I will just put this code here. It is not panacea, as it doesn’t deal with FreeBSD, but it is helpful in most cases when all you need is to support Windows and and say Debian. Of course, the clean solution assumes usage of CRYPTO_THREADID_* family introduced recently. (to give an idea, it has a … Read more
but my problem is, this callback function is being executed after execution of “SSL_accept” function, but I have to choose and use the appropriate certificate before using “SSL_new” command, which is way before execution of SSL_accept. When you start your server, you provide a default SSL_CTX. This is used for non-SNI clients, like SSLv3 clients … Read more
Thanks to the contributing answer by Aleksi, I found a bug/feature request that already requested this very thing: http://bugs.python.org/issue18233. Though the changes haven’t been finalized, yet, they do have a patch that makes this available: This is the test code which I’ve stolen from some forgotten source and reassembled: import socket from ssl import wrap_socket, … Read more
Below is the procedure I used to build OpenVPN with OpenSSL 1.0.2. OpenSSL 1.0.1 vs. 1.0.2 vs. 1.1.0 should not matter. However, some Configure scripts dies on OpenSSL 1.1.0 because 1.1.0 uses OPENSSL_init_ssl rather than SSL_library_init. Note the use of RPATH’s on Linux (OS X would use a different technique). OpenSSL configuration options are mostly … Read more
A possible explanation for this behaviour: The standard PKCS#12 provider up to Java 7 did not allow trusted certificate entries at all. The JSSE Reference Guide says this: Storing trusted certificates in a PKCS12 keystore is not supported. PKCS12 is mainly used to deliver private keys with the associated certificate chains. It does not have … Read more
To get rid of compilation error in Joe H’s answer: sk_SSL_COMP_free(SSL_COMP_get_compression_methods());
Your .key and .crt files may be in PEM format. To check this open them with a text editor and check whether the content looks like ——BEGIN CERTIFICATE—— (or “begin RSA private key”…). This is generally the default format used by OpenSSL, unless you’ve explicitly specified DER. It’s probably not required (see below), but if … Read more
If I run the following command from my development box: $ openssl s_client -connect github.com:443 I get the following last line of output: Verify return code: 20 (unable to get local issuer certificate) You are missing DigiCert High Assurance EV CA-1 as a root of trust: $ openssl s_client -connect github.com:443 CONNECTED(00000003) depth=1 C = … Read more
The default path where certificates are looked up might be different on each platform. You can lookup your system configuration using the following command: $ openssl version -d OPENSSLDIR: “/etc/pki/tls”