comp.lang.ruby

Re: OpenSSL::X509 hash mystifications

leon breedt

3/30/2005 6:22:00 AM

On Tue, 22 Mar 2005 04:10:09 +0900, Magnus Bodin <magnus@bodin.org> wrote:
> When doing peer certificate verifications, one should save the ca_certs
> in the ca_path in a filename that matches the "hash" of the ca_cert with
> the extension '.0'. This works ONLY if you calculate the hash from the
> commandline. HOW DO YOU calculate the 'correct' hash from ruby?
Isn't the extension intended for dealing with collisions?

I.e. what are you supposed to do when you have two certificates in the
same "store" with the same hash, but entirely different DN's?
Increment it to .1?

Just curious,
Leon


1 Answer

Magnus Bodin

3/30/2005 8:21:00 AM

On Wed, Mar 30, 2005 at 03:21:36PM +0900, leon breedt wrote:
>
> I.e. what are you supposed to do when you have two certificates in the
> same "store" with the same hash, but entirely different DN's?
> Increment it to .1?

Yes.

As it says in the openssl srcdocs; (doc/ssl/SSL_CTX_load_verify_locations.pod)

"If more than one CA certificate with the same name hash value exist, the
extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search
is performed in the ordering of the extension number, regardless of other
properties of the certificates."

-- magnus
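
The naming rule discussed in this thread, as an added Ruby example that is not part of the original posts: it derives the file name from `OpenSSL::X509::Name#hash` and takes the first free numeric extension when two CA certificates share a name hash. The helper names, the sample DN and the throwaway certificates are assumptions constructed for illustration.

```ruby
require "openssl"
require "fileutils"
require "tmpdir"

# Throwaway self-signed CA certificate, constructed here as sample input.
def make_sample_ca(dn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1..2**32)
  cert.subject    = cert.issuer = OpenSSL::X509::Name.parse(dn)
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Subject name hash as 8 hex digits. The value comes from the OpenSSL
# library Ruby is linked against, so it matches that library's command line.
def subject_hash(cert)
  format("%08x", cert.subject.hash)
end

# Store cert in ca_path as <hash>.<n>, using the first n not already taken.
# A certificate that is already present (identical DER) is not stored twice.
def install_ca(cert, ca_path)
  FileUtils.mkdir_p(ca_path)
  n = 0
  loop do
    file = File.join(ca_path, "#{subject_hash(cert)}.#{n}")
    unless File.exist?(file)
      File.write(file, cert.to_pem)
      return file
    end
    existing = OpenSSL::X509::Certificate.new(File.read(file))
    return file if existing.to_der == cert.to_der
    n += 1
  end
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    # Same DN, different keys: both certificates get the same name hash.
    2.times { puts install_ca(make_sample_ca("/CN=Constructed Test CA"), dir) }
  end
end
```

The resulting directory can be handed to `OpenSSL::X509::Store#add_path`.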