Hello,
My company developed application using OpenSSL libraries to establish
SSL/TLS connections.
Our customers would like to have a reasonable way of updating user's
certificate (that is about to expire) without bringing the application
down and loosing all the existing SSL/TLS connections.
What would be the best way to implement the user certificate update?
Currently our code calls following functions during application
initialization to set up the user certificate:
PKCS12_parse(p12, "", &pkey, &x509, NULL);
bool = SSL_CTX_use_PrivateKey(ssl_ctx, pkey);
bool = SSL_CTX_use_certificate(ssl_ctx, x509);
Could we call the same code to set up new certificate. Would these calls
effectively replace the older certificate?
Could we update existing connections to use this new certificate during
session rekeying process?
I greatly appreciate any suggestions and link to any sample code.
Thanks a lot.
Liz
______________________________________________________________________ ...

For educational purposes, I want to use openssl to create an RSA key
with prime numbers I provide.

Is this possible with an openssl command, or do I have to adapt the source code?
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org

Hi,

I have about 10 X.509 certificates that I need to load into PKCS12
keystores for testing purpose. I understand each keystore has its
certificate alias. I would like to add all these certificates into
one keystore file and when I load it I can get the certificate I need
through certificate alias. Is it possible to do that using pkcs12
command of OpenSSL?
BTW, I am using this command

openssl>pkcs12 -export -in cert.pem -inkey privatekey.pem -out
keystore_1.p12 -name "cert1"

Thanks,
Joanne

On July 17, 2008 10:48:51 am Yuliya Shulman wrote:

That's probably exactly what you should be doing.

Since the table of primes previously mentioned tops out at around 30bit primes
(and there are 50 Million of those)... and modern cryptography suggests at
least 4096 bit primes, you are completely doing the right thing by not using
a table. (Just to make it clear - an application using those tables would be
trivially crackable - and not just by reverse engineering the code :)

Hi,

I'm developing a client in for a protocol where the public servers
that use SSL typically use self-signed certificates.

In order to make the best of a bad situation, I would like to
implement "server key caching", similar to the way that SSH is
typically used (that is, on the first connection to a given server,
the client presents the user with the fingerprint of the public key
that the server used; if the user accepts it, the public key is
remembered by the client so that future connections to the same server
can be verified).

To this end I have two questions:

1) Clearly in this case SSL_get_verify_result() is likely to indicate
that the server certificate failed verification (because it was
self-signed). However, in this situation can I still assume that the
public key from the certificate (obtained with
SSL_get_peer_certificate()) was the public key that the server
actually used to connect with me?

Hello,

I'm currently trying to configure some pre-existing code using EVP signing
to offload work to the PKCS #11 engine on an OpenSPARC. Since I'm new to
this, I tried initializing the PKCS11 engine two different ways which can be
triggered by command line argument. By default, the program will run without
the PKCS11 engine initialized. Here are the two ways I attempt to initialize
the PKCS11 engine.

if (usePKCS == 1){
ENGINE_load_builtin_engines();
ENGINE_register_all_complete();
ENGINE_set_default_RSA(ENGINE_by_id("pkcs11"));
}
else if (usePKCS2 == 1){
ENGINE_load_builtin_engines();
ENGINE *e = ENGINE_by_id("pkcs11");
ENGINE_init(e);
ENGINE_set_default_RSA(e);
}

Below is the section of code in which the actual signing takes place.

I read on a website (http://developer.mozilla.org/en/docs/NSS_FAQ) that
OpenSSL does not support the PKCS #11 chip by default. I'm aware there is a
patch for this, but I'm not sure if it's already installed. I'm currently
working on an OpenSPARC. By typing "openssl version -a" in the terminal, I
recieved the following informaiton:

OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
built on: date not available
platform: information not available
options: bn(64,32) md2(int) rc4(ptr,char) des(ptr,risc1,16,long)
blowfish(ptr)
compiler: information not available
OPENSSLDIR: "/etc/sfw/openssl"

Is there a way to determine if the patch is installed and if the backend is
set up? Any help would be greatly appreciated.

-Chris
--
View this message in context: http://www.nabble.com/Determing-if-the-OpenSSL-PKCS11-Patch-is-installed.-tp18506872p18506872...
Sent from the OpenSSL - User mailing list archive at Nabble.com.