.1beta1 s_server with gnutls 2.4.1 (gnutls-cli). s_server is complaining of an unknown extension (see debug output below). Openssl 0.9.8h works just fine though. Is this a known issue? 127.0.0.1 is not a valid

Re: 1.0.1beta1, incompatibility with gnutls?

2012-03-09 Thread Peter Sylvester
On 03/08/2012 11:05 PM, David Holmes wrote: I'm trying to use openssl 1.0.1beta1 s_server with gnutls 2.4.1 (gnutls-cli). s_server is complaining of an unknown extension (see debug output below). Isn't it the client after the serverhello response? you might want to add -debug and -msg to see

Re: 1.0.1beta1, incompatibility with gnutls?

2012-03-09 Thread Peter Sylvester
On 03/08/2012 11:05 PM, David Holmes wrote: I'm trying to use openssl 1.0.1beta1 s_server with gnutls 2.4.1 (gnutls-cli). s_server is complaining of an unknown extension (see debug output below). Openssl 0.9.8h works just fine though. Is this a known issue? try beta3, should work better.

Re: SRP in OpenSSL 1.0.1

2012-04-04 Thread Peter Sylvester
On 04/04/2012 11:01 AM, Christian Weber wrote: Dear users and developers, we just read through some of the code examples for SRP usage. Concerning the necessary callbacks we wonder why in s_server.c the verifier parametrization is being delayed. Within apps/s_server.c we can find the comment:

Re: How to get the Certificate Keyusage retire error ? (lCert-ex_kusage =0)

2012-04-04 Thread Peter Sylvester
On 04/04/2012 02:51 PM, brajan wrote: I am using openssl 0.9.8g version . i convert the PEM certificate file to X509 format and try to read the key usage value . Keyuage =lCertificate-ex_kusage ; Some time the keyusage = 128 Some time Keyusage is 0 for the same certificate . why this problem

Re: How to trust a 'root' certificate

2012-04-26 Thread Peter Sylvester
On 04/26/2012 03:58 PM, Tammany, Curtis wrote: I don't see this as an Apache issue. The site has required client certs for years now and Apache was configured to require client certificates. I have intermediate DOD certs on the server but OpenSSL sees my DoD Root certificate as un-trusted

Re: How to trust a 'root' certificate

2012-04-26 Thread Peter Sylvester
put all the CA certificates into one file and remove the SSLCACertificatePath and just keep the SSLCACertificateFile Thanks. Curtis -Original Message- From: Peter Sylvester [mailto:peter.sylves...@edelweb.fr] Sent: Thursday, April 26, 2012 10:40 To: openssl-users@openssl.org Cc

Re: PHP openssl_x509_parse extensions=subjectAltName

2012-05-13 Thread Peter Sylvester
Yes, it can probably be parsed by any ASN.1 parser. But the OID is private - only the organization knows how to interpret it (or what to do with it). private/public in this context refers to governance/ownership not to visibility. if the organisation documents the any interested party can

Re: Are those TLS-SRP cipher suites supported?

2012-05-14 Thread Peter Sylvester
On 05/14/2012 02:59 PM, marek.marc...@malkom.pl wrote: Hello, $ openssl version OpenSSL 1.0.0 29 Mar 2010 $ openssl ciphers -V For SRP one should use the 1.0.1 version. openssl version OpenSSL 1.0.1 14 Mar 2012 openssl ciphers SRP

Re: Cert order in .pem format

2012-05-18 Thread Peter Sylvester
On 05/18/2012 06:03 AM, kthiru...@inautix.co.in wrote: Team, Had a query in the certs that we load, The CA's provide our certs in .p12 format, which we need to convert to a .pem and load to SSL structure during initialization. On converting to .pem, it is in the following format, Private

Re: variable response size of openssl rand on windows

2012-06-04 Thread Peter Sylvester
some new line - CRLF conversion may have hit. On 06/04/2012 04:29 PM, Ken Goldman wrote: A typical openssl user error is treating binary data as text. Random numbers are not text until you convert them with -hex. My guess is that Windows is treating some binary character specially, and this

Re: self-generated, self-signed root CA and Client Auth Certs not working

2012-06-06 Thread Peter Sylvester
On 06/05/2012 07:14 PM, DRings wrote: I've spent too much time trying to figure out something that is probably well know here. I have a restricted community application that seems a perfect fit for using openssl to self-generate our own CA, and self-sign it, and self-generate our own web client

Re: WG: [Openca-Users] After 100000 certificate issued...

2006-09-19 Thread Peter Sylvester
[EMAIL PROTECTED] wrote: I found this in the OpenCA-Users mailinglist. Any ideas or suggestions? use the 'openssl ca' command with an empty index.txt file for each new certificate. and then manages the files differently, i.e. copy the content into a database. Or don't use the ca at all

Re: a simple ca question

2006-10-15 Thread Peter Sylvester
Bernhard Froehlich wrote: Chong Peng wrote: guys: how to tell a root certificate from a non-root certificate? i sthere a field in x509 structure for us to tell? thanks. Root certificates are self signed, that is the issuer equals the subject in the certificate. AND the signature can be

Re: Compiler error ASN1

2006-10-17 Thread Peter Sylvester
Daniel Diaz Sanchez wrote: Hello to everybody, I have a problem when implementing a simple structure using OpenSSL Asn1. This is the problem: When I try to implement this data structure: A ::= SEQUENCE { b CHOICE { b1

Re: SSL_get_verify_result returns X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (20)

2007-05-04 Thread Peter Sylvester
The load verify location has to be done before you make the connection. Christian Graf wrote: Hi all, I try to check a server's certificate on the client like this, using an operating system whose name contains an o: GC_SSL_Error retVal = GC_SSL_NO_ERROR; X509* x509cert =

Re: How put issuerUniqueID into certificate?

2007-05-07 Thread Peter Sylvester
Kyle Hamilton wrote: I have never heard of issuerUniqueID and subjectUniqueID. If you can point to where you're learning about it, it would be possible for me to figure it out. X.509, where else? smime.p7s Description: S/MIME Cryptographic Signature

Re: How put issuerUniqueID into certificate?

2007-05-09 Thread Peter Sylvester
Kyle Hamilton wrote: The ITU X.509v1? The X.509v3? The Internet Public Key Infrastructure Certificate Profile? Perhaps the Attribute Certificate profile? Or the Proxy Certificate profile? Or some other profile? excerpt from the 2000 version. Since this is the one that I have online.

Re: Certificates, users and machines

2007-05-16 Thread Peter Sylvester
I hope this information helps. -Kyle H Thank you for your response and information about the proxies. I now have a feeling that to write a verification callback function, I will need to retrieve the information stored in the certificate that the peer has sent to me. If you want

0.9.7f rc4/asm problem

2005-03-23 Thread Peter Sylvester
Has someone tried to compile 0.9.7f with VC and nasm. I have the impresssion that the changes in crypto/rc4/asm/rc4-586.pl make nasm unhappy. __ OpenSSL Project http://www.openssl.org User

Re: cURL, CERT and PEM

2005-09-06 Thread Peter Sylvester
The --cert option asks for a client certificate, not for a server certificate. That's not your parameter. :-) You need to use the --cacert parameter, and well, AFAIR, you cannot use in general a server with a self signed cert in this case: Create your own ca (this is just as simple as a self

Re: TLS Extension support - Server Name Indication

2005-10-13 Thread Peter Sylvester
Dear OpenSSL developpers, I have put a version of openssl that supports the TLS servername extension into our web server. It is based on a openssl development snapshot of last week. We have split of and simplified the code that was done together with SRP last year, an,d corrected known bugs.

Re: ssl_select?

2005-11-08 Thread Peter Sylvester
BIO_pair as with the example in ssltest.c may help to use just normal select. -- To verify the signature, see http://edelpki.edelweb.fr/ Cela vous permet de charger le certificat de l'autorité; die Liste mit zurückgerufenen Zertifikaten finden Sie da auch. smime.p7s Description: S/MIME

Re: SSL accept/connect error

2005-11-24 Thread Peter Sylvester
Make a CA cert, and sign a server cert with it, and use this in the verify locations call in the client. Mark wrote: Hi, Thanks for the help from everyone with regards to certificates. I now have an error when attempting to run my application. On the server side when I call SSL_accept() I

Re: Authentication

2005-11-30 Thread Peter Sylvester
Bear Giles wrote: Mark wrote: What feature of a certificate could I use to provide an unique key in a database table for this? How could this be extracted in a program? The Common Name. You could use it as an LDAP key, convert it to a string and use that a key into a database, etc.

Re: Authentication

2005-11-30 Thread Peter Sylvester
The code below gives the FIRST Common Name RDN, not the last one in the hierarchy to be tested as a servername in tls. But well, if you only have one occurrence of common name :-) Anyway, the WHOLE DN, i.e. all attributes together are supposed to be unique in a CA. Of course, if your private

  1   2   >