Re: disabling encryption
Yeah, it does seems to do that. I tested it with s_client and s_server, (s_server with -cipher eNULL),and if client also were not with -cipher -eNULL, then connection failed.So, there might be need to explicitly configure both ends of connection. Citējot navin gopalakrishnan k_nav...@yahoo.com: Hi, I am using openssl-1.0.0d. I would prefer to disable encryption in the ssl protocol and have only authentication integrity. ie application data is sent without encryption. Is there a way to do this is in openssl? Does usage of eNULL in the default cipherlist provides this? Thanks. have a nice day, navin __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: revoking crt
Revoking CA issued certificate requires CA private key. It is necessary to sign CRL. Maybe on that other machine were located your CA? Citējot *Daniel Spannbauer d...@marco.de [1]*: Am 07/18/2011 08:09 PM, schrieb y...@inbox.lv: is that really a self signed certificate? For self signed certificates names of issuer are the same as names of subject. In your example OU and CN are not the same. Also, according to wikipedia, self signed certificates (root certificates) cannot be revoked, although I do not understand why. (CRL could be signed by certificates own key). yes, I think its a self-signed certificate. I did this years ago with a HowTo for OpenVPN. I revoked a certificate 2 years ago on an other machine There the entry in index.txt lokks like this: R 191122112605Z 100607152858Z 0B unknown /C=DE/ST=BY/O=xxx/OU=Ben Zuhause/CN=Ben Zuhause/Email=xxx Regards Daniel Citējot *Daniel Spannbauer d...@marco.de mailto:d...@marco.de*: Hello, I use self-signed certificates for my VPN. Now, I try to revoke a crt. I called: openssl ca -revoke edge.crt -config vpn.conf But I get the error: ERROR:name does not match /C=DE/ST=BY/O=xxx/OU=edge am/CN=edge am/emailAddress=xxx The header of the crt: Certificate: Data: Version: 3 (0x2) Serial Number: 8 (0x8) Signature Algorithm: md5WithRSAEncryption Issuer: C=DE, ST=BY, L=yyy, O=xxx, OU=gate tun1, CN=gate tun1/Email=xxx Validity Not Before: May 14 11:12:27 2010 GMT Not After : May 11 11:12:27 2020 GMT Subject: C=DE, ST=BY, O=xxx, OU=edge am, CN=edge am/Email=xxx Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) The entry in index.txt: V 20051227Z 08 unknown /C=DE/ST=BY/O=xxx/OU=edge am/CN=edge am/Email=xxx In my opinion, there is no error in crt or index.txt. Can anybody help me to find the error? Regards Daniel -- Daniel Spannbauer Software Entwicklung marco Systemanalyse und Entwicklung GmbH Tel +49 8333 9233-27 Fax -11 Rechbergstr. 4 - 6, D 87727 Babenhausen Mobil +49 171 4033220 http://www.marco.de/ Email d...@marco.de Geschäftsführer Martin Reuter HRB 171775 Amtsgericht München __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org -- Daniel Spannbauer Software Entwicklung marco Systemanalyse und Entwicklung GmbH Tel +49 8333 9233-27 Fax -11 Rechbergstr. 4 - 6, D 87727 Babenhausen Mobil +49 171 4033220 http://www.marco.de/ Email d...@marco.de Geschäftsführer Martin Reuter HRB 171775 Amtsgericht München __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org Links: -- [1] mailto:d...@marco.de
Re: revoking crt
is that really a self signed certificate? For self signed certificates names of issuer are the same as names of subject. In your example OU and CN are not the same. Also, according to wikipedia, self signed certificates (root certificates) cannot be revoked, although I do not understand why. (CRL could be signed by certificates own key). Citējot *Daniel Spannbauer d...@marco.de [1]*: Hello, I use self-signed certificates for my VPN. Now, I try to revoke a crt. I called: openssl ca -revoke edge.crt -config vpn.conf But I get the error: ERROR:name does not match /C=DE/ST=BY/O=xxx/OU=edge am/CN=edge am/emailAddress=xxx The header of the crt: Certificate: Data: Version: 3 (0x2) Serial Number: 8 (0x8) Signature Algorithm: md5WithRSAEncryption Issuer: C=DE, ST=BY, L=yyy, O=xxx, OU=gate tun1, CN=gate tun1/Email=xxx Validity Not Before: May 14 11:12:27 2010 GMT Not After : May 11 11:12:27 2020 GMT Subject: C=DE, ST=BY, O=xxx, OU=edge am, CN=edge am/Email=xxx Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) The entry in index.txt: V 20051227Z 08 unknown /C=DE/ST=BY/O=xxx/OU=edge am/CN=edge am/Email=xxx In my opinion, there is no error in crt or index.txt. Can anybody help me to find the error? Regards Daniel -- Daniel Spannbauer Software Entwicklung marco Systemanalyse und Entwicklung GmbH Tel +49 8333 9233-27 Fax -11 Rechbergstr. 4 - 6, D 87727 Babenhausen Mobil +49 171 4033220 http://www.marco.de/ Email d...@marco.de Geschäftsführer Martin Reuter HRB 171775 Amtsgericht München __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org Links: -- [1] mailto:d...@marco.de
RE: revoking crt
If that CRL is trying to revoke that root certificate, what in that CRL could ber forged? CRL can only revoke a CRT, not unrevoke, right? I know, that when revoking a certificate, CRL is signed by certificate issuer (CA), is there a reason, why a (small) CRL could not be signed by cartificate itself? (after all, anyone using leaked private key would be intereseted to delay revocation, but they have no means of preventing it) Citējot *Erik Tkal et...@juniper.net [1]*: Self-signed certs cannot be revoked, because if the private key were compromised then CRLs could be forged. Trusted roots by definition are explicitly trusted, and are usually placed in a secure location (e.g. local system trusted root store), and this set is usually updated as part of the OS. *Erik Tkal* Juniper OAC/UAC/Pulse Development *From:* owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] *On Behalf Of* y...@inbox.lv *Sent:* Monday, July 18, 2011 2:10 PM *To:* openssl-users@openssl.org *Subject:* Re: revoking crt is that really a self signed certificate? For self signed certificates names of issuer are the same as names of subject. In your example OU and CN are not the same. Also, according to wikipedia, self signed certificates (root certificates) cannot be revoked, although I do not understand why. (CRL could be signed by certificates own key). Links: -- [1] mailto:et...@juniper.net
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
sha256 worked. (both for dgst and for req) If i understand correctly, ECDSA algorithm only needs hash as a defined length bitstring, so adapting ripemd in place of sha1 should have been easier than sha256 (because ripemd has the same length as sha1, sha256 is longer). Citējot *Dr. Stephen Henson st...@openssl.org [1]*: On Sat, Jul 16, 2011, y...@inbox.lv wrote: openssl dgst -ripemd160 -sign ec5_ca.key shr.o.txt WARNING: can't open config file: /usr/local/ssl/openssl.cnf Error setting context 5664:error:100C508A:elliptic curve routines:PKEY_EC_CTRL:invalid digest type:.c ryptoecec_pmeth.c:229: AFAIK there is no standard for using ECC with ripemd160. OpenSSL supports SHA1 and SHA2 algorithms with ECC. So if you used -sha256 it should work. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org -- Tavs bezmaksas pasts Inbox.lv Links: -- [1] mailto:st...@openssl.org
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
Version of ECDSA available in openssl 1.0.0d supports only SHA1. (maybe there are patches, which adds other hash functions, but default build on win32 supports only sha1). ECDH and ECDSA are not guaranteed to use the same curve. At least with s_server curve for ECDSA is specified in certificate, but curve for ECDH is specified by -named_curve argument. Other programs probably use something similar. Last time i searched openvpn forums for anything ECC related, did not found anything (probably bad keywords, but also might be lack of ECC support). Citējot *Kyle Hamilton aerow...@gmail.com [1]*: ECDSA is the elliptical curve (discrete-logarithm-based) variant of DSA, the Digital Signature Algorithm. DSA was developed by the US National Security Agency as a means of creating prime-factorization-based signatures without providing code paths which would permit the encryption of arbitrary data. ANSI X9 has object identifiers for ECDSA with a variety of hashes. 1.2.840.10045.4.3. and then one of the following: 1: ECDSA with SHA-224 2: with SHA-256 3: SHA-384 4: SHA-512 The information on the curve in use is part of subjectPublicKeyInfo: Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (521 bit) pub: 04:00:ef:07:81:ff:79:01:d3:10:a4:42:6b:d5:37: a9:ed:6b:a4:1d:20:8a:20:b6:44:34:09:d9:3d:f0: 69:0f:b2:65:3f:d9:dd:68:72:a7:2b:cd:d4:70:e9: cb:21:dd:05:34:1b:4e:42:0f:65:63:5e:b9:24:a6: 40:f6:cc:22:94:ea:3b:01:7f:65:38:09:33:b0:0d: b3:91:b6:1d:4a:a7:9f:17:2e:56:4d:ff:14:d3:aa: 65:5d:3a:3d:ba:c2:d9:30:30:41:73:14:3e:6e:c7: 01:ae:af:52:b6:cc:31:6d:26:dd:39:dc:60:c8:b9: 07:fb:21:38:ec:75:dc:0f:3b:b7:9d:44:35 Field Type: prime-field Prime: 01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff: ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff: ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff: ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff: ff:ff:ff:ff:ff:ff A: 01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff: ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff: ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff: ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff: ff:ff:ff:ff:ff:fc B: 51:95:3e:b9:61:8e:1c:9a:1f:92:9a:21:a0:b6:85: 40:ee:a2:da:72:5b:99:b3:15:f3:b8:b4:89:91:8e: f1:09:e1:56:19:39:51:ec:7e:93:7b:16:52:c0:bd: 3b:b1:bf:07:35:73:df:88:3d:2c:34:f1:ef:45:1f: d4:6b:50:3f:00 Generator (uncompressed): 04:00:c6:85:8e:06:b7:04:04:e9:cd:9e:3e:cb:66: 23:95:b4:42:9c:64:81:39:05:3f:b5:21:f8:28:af: 60:6b:4d:3d:ba:a1:4b:5e:77:ef:e7:59:28:fe:1d: c1:27:a2:ff:a8:de:33:48:b3:c1:85:6a:42:9b:f9: 7e:7e:31:c2:e5:bd:66:01:18:39:29:6a:78:9a:3b: c0:04:5c:8a:5f:b4:2c:7d:1b:d9:98:f5:44:49:57: 9b:44:68:17:af:bd:17:27:3e:66:2c:97:ee:72:99: 5e:f4:26:40:c5:50:b9:01:3f:ad:07:61:35:3c:70: 86:a2:72:c2:40:88:be:94:76:9f:d1:66:50 Order: 01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff: ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff: ff:ff:ff:fa:51:86:87:83:bf:2f:96:6b:7f:cc:01: 48:f7:09:a5:d0:3b:b5:c9:b8:89:9c:47:ae:bb:6f: b7:1e:91:38:64:09 Cofactor: 1 (0x1) Seed: d0:9e:88:00:29:1c:b8:53:96:cc:67:17:39:32:84: aa:a0:da:64:ba Signature Algorithm: ecdsa-with-SHA256 30:81:87:02:41:7b:7d:88:a9:56:e8:d5:a0:f6:38:e7:85:4c: f5:1c:81:64:de:92:25:37:42:2d:31:cb:8b:af:04:32:7b:d7: 06:19:4a:eb:a9:ca:9d:88:38:11:99:bc:2e:2b:35:e6:69:1c: ca:1c:8c:86:7d:74:bc:dd:96:20:8e:38:01:63:15:8b:02:42: 01:66:42:70:5f:2e:cc:fb:1f:f3:d4:96:54:e9:b7:0a:3b:82: ec:b7:90:45:19:c0:ac:4c:ef:82:3d:77:07:e1:4d:13:81:d3: 12:23:bc:84:4f:9b:ac:55:c4:a1:3b:85:08:5a:2f:ae:ad:45: 3f:5f:da:cd:80:45:c9:79:58:d3:79:a2 The curve in use can be named (reducing the size of the subjectPublicKeyInfo), or it can be specified explicitly (like the above). (I included the hash to show that it is indeed legitimate to have a different hash size. I should note that I didn't generate this with OpenSSL, and I don't know how
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
openssl dgst -ripemd160 -sign ec5_ca.key shr.o.txt WARNING: can't open config file: /usr/local/ssl/openssl.cnf Error setting context 5664:error:100C508A:elliptic curve routines:PKEY_EC_CTRL:invalid digest type:.c ryptoecec_pmeth.c:229: Also, in documentation on pkeyutl program is mentioned, that ECDSA supports only sha1 http://www.openssl.org/docs/apps/pkeyutl.html# (subsection EC ALGORITHM) Documentation on dgst program did not mention any limitations for choice of hash, there only was said, that sha1 is preferred choice. That EC key used in failed example above is based on secp521r1 and was generated by openssl. Citējot *Dr. Stephen Henson st...@openssl.org [1]*: On Fri, Jul 15, 2011, y...@inbox.lv wrote: Version of ECDSA available in openssl 1.0.0d supports only SHA1. (maybe there are patches, which adds other hash functions, but default build on win32 supports only sha1). What makes you think that? OpenSSL 0.9.8 only supports SHA1 with ECDSA in things like certificates but 1.0.0 and later should support other hashes such as SHA256. Can you give an example where 1.0.0 is failing? Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org -- Tavs bezmaksas pasts Inbox.lv Links: -- [1] mailto:st...@openssl.org
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
When i searched on it, it seemed that ECDH requires specified named curve, and openVPN does not have a means of specifying it. Also, it seems that ECDSA works only with SHA-1 (I also would like to know, why it cannot take any 160 bit hash). I searched about it few weeks ago and relevant messages were few months old. Citējot *Gaglia san...@paranoici.org [1]*: On 07/05/2011 03:23 PM, Gaglia wrote: I'm trying to make an OpenVPN setup with Elliptic Curves cryptography and SHA-512 on Linux Debian. No idea anybody, really? :( Links: -- [1] mailto:san...@paranoici.org