Signing a file

Signing a file

Roberto Arias Alegria
Hello,

I tried to sign a file using a private key (a file with a .key
extension) using this:
openssl rsautl -sign -in myfile.txt -inkey mykey.key -out signed

But I got a message "unable to load private key".

The private key was generated using a proprietary software (in fact, a
government-made software, not a known commercial solution) so I have
little information about how it was generated. Anyway, I tried to
follow the solution with NET files provided in the man pages (open it
in a binary editor and found the string "private-key" and then the
0x30 0x80 values, and copy everything from here to the end of the file)
but I found that the file actually starts with 0x30 0x82, so I didn't
edit anything.

Is there another way to sign information using a ".key" file? It is
possible that the file could be in another format and the original
software just labeled it as ".key"?
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Signing a file

Dr. Stephen Henson
On Tue, Aug 30, 2005, Roberto Arias Alegria wrote:

> Hello,
>
> I tried to sign a file using a private key (a file with a .key
> extension) using this:
> openssl rsautl -sign -in myfile.txt -inkey mykey.key -out signed
>
> But I got a message "unable to load private key".
>
> The private key was generated using a proprietary software (in fact, a
> government-made software, not a known commercial solution) so I have
> little information about how it was generated. Anyway, I tried to
> follow the solution with NET files provided in the man pages (open it
> in a binary editor and found the string "private-key" and then the
> 0x30 0x80 values, and copy everything from here to the end of the file)
> but I found that the file actually starts with 0x30 0x82, so I didn't
> edit anything.
>
> Is there another way to sign information using a ".key" file? It is
> possible that the file could be in another format and the original
> software just labeled it as ".key"?

Firstly that command line probably won't "sign a file" in the way you mean. You
should use the -sign option in the dgst command for that.

So it includes the string "private-key" in it? Ugh, that's a horribly insecure
private key format. Did you try using NET format for the whole file? That is:

openssl rsa -inform NET -in file.key

How large is the file? What does:

openssl asn1parse -inform DER -in file.key

show? If the output has lots of lines with INTEGER on them and lots of digits
don't post it.

If you can generate a test key of zero importance with the same software you
could post that.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Signing a file

Roberto Arias Alegria
Hello Stephen,

Thanks for helping me, I'm new using open-ssl I really appreciate your support.

OK firstly no, I didn't find the "private-key" string using the binary
editor, I searched for it but I didn't find it.

Thanks for the suggestion, I generated a dummy key with the same
software. After using "openssl rsa -inform NET -in file.key" I got:

unable to load Private Key
3554:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:946:
3554:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:628:
3554:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=os, Type=NETSCAPE_ENCRYPTED_PKEY
3554:error:0D09806F:asn1 encoding routines:d2i_Netscape_RSA:decoding error:n_pkey.c:242:

Then I used  "openssl asn1parse -inform DER -in file.key" and I got this:

    0:d=0  hl=4 l= 710 cons: SEQUENCE
    4:d=1  hl=2 l=  64 cons: SEQUENCE
    6:d=2  hl=2 l=   9 prim: OBJECT            :PBES2
   17:d=2  hl=2 l=  51 cons: SEQUENCE
   19:d=3  hl=2 l=  27 cons: SEQUENCE
   21:d=4  hl=2 l=   9 prim: OBJECT            :PBKDF2
   32:d=4  hl=2 l=  14 cons: SEQUENCE
   34:d=5  hl=2 l=   8 prim: OCTET STRING
   44:d=5  hl=2 l=   2 prim: INTEGER           :0800
   48:d=3  hl=2 l=  20 cons: SEQUENCE
   50:d=4  hl=2 l=   8 prim: OBJECT            :des-ede3-cbc
   60:d=4  hl=2 l=   8 prim: OCTET STRING
   70:d=1  hl=4 l= 640 prim: OCTET STRING

Hope you can help,

Roberto




Re: Signing a file

Dr. Stephen Henson
On Tue, Aug 30, 2005, Roberto Arias Alegria wrote:

> Hello Stephen,
>
> Thanks for helping me, I'm new using open-ssl I really appreciate your support.
>
> Then I used  "openssl asn1parse -inform DER -in file.key" and I got this:
>
>     0:d=0  hl=4 l= 710 cons: SEQUENCE
>     4:d=1  hl=2 l=  64 cons: SEQUENCE
>     6:d=2  hl=2 l=   9 prim: OBJECT            :PBES2
>    17:d=2  hl=2 l=  51 cons: SEQUENCE
>    19:d=3  hl=2 l=  27 cons: SEQUENCE
>    21:d=4  hl=2 l=   9 prim: OBJECT            :PBKDF2
>    32:d=4  hl=2 l=  14 cons: SEQUENCE
>    34:d=5  hl=2 l=   8 prim: OCTET STRING
>    44:d=5  hl=2 l=   2 prim: INTEGER           :0800
>    48:d=3  hl=2 l=  20 cons: SEQUENCE
>    50:d=4  hl=2 l=   8 prim: OBJECT            :des-ede3-cbc
>    60:d=4  hl=2 l=   8 prim: OCTET STRING
>    70:d=1  hl=4 l= 640 prim: OCTET STRING
>
> Hope you can help,
>

That looks like PKCS#8 format. Try:

openssl pkcs8 -inform DER -in file.key -out file.pem

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Signing a file

Roberto Arias Alegria
I want to be like you!

Exactly, the file is in PKCS #8 format, that command worked perfectly,
I entered my password and worked well.

Now I want to sign a file. You said that I should use the -sign
option in the dgst command, right? Since I also need a md5 hash of my
string I tried:

openssl dgst -md5 -sign key.pem -out signed originalFile.txt

It is supposed that I should sign using the RSA algorithm, so not sure
where do I tell that to openssl.


Roberto




RES: Signing a file

Cleidson
Hi,
I have the same problem with my private keys (I have a proprietary software
that produce a private key, and I wanna use it in Openssl), but I used the
command
"openssl asn1parse -inform DER -in file.key" and I got this:

    0:d=0  hl=4 l= 630 cons: SEQUENCE
    4:d=1  hl=2 l=   1 prim: INTEGER           :00
    7:d=1  hl=2 l=  13 cons: SEQUENCE
    9:d=2  hl=2 l=   9 prim: OBJECT            :rsaEncryption
   20:d=2  hl=2 l=   0 prim: NULL
   22:d=1  hl=4 l= 608 prim: OCTET STRING

Any help will be appreciated.

Cleidson Correia


Re: Signing a file

Dr. Stephen Henson
In reply to this post by Roberto Arias Alegria
On Wed, Aug 31, 2005, Roberto Arias Alegria wrote:

> I want to be like you!
>
> Exactly, the file is in PKCS #8 format, that command worked perfectly,
> I entered my password and worked well.
>
> Now I want to sign a file. You said that I should use the -sign
> option in the dgst command, right? Since I also need a md5 hash of my
> string I tried:
>
> openssl dgst -md5 -sign key.pem -out signed originalFile.txt
>
> It is supposed that I should sign using the RSA algorithm, so not sure
> where do I tell that to openssl.
>
>

That command will digest using MD5 and sign the digest using whatever
algorithm (if any) is appropriate to the key type and digest.

Since only RSA supports MD5 digest signing that command already does what you
want or it would give an error.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
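
The difference between the two commands contrasted in this thread, as an added example (not from the posts and not OpenSSL's code): `rsautl -sign` with its default PKCS#1 padding signs the input bytes themselves, while `dgst -sign` hashes the file and signs a DigestInfo-wrapped digest. The key is a constructed toy built from two public Mersenne primes, and every function name is illustrative.

```python
# Added illustration: RSA PKCS#1 v1.5 signing with and without the DigestInfo
# wrapper. TOY KEY made of two public Mersenne primes: never use it for real data.
import hashlib

P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8              # modulus size in bytes

# DER prefix of DigestInfo (AlgorithmIdentifier + OCTET STRING header) per digest.
DIGEST_INFO = {
    "md5": bytes.fromhex("3020300c06082a864886f70d020505000410"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def pad_type1(payload):
    """Build the PKCS#1 v1.5 signature block: 00 01 FF..FF 00 || payload."""
    if len(payload) > K - 11:
        raise ValueError("payload too long for this modulus")
    return b"\x00\x01" + b"\xff" * (K - len(payload) - 3) + b"\x00" + payload


def rsa_private(block):
    """Apply the private-key operation to a K-byte block."""
    return pow(int.from_bytes(block, "big"), D, N).to_bytes(K, "big")


def rsautl_style_sign(data):
    """Pad and sign the input bytes themselves: no hash, no DigestInfo."""
    return rsa_private(pad_type1(data))


def dgst_style_sign(message, digest="md5"):
    """Hash the message, wrap the hash in DigestInfo, then pad and sign."""
    h = hashlib.new(digest, message).digest()
    return rsa_private(pad_type1(DIGEST_INFO[digest] + h))


def verify(message, signature, digest="md5"):
    """Rebuild the expected block and compare it whole with the recovered one."""
    value = int.from_bytes(signature, "big")
    if len(signature) != K or value >= N:
        return False
    recovered = pow(value, E, N).to_bytes(K, "big")
    h = hashlib.new(digest, message).digest()
    return recovered == pad_type1(DIGEST_INFO[digest] + h)
```

Because the raw variant has no hash step, any input longer than the modulus size minus 11 bytes is rejected, which is why it does not sign a file of arbitrary length.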

Re: RES: Signing a file

Dr. Stephen Henson
In reply to this post by Cleidson
On Wed, Aug 31, 2005, Cleidson wrote:

> Hi,
> I have the same problem with my private keys (I have a proprietary software
> that produce a private key, and I wanna use it in Openssl), but I used the
> command
> "openssl asn1parse -inform DER -in file.key" and I got this:
>
>     0:d=0  hl=4 l= 630 cons: SEQUENCE
>     4:d=1  hl=2 l=   1 prim: INTEGER           :00
>     7:d=1  hl=2 l=  13 cons: SEQUENCE
>     9:d=2  hl=2 l=   9 prim: OBJECT            :rsaEncryption
>    20:d=2  hl=2 l=   0 prim: NULL
>    22:d=1  hl=4 l= 608 prim: OCTET STRING
>
> Any help will be appreciated.
>

Looks like PKCS#8 unencrypted format. Try:

openssl pkcs8 -inform DER -nocrypt -in file.key

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
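
The identification done by eye from the two `asn1parse` dumps in this thread (Roberto's encrypted key and Cleidson's unencrypted one), as an added example that is not from the posts or from OpenSSL: a minimal DER walker that tells encrypted PKCS#8, unencrypted PKCS#8 and a traditional RSA key apart and names the matching command. The samples are constructed skeletons with zero-filled payloads shaped like the dumps, not real keys; function names are illustrative, and the `openssl rsa -inform DER` suggestion is standard usage rather than something from the thread.

```python
# Added illustration (not OpenSSL code): classify a DER private-key file by its
# outer ASN.1 structure, the way the asn1parse dumps in this thread are read.
SEQ, INT, OCT, OID, NULL = 0x30, 0x02, 0x04, 0x06, 0x05
OIDS = {"2a864886f70d01050d": "PBES2", "2a864886f70d01050c": "PBKDF2",
        "2a864886f70d0307": "des-ede3-cbc", "2a864886f70d010101": "rsaEncryption"}
CMD_ENC = "openssl pkcs8 -inform DER -in file.key -out file.pem"     # from the thread
CMD_PLAIN = "openssl pkcs8 -inform DER -nocrypt -in file.key"        # from the thread
CMD_RSA = "openssl rsa -inform DER -in file.key"    # standard usage, not in the thread

def read_tlv(buf, pos, end):
    """Decode one DER element; return (tag, value_start, value_end)."""
    if pos + 2 > end:
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first == 0x80:                       # e.g. 30 80: BER indefinite length
        raise ValueError("indefinite length: BER, not DER")
    if first < 0x80:                        # short form
        length = first
    else:                                   # long form, e.g. 30 82 02 c6
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise ValueError("element runs past end of data")
    return tag, pos, pos + length

def kids(buf, item):
    """Child elements of a constructed item, each (tag, value_start, value_end)."""
    out, pos = [], item[1]
    while pos < item[2]:
        out.append(read_tlv(buf, pos, item[2]))
        pos = out[-1][2]
    return out

def name(buf, item):
    raw = buf[item[1]:item[2]].hex()
    return OIDS.get(raw, raw)

def classify(der):
    """Return (format, detail, matching openssl command or None)."""
    top = read_tlv(der, 0, len(der))
    parts = kids(der, top) if top[0] == SEQ else []
    tags = [p[0] for p in parts]
    if tags == [SEQ, OCT]:                  # EncryptedPrivateKeyInfo
        alg = kids(der, parts[0])
        detail = name(der, alg[0])
        if detail == "PBES2":               # pull out KDF, iteration count, cipher
            kdf, enc = kids(der, alg[1])
            kdf_oid, kdf_par = kids(der, kdf)[:2]
            iters = kids(der, kdf_par)[1]
            count = int.from_bytes(der[iters[1]:iters[2]], "big")
            detail = "PBES2 %s iter=%d %s" % (
                name(der, kdf_oid), count, name(der, kids(der, enc)[0]))
        return ("pkcs8-encrypted", detail, CMD_ENC)
    if tags[:3] == [INT, SEQ, OCT]:         # PrivateKeyInfo, unencrypted
        return ("pkcs8-unencrypted", name(der, kids(der, parts[1])[0]), CMD_PLAIN)
    if len(tags) == 9 and set(tags) == {INT}:   # PKCS#1 RSAPrivateKey
        return ("traditional-rsa", "9 INTEGERs", CMD_RSA)
    return ("unknown", "top-level tags: " + " ".join("%02x" % t for t in tags), None)

def tlv(tag, value):
    """Minimal DER encoder, used only to build the constructed samples."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value
def oid(hexstr):
    return tlv(OID, bytes.fromhex(hexstr))

# Constructed skeletons with zero-filled payloads, shaped like the two dumps.
ENCRYPTED_SAMPLE = tlv(SEQ, tlv(SEQ, oid("2a864886f70d01050d") + tlv(SEQ,
    tlv(SEQ, oid("2a864886f70d01050c") + tlv(SEQ, tlv(OCT, bytes(8)) + tlv(INT, b"\x08\x00")))
    + tlv(SEQ, oid("2a864886f70d0307") + tlv(OCT, bytes(8)))))
    + tlv(OCT, bytes(640)))
PLAIN_SAMPLE = tlv(SEQ, tlv(INT, b"\x00")
    + tlv(SEQ, oid("2a864886f70d010101") + tlv(NULL, b"")) + tlv(OCT, bytes(608)))
RSA_SAMPLE = tlv(SEQ, tlv(INT, b"\x00") + tlv(INT, b"\x01") * 8)
```

On a real file, pass the raw bytes read from the `.key` file to `classify()`; a file that begins with `-----BEGIN` is PEM rather than DER and has to be base64-decoded first.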

RES: RES: Signing a file

Cleidson
That command worked just fine.

Thanks a lot.

Cleidson Correia



Re: Signing a file

Roberto Arias Alegria
In reply to this post by Dr. Stephen Henson
OK, perfectly, just what I needed. Let me try it with my real file I
think I can do the rest of what I need for myself.

Thanks again!

Roberto


Re: Signing a file

Roberto Arias Alegria
Me again,

Reading further in the specifications, I found out that the software
that builds the private and public keys is using PKCS #10, it is
important that I used

openssl pkcs8 -inform DER -in mykey.key -out mykey.pem

to convert my private key?

Just to know, it worked perfectly.


Roberto



Re: Signing a file

Dr. Stephen Henson
On Wed, Aug 31, 2005, Roberto Arias Alegria wrote:

> Me again,
>
> Reading further in the specifications, I found out that the software
> that builds the private and public keys is using PKCS #10, it is
> important that I used
>
> openssl pkcs8 -inform DER -in mykey.key -out mykey.pem
>
> to convert my private key?
>

PKCS#10 isn't a private key format standard, it's a certificate request format.

If the above command worked then it's pretty certain the private key is in
PKCS#8 format.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Handling expired certificates

david kine
My application requires a feature that allows
connection to secure servers whose certificates may
have expired.

I suppose that the OpenSSL verify callback function,
set with the function SSL_CTX_set_verify(), can
inspect an error condition and return "true" to
establish the secure connection.

My question is what condition should the verify
callback function check for, in order to allow a
secure connection when the peer's certificate is
expired.

Thanks,

-David


               

Re: Handling expired certificates

david kine
I think that I found the answer - get the error code
from the X509_STORE_CTX and check for the value
X509_V_ERR_CERT_HAS_EXPIRED (defined in x509_vfy.h).

-David
