Re: [openssl-users] ECDSA Certificate does not work

2016-04-28 Thread Danny
AH!
Thanks man.
My postfix server seems to work now with ciphers-sets using ECDSA!
I just wish openssl would have complained about it (or had given me a
warning or something).

Anyway, I'm using Postfix 2.11, but either way, I like it when I can
do things manually. :P

Thanks.

On 4/28/16, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:
> On Thu, Apr 28, 2016 at 07:44:53AM +0200, Danny wrote:
>
>> I've been trying to get an ECDSA certificate to work with a Postfix
>> installation lately.
>
> See also http://www.postfix.org/postfix-tls.1.html, which does all
> the magic to create RSA and/or ECDSA keys for Postfix 3.1 or later.
>
> # postfix tls new-server-cert -a ecdsa -b secp521r1
>
> --
>   Viktor.
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>


[openssl-users] ECDSA Certificate does not work

2016-04-27 Thread Danny
Dear OpenSSL users,

I've been trying to get an ECDSA certificate to work with a postfix
installation lately. However, it seems that when I try to use the aECDSA
protocol with a client the server gives "no shared cipher" errors.

I had created the certificate like the following:

openssl ecparam -name secp521r1 -genkey -param_enc explicit \
    -out private/ec-email-server.pem
openssl req -new -x509 -key private/ec-email-server.pem \
    -out certs/ec-email-server.pem -days 365

Now, when I test the certificate with s_server and s_client like:

openssl s_server -accept 123 -cert /etc/ssl/certs/ec-email-server.pem \
    -key /etc/ssl/private/ec-email-server.pem
openssl s_client -connect localhost:123

I still get "no shared cipher" errors.
I'm guessing openssl restricts the ciphers to those ciphers that use
ECDSA as authentication.
However, maybe openssl doesn't allow me (for some reason) to use ECDSA.
I'm using Debian and my openssl version is:
OpenSSL 1.0.1k 8 Jan 2015

Does anyone know where the issue lies?
Thank you
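
Added example (not part of the original message): the ecparam command above writes the key with -param_enc explicit, i.e. with the full curve parameters instead of the curve's OID. Assuming that encoding is what produced the "no shared cipher" error (the reply that named the fix is not on this page), the script below reports which encoding a key file uses; the helper name and the demo file names are made up.

```sh
#!/bin/sh
# Added example, not from the thread. Assumption: the handshake failed
# because the key was written with explicit curve parameters; TLS
# identifies curves by name, so such a key cannot be matched to one.

# ec_param_encoding FILE (hypothetical helper)
# Prints "named_curve", "explicit" or "unknown" for the EC PRIVATE KEY
# block in FILE. The decision is made on the ASN.1 item inside the
# [0] parameters field: an OBJECT is a curve OID, a SEQUENCE is a full
# set of explicit domain parameters.
ec_param_encoding() {
    sed -n '/BEGIN EC PRIVATE KEY/,/END EC PRIVATE KEY/p' "$1" |
        openssl asn1parse 2>/dev/null |
        awk '
            seen && /OBJECT/   { print "named_curve"; hit = 1; exit }
            seen && /SEQUENCE/ { print "explicit";    hit = 1; exit }
            seen               { exit }
            /cont \[ 0 \]/     { seen = 1 }
            END                { if (!hit) print "unknown" }'
}

# Demo with two freshly generated keys (constructed file names).
demo() {
    dir=$(mktemp -d) || return 1
    for enc in explicit named_curve; do
        openssl ecparam -name secp521r1 -genkey -param_enc "$enc" \
            -out "$dir/$enc.pem" 2>/dev/null
        echo "$enc.pem: $(ec_param_encoding "$dir/$enc.pem")"
    done
    rm -rf "$dir"
}
demo
```

A certificate made from an explicit-parameter key carries the same encoding in its public key, so it has to be reissued from a named_curve key as well.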


Compilation of openssl for arm platform

2006-08-09 Thread danny (sent by Nabble.com)

Dear Friends,
   I have a problem compiling an SSL application for the ARM platform. I am
using arm-linux-gcc and openssl version 0.9.8a or 0.9.7a for the
compilation. I face the following problems.

It's giving me an error related to libssl.a and libcrypto.a, saying skipping
incompatible libssl.a and libcrypto.a when searching for -lssl and -lcrypto.

Error Message
arm-linux-gcc client.o  common.o  -o sslclient -L/usr/local/ssl/lib -lssl -lcrypto
/usr/lib/gcc-lib/arm-linux/3.4.4/../../../../arm-linux/bin/ld: skipping incompatible /usr/local/ssl/lib/libssl.a when searching for -lssl
/usr/lib/gcc-lib/arm-linux/3.4.4/../../../../arm-linux/bin/ld: skipping incompatible /usr/lib/gcc-lib/arm-linux/3.4.4/../../../../arm-linux/lib/libssl.a when searching for -lssl
/usr/lib/gcc-lib/arm-linux/3.4.4/../../../../arm-linux/bin/ld: skipping incompatible /usr/arm-linux/bin/../lib/libssl.a when searching for -lssl
/usr/lib/gcc-lib/arm-linux/3.4.4/../../../../arm-linux/bin/ld: skipping incompatible /usr/arm-linux/lib/libssl.a when searching for -lssl
/usr/lib/gcc-lib/arm-linux/3.4.4/../../../../arm-linux/bin/ld: cannot find -lssl
make: *** [sslclient] Error 1

Please help me out to solve this problem. Waiting for your reply
Danny
-- 
View this message in context: 
http://www.nabble.com/Compilation-of-openssl-for-arm-platform-tf2077583.html#a5722391
Sent from the OpenSSL - User forum at Nabble.com.

__
OpenSSL Project                  http://www.openssl.org
User Support Mailing List        openssl-users@openssl.org
Automated List Manager           [EMAIL PROTECTED]


how to generate Private for Blowfish, CAST and rc4

2006-02-16 Thread danny ng
Hi,
I am using the 0.9.7e version of openssl and I am having trouble generating the private key for Blowfish, CAST and rc4. I was wondering how I actually go about doing it. I have searched the internet for any command lines related to them but was unable to find any.
Hope there is someone who can give me some advice.
Thank you

Danny Ng
HP:0423750935




Re: Signing a binary file

2003-08-20 Thread Danny Joseph
Dr. Henson,

following your last e-mail.

Yes, I would like to obtain a PKCS#7 data ContentInfo from my binary file:
so can you tell me more about the API albeit function?

And another question : what is the input file format with - signer in smime
function. I have an .509 extension and I have an error message saying unable
to load certificate. Following the examples, I guess it takes a PEM format.
Do you know how to translate a .509 format to a PEM format?

Thank you

Danny

 
Danny Joseph, ing./P. Eng. 
Recherche et Développement 
Research and Development 
[EMAIL PROTECTED] 

Équipement Electroline Equipment Inc. 
8265 boul. St-Michel, Montréal, QC 
H1Z 3E4, Canada
Tel:  +1 (514) 374-6204 ext.447 
Fax: +1 (514) 374-8901 
 

> What I want to do is to take my binary file, encapsulate it in a PKCS #7
> data message (without signing) and then, take this last one and, along with
> the cert and private key, create a PKCS #7 signed data message.
> The requirement for the input file that I have to sign is : it has to be a
> DER-encoded PKCS #7 ContentInfo.

That's how PKCS#7 signedData is normally encapsulated, the signed data is
another PKCS#7 ContentInfo which is of type data for OpenSSL's smime command.

Or do you want to obtain the PKCS#7 data ContentInfo from the binary file too?
If so there isn't an OpenSSL command that can do that at present, though it is
possible to do that with the API albeit a bit messily.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.



RE: Signing a binary file

2003-08-20 Thread Danny Joseph
Thank you very much
Danny


-----Original Message-----
From: Dr. Stephen Henson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 20, 2003 12:46 PM
To: [EMAIL PROTECTED]
Subject: Re: Signing a binary file


On Wed, Aug 20, 2003, Danny Joseph wrote:

> Dr. Henson,
>
> following your last e-mail.
>
> Yes, I would like to obtain a PKCS#7 data ContentInfo from my binary file:
> so can you tell me more about the API albeit function?

Actually this is *very* messy at present. If you look at crypto/pkcs7/pkcs7.h
you'll see OpenSSL's C structure representing the PKCS#7 structure. For many
types the fields are filled in automatically, either by high level API or at
least the low level API.

Things get a bit messier for the data type because it isn't handled by either
API at present.

Fortunately the type is very simple and something like this should do the
trick (error checking omitted for clarity):

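/* needs <openssl/pkcs7.h>; data and datalen are the caller's buffer and length */
PKCS7 *p7;
p7 = PKCS7_new();
/* allocates p7->d.data as an empty OCTET STRING */
PKCS7_set_type(p7, NID_pkcs7_data);
/* copy the content into that OCTET STRING */
ASN1_STRING_set(p7->d.data, data, datalen);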

At that point 'p7' should be a valid PKCS#7 data type.


> And another question : what is the input file format with - signer in smime
> function. I have an .509 extension and I have an error message saying unable
> to load certificate. Following the examples, I guess it takes a PEM format.
> Do you know how to translate a .509 format to a PEM format?

It does indeed expect PEM format. The .x509 may be in DER format. If the file
looks binary then you can try:

openssl x509 -in file.x509 -out file.pem -inform DER

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.


RE: Signing a binary file

2003-08-14 Thread Danny Joseph
What I want to do is to take my binary file, encapsulate it in a PKCS #7
data message (without signing) and then, take this last one and, along with
the cert and private key, create a PKCS #7 signed data message.
The requirement for the input file that I have to sign is : it has to be a
DER-encoded PKCS #7 ContentInfo.


-----Original Message-----
From: Dr. Stephen Henson [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 3:58 PM
To: [EMAIL PROTECTED]
Subject: Re: Signing a binary file


On Tue, Aug 05, 2003, Danny Joseph wrote:

> Thank you for the information but my signed content needs to already be in
> pkcs#7 format before being signed, not in binary.
> That is why I am trying to encapsulate it in pkcs#7.

What do you mean? Do you mean that the PKCS#7 signedData must include the
content? If so the -nodetach option will do that.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
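
Added example (not from the thread): the smime options named across these replies (-sign -binary, -outform DER, -nodetach) put together as a sign-and-verify round trip on a binary file. The throw-away self-signed signer, the file names and the helper function names are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the thread. Signer, file names and helper
# names are constructed for the demo.

# sign_der CONTENT CERT KEY OUT
# -binary: no text canonicalisation, -nodetach: content stays inside the
# structure, -outform DER: raw DER instead of an S/MIME message.
sign_der() {
    openssl smime -sign -binary -nodetach -outform DER \
        -in "$1" -signer "$2" -inkey "$3" -out "$4"
}

# extract_der P7 OUT: check the signature, write the embedded content.
# -noverify skips chain validation only because the demo signer is
# self-signed; with a real signer use -CAfile instead.
extract_der() {
    openssl smime -verify -binary -inform DER -noverify \
        -in "$1" -out "$2" 2>/dev/null
}

# inner_types P7: PKCS#7 content-type OIDs found in the DER file.
inner_types() {
    openssl asn1parse -inform DER -in "$1" |
        grep -o 'pkcs7-[A-Za-z]*' | tr '\n' ' '
}

# roundtrip DIR: create sample inputs in DIR, sign, verify, compare.
roundtrip() {
    # Constructed "binary": NUL and CR/LF bytes plus 4 KiB of random data.
    { printf 'BIN\000\r\n\001'; head -c 4096 /dev/urandom; } > "$1/fw.bin"
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=demo signer' \
        -days 1 -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null || return 1
    sign_der "$1/fw.bin" "$1/cert.pem" "$1/key.pem" "$1/fw.p7" || return 1
    extract_der "$1/fw.p7" "$1/out.bin" || return 1
    cmp -s "$1/fw.bin" "$1/out.bin"
}

tmp=$(mktemp -d) && roundtrip "$tmp" &&
    echo "content recovered intact; types: $(inner_types "$tmp/fw.p7")"
rm -rf "$tmp"
```

The type list starts with pkcs7-signedData followed by pkcs7-data: the signed content is itself wrapped as a ContentInfo of type data, which is the encapsulation described in the replies.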


RE: Signing a binary file

2003-08-14 Thread Danny Joseph
Thank you for the information but my signed content needs to already be in
pkcs#7 format before being signed, not in binary.
That is why I am trying to encapsulate it in pkcs#7.

Danny
Electroline Equipment Inc, Montreal 
* Tel:  (514) 374-6204  #447 
* Fax:(514) 374-8901 
*E-mail:  [EMAIL PROTECTED] 




-----Original Message-----
From: Dr. Stephen Henson [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 2:59 PM
To: [EMAIL PROTECTED]
Subject: Re: Signing a binary file


On Tue, Aug 05, 2003, Danny Joseph wrote:

> Thank you Mr. Henson,
>
> I only have one problem: it takes a PKCS#7 file in input but mine is binary.
> I tried with the -binary command but it still says that it can not read the
> S/MIME message, so it does not recognise my file as a binary one.
> Any suggestion?

If you are using 'openssl smime -sign -binary ...' it takes the content to be
signed as its input which can be in any format.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.


RE: Signing a binary file

2003-08-05 Thread Danny Joseph
Thank you Mr. Henson,

I only have one problem: it takes a PKCS#7 file in input but mine is binary.
I tried with the -binary command but it still says that it can not read the
S/MIME message, so it does not recognise my file as a binary one.
Any suggestion?

Danny
Electroline Equipment Inc, Montreal 
 Tel:  (514) 374-6204  #447 
 Fax:(514) 374-8901 
 E-mail:  [EMAIL PROTECTED] 





-----Original Message-----
From: Dr. Stephen Henson [mailto:[EMAIL PROTECTED]
Sent: Monday, August 04, 2003 2:48 PM
To: [EMAIL PROTECTED]
Subject: Re: Signing a binary file


On Mon, Aug 04, 2003, Danny Joseph wrote:

> I am new in the openssl world so my questions might be basic.
> I have a binary code file that I have to sign (using a private key and one
> or more certificates).
> It has to be PKCS#7 (SHA1 with RSA encryption) DER encoded Signed Data.
> So :
> 1- I have to create a PKCS#7 data message from my binary file.
> 2- Sign this last PKCS#7 file - In my signed data, there will be
> one (or more) certificates along with their Signing Info. I need to put a
> signing time as well.
>
> There is the pkcs7 to create a PKCS#7 file from my binary file but it has
> to be PEM or DER input.
> Then, there is the crl2pkcs7 function to add certificates to the PKCS#7
> file, without crl in my case.
> Then, I have to sign the whole thing with a SigningTime. I read on the
> x509(1) function along with the req.
> I saw rsautl as well as dgst(1) but I am a little bit lost in all those
> functions and their differences.
> Any suggestions to help me through this
> Tx

You should look at the smime command, it does most or all of what you want. By
default it uses S/MIME format and text translation but if you use the -binary
and -outform DER options it should be more suited to your needs.

Signing time is added automatically.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.


Signing a binary file

2003-08-04 Thread Danny Joseph
I am new in the openssl world so my questions might be basic.
I have a binary code file that I have to sign (using a private key and one
or more certificates).
It has to be PKCS#7 (SHA1 with RSA encryption) DER encoded Signed Data.
So :
  1- I have to create a PKCS#7 data message from my binary file.
  2- Sign this last PKCS#7 file - In my signed data, there will be
one (or more) certificates along with their Signing Info. I need to put a
signing time as well.

There is the pkcs7 to create a PKCS#7 file from my binary file but it has
to be PEM or DER input.
Then, there is the crl2pkcs7 function to add certificates to the PKCS#7
file, without crl in my case.
Then, I have to sign the whole thing with a SigningTime. I read on the
x509(1) function along with the req.
I saw rsautl as well as dgst(1) but I am a little bit lost in all those
functions and their differences.
Any suggestions to help me through this
Tx
 
 Danny Joseph
 Electroline Equipment Inc, Montreal 
 * Tel:  (514) 374-6204  #447 
 * Fax:(514) 374-8901 
 *E-mail:  [EMAIL PROTECTED] 
 
 
 