RE: Is Sha2 supported for signing certs?

2012-06-14 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Patrick Patterson
> Sent: Wednesday, 13 June, 2012 15:59
> To: openssl-users@openssl.org
> Subject: Re: Is Sha2 supported for signing certs?
> 
> Hi Pushkar,
> 
> Don't use the -md option - just use -sha256 directly.

Nope. -sha256 is correct for command-line req including req -x509,
and x509 including x509 -req, but not ca. ca uses -md sha256.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


Re: Is Sha2 supported for signing certs?

2012-06-14 Thread Patrick Patterson
Hi Pushkar,

Don't use the -md option - just use -sha256 directly.

Have fun.

Patrick.

On 2012-06-13, at 2:11 PM, Pushkar Pathak wrote:

> Hi All,
> 
> I am trying to sign a certificate with SHA2. I have my own CA certificate
> and want to sign an end entity certificate with sha2. Is SHA 2 supported?
> 
> The commands that I tried were
> 
> openssl ca  -md sha2 
> openssl ca  -md sha256
> 
> I am using openssl versioned OpenSSL 1.0.1c 10 May 2012.
> 
> Let me know.
> 
> thanks
> Pushkar

---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca






Re: Is Sha2 supported for signing certs?

2012-06-13 Thread Pushkar Pathak
Yes, it worked this time; maybe I was picking up the older openssl.

FYI -

On Wed, Jun 13, 2012 at 3:06 PM, Dr. Stephen Henson wrote:

> On Wed, Jun 13, 2012, Pushkar Pathak wrote:
>
> > Hi All,
> >
> > I am trying to sign a certificate with SHA2. I have my own CA certificate
> > and want to sign an end entity certificate with sha2. Is SHA 2 supported?
> >
> > The commands that I tried were
> >
> > openssl ca  -md sha2 
> > openssl ca  -md sha256
> >
> > I am using openssl versioned OpenSSL 1.0.1c 10 May 2012.
> >
>
> As others have indicated it should be possible to use -md sha256. Another
> option is the default_md option in openssl.cnf. See the ca manual page for
> more details.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org


Re: Is Sha2 supported for signing certs?

2012-06-13 Thread Dr. Stephen Henson
On Wed, Jun 13, 2012, Pushkar Pathak wrote:

> Hi All,
> 
> I am trying to sign a certificate with SHA2. I have my own CA certificate
> and want to sign an end entity certificate with sha2. Is SHA 2 supported?
> 
> The commands that I tried were
> 
> openssl ca  -md sha2 
> openssl ca  -md sha256
> 
> I am using openssl versioned OpenSSL 1.0.1c 10 May 2012.
> 

As others have indicated it should be possible to use -md sha256. Another
option is the default_md option in openssl.cnf. See the ca manual page for
more details.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: Is Sha2 supported for signing certs?

2012-06-13 Thread Hanno Böck
On Wed, 13 Jun 2012 11:11:50 -0700
Pushkar Pathak wrote:

> openssl ca  -md sha256

This one works - however, openssl ca --help doesn't mention it.
So it's undocumented, but works.

I've used it to do this test installation:
https://sha2.hboeck.de/

"sha2" can't work, because there is no sha2-algorithm. sha2 is an
(afaik unofficial) name for a whole number of functions - sha256,
sha384, sha512 and sha224.

-- 
Hanno Böck  mail/jabber: ha...@hboeck.de
GPG: BBB51E42   http://www.hboeck.de/




Re: Is Sha2 supported for signing certs?

2012-06-13 Thread Pushkar Pathak
Thanks Josh!


On Wed, Jun 13, 2012 at 12:13 PM, Joshua Bowman wrote:

> On 6/13/2012 11:11 AM, Pushkar Pathak wrote:
> > Hi All,
> >
> > I am trying to sign a certificate with SHA2. I have my own CA
> certificate and want to sign an
> > end entity certificate with sha2. Is SHA 2 supported?
> >
> > The commands that I tried were
> >
> > openssl ca  -md sha2 
> > openssl ca  -md sha256
> >
> > I am using openssl versioned OpenSSL 1.0.1c 10 May 2012.
> >
> > Let me know.
> >
> > thanks
> > Pushkar
>
> There are patches sitting on the bugtracker to enable that functionality,
> but right now the only
> way to do it is to use the API, as far as I know.
>
> Joshua Bowman


Re: Is Sha2 supported for signing certs?

2012-06-13 Thread Joshua Bowman
On 6/13/2012 11:11 AM, Pushkar Pathak wrote:
> Hi All,
>
> I am trying to sign a certificate with SHA2. I have my own CA certificate and
> want to sign an end entity certificate with sha2. Is SHA 2 supported?
>
> The commands that I tried were 
>
> openssl ca  -md sha2 
> openssl ca  -md sha256
>
> I am using openssl versioned OpenSSL 1.0.1c 10 May 2012. 
>
> Let me know.
>
> thanks
> Pushkar

There are patches sitting on the bugtracker to enable that functionality, but
right now the only way to do it is to use the API, as far as I know.

Joshua Bowman


Re: how to use ecdsa-with-sha2 algorithm with ecdsa signature algorithm

2010-09-27 Thread adkelkar

Hi Rajan,
Badly stuck at the ecdsa with sha256 and sha384 cert and key generation.
Have really short deadlines.
Tried hunting lots.

Finally found this but didn't see any reply to your query.
Hope you got your answer.

Can you please help me in generating this cert and key?

Regards,
-Amol




rajanchittil wrote:
> 
> Hi all,
> 
> I tried to generate a certificate with the ecdsa algorithm, but whenever I
> displayed the certificate, I could see the
> following signature algorithm:
> 
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 58:7C:AD:AF:E4:4D:AF:E8:37:E8:81:DC:49:C8:B0:6F:2D:CD:A4:18
>             X509v3 Authority Key Identifier:
>                 keyid:58:7C:AD:AF:E4:4D:AF:E8:37:E8:81:DC:49:C8:B0:6F:2D:CD:A4:18
>                 DirName:/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test CA (Elliptic curve secp160r1)
>                 serial:E3:87:8E:A5:E8:D7:9C:23
>
>             X509v3 Basic Constraints:
>                 CA:TRUE
>     Signature Algorithm: ecdsa-with-SHA1
> 
> I want to use ecdsa-with-SHA2 algorithm .
> 
> These are the steps I followed to generate the certificate:
> 
> 1. Generating curve parameters
> 
> openssl ecparam -name prime192v2 -out server.pem
> 
> 2. Generate a new certificate request 
> 
> openssl req -nodes  -keyout server.key.pem -newkey ec:server.pem -new -out
> server.req.pem
> 
> 3. Sign the certificate request  using the CA certificate 
> 
> openssl x509 -req -in server.req.pem -CA CA_File.cert.pem -CAkey
> CAFile.key.pem -out server.cert.pem -CAcreateserial
> 
> 4.  Display the certificate
> 
> openssl x509  -in server.cert.pem -text
> 
> Can you guide me on how to use the ecdsa-with-SHA2 algorithm? Please help.
> 
> Thanks
> 
> Rajan
>  
> 



how to use ecdsa-with-sha2 algorithm with ecdsa signature algorithm

2009-04-27 Thread rajanchittil

Hi all,

I tried to generate a certificate with the ecdsa algorithm, but whenever I
displayed the certificate, I could see the
following signature algorithm:

        X509v3 extensions:
            X509v3 Subject Key Identifier:
                58:7C:AD:AF:E4:4D:AF:E8:37:E8:81:DC:49:C8:B0:6F:2D:CD:A4:18
            X509v3 Authority Key Identifier:
                keyid:58:7C:AD:AF:E4:4D:AF:E8:37:E8:81:DC:49:C8:B0:6F:2D:CD:A4:18
                DirName:/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test CA (Elliptic curve secp160r1)
                serial:E3:87:8E:A5:E8:D7:9C:23

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: ecdsa-with-SHA1

I want to use ecdsa-with-SHA2 algorithm .

These are the steps I followed to generate the certificate:

1. Generating curve parameters

openssl ecparam -name prime192v2 -out server.pem

2. Generate a new certificate request 

openssl req -nodes  -keyout server.key.pem -newkey ec:server.pem -new -out
server.req.pem

3. Sign the certificate request  using the CA certificate 

openssl x509 -req -in server.req.pem -CA CA_File.cert.pem -CAkey
CAFile.key.pem -out server.cert.pem -CAcreateserial

4.  Display the certificate

openssl x509  -in server.cert.pem -text

Can you guide me on how to use the ecdsa-with-SHA2 algorithm? Please help.

Thanks

Rajan
 
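The "Signature Algorithm:" line Rajan reads off `openssl x509 -text` comes from the certificate's signatureAlgorithm OID, and "sha2" names a family rather than one algorithm (as Hanno points out in the 2012 thread), so a check over a certificate inventory has to map each OID to a specific hash. The following is an added example, not code from any of these posts or from OpenSSL: a stdlib-only Python walker that reads that OID straight from DER and reports RSA/ECDSA with SHA-1 versus SHA-256/SHA-384. The OID table is deliberately short, and the sample certificate it parses is constructed (it is not a real certificate).

```python
# Signature-algorithm OIDs (RFC 3279 / RFC 5758) -> (scheme, hash); extend as needed.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": ("RSA", "SHA-1"),
    "1.2.840.113549.1.1.11": ("RSA", "SHA-256"),
    "1.2.840.113549.1.1.12": ("RSA", "SHA-384"),
    "1.2.840.10045.4.1": ("ECDSA", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ECDSA", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ECDSA", "SHA-384"),
}

def _tlv(buf, pos, want):
    """Parse the DER TLV at pos, check its tag, return (value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag != want:
        raise ValueError(f"tag 0x{tag:02x} at offset {pos - 2}, expected 0x{want:02x}")
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def decode_oid(raw):
    """DER OID content octets -> dotted string (base-128 arcs, high bit = continue)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_hash(cert_der):
    """(scheme, hash) named by the certificate's outer signatureAlgorithm field."""
    start, _ = _tlv(cert_der, 0, 0x30)                  # Certificate ::= SEQUENCE
    _, tbs_end = _tlv(cert_der, start, 0x30)            # tbsCertificate, skipped whole
    alg_start, _ = _tlv(cert_der, tbs_end, 0x30)        # signatureAlgorithm
    oid_start, oid_end = _tlv(cert_der, alg_start, 0x06)
    oid = decode_oid(cert_der[oid_start:oid_end])
    return SIG_OIDS.get(oid, ("unknown", oid))          # unknown is reported, never guessed

def _der(tag, content):
    n = len(content)                                    # short form below 128, else 2-octet long form
    return (bytes([tag, n]) if n < 0x80 else bytes([tag, 0x82]) + n.to_bytes(2, "big")) + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]          # inverse of decode_oid, for the sample only
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return bytes(out)

def fake_cert(sig_oid):
    tbs = _der(0x30, _der(0x04, b"\x00" * 200))         # CONSTRUCTED sample, not a real cert: opaque filler
    alg = _der(0x30, _der(0x06, encode_oid(sig_oid)))   # forces long-form lengths like a real certificate
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))
```

The outer signatureAlgorithm is what `openssl x509 -text` prints; a real inventory check would feed `signature_hash()` the DER of each certificate (PEM decoded with base64) and flag anything mapping to "SHA-1".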


Re: No NID for SHA2 (was Re: unable to verify PKCS#7 objects signed with BC(CMS))

2008-05-29 Thread Victor Duchovni
On Wed, May 28, 2008 at 02:23:44PM -0500, [EMAIL PROTECTED] wrote:

> On Tue, May 27, 2008 at 03:23:27PM -0500, [EMAIL PROTECTED] wrote:
> > So a developer at my company is having a problem.
> > 
> > When our business partner signs a data object using Bouncy Castle
> > (PKCS#7 CMS), outputs PEM, and we use OpenSSL and read it in, that
> > works fine, but when we try to get the data out of it, we're getting a
> > null string.
> > 
> > My hunch is that PKCS7_dataDecode(p7, NULL, NULL, NULL) is returning
> > null, but our library code is not throwing an exception.
> > 
> > Does anyone have any experience with OpenSSL being unable to parse
> > PKCS#7 objects created by BouncyCastle?
> 
> Problem is that remote peer is using DIGEST::SHA256.
> 
> EVP_get_digestbynid() is failing, apparently lacking support for SHA256.
> 
> I examined the latest OpenSSL distro and can't find any reference to
> SHA256 in object.h; does anyone know if this is supported?

You need 0.9.8, and SSL_library_init() is not sufficient: it adds only
the SSL algorithms. You also need to call:

void OpenSSL_add_all_algorithms(void);
OR
void OpenSSL_add_all_digests(void);

-- 
Viktor.


No NID for SHA2 (was Re: unable to verify PKCS#7 objects signed with BC(CMS))

2008-05-29 Thread travis+ml-users
On Tue, May 27, 2008 at 03:23:27PM -0500, [EMAIL PROTECTED] wrote:
> So a developer at my company is having a problem.
> 
> When our business partner signs a data object using Bouncy Castle
> (PKCS#7 CMS), outputs PEM, and we use OpenSSL and read it in, that
> works fine, but when we try to get the data out of it, we're getting a
> null string.
> 
> My hunch is that PKCS7_dataDecode(p7, NULL, NULL, NULL) is returning
> null, but our library code is not throwing an exception.
> 
> Does anyone have any experience with OpenSSL being unable to parse
> PKCS#7 objects created by BouncyCastle?

Problem is that remote peer is using DIGEST::SHA256.

EVP_get_digestbynid() is failing, apparently lacking support for SHA256.

I examined the latest OpenSSL distro and can't find any reference to
SHA256 in object.h; does anyone know if this is supported?

-- 
Crypto ergo sum.  https://www.subspacefield.org/~travis/
Truth does not fear scrutiny or competition, only lies do.
If you are a spammer, please email [EMAIL PROTECTED] to get blacklisted.


Re: default cipher is SHA2

2008-04-25 Thread Victor Duchovni
On Fri, Apr 25, 2008 at 05:54:05PM -0700, PoWah Wong wrote:

> http://www.openssl.org/docs/apps/ciphers.html has these cipher suites using 
> SHA:
> TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, 
> TLS_DHE_DSS_WITH_AES_256_CBC_SHA, etc.
> Are the SHA in them all SHA1?

Yes.

-- 
Viktor.


Re: default cipher is SHA2

2008-04-25 Thread PoWah Wong
http://www.openssl.org/docs/apps/ciphers.html has these cipher suites using SHA:
TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, 
TLS_DHE_DSS_WITH_AES_256_CBC_SHA, etc.
Are the SHA in them all SHA1?

--- On Fri, 4/25/08, Victor Duchovni <[EMAIL PROTECTED]> wrote:

> From: Victor Duchovni <[EMAIL PROTECTED]>
> Subject: Re: default cipher is SHA2
> To: openssl-users@openssl.org
> Received: Friday, April 25, 2008, 12:48 PM
> On Fri, Apr 25, 2008 at 09:26:45AM -0700, PoWah Wong wrote:
> 
> > For openssl 0.9.8e or higher, the default cipher is
> SHA2 instead of SHA1, isn't it?
> 
> Neither is a cipher, and the default digest algorithm in
> 0.9.8 is "SHA1"
> as opposed to "md5" in 0.9.7 and earlier. There
> are no TLS ciphers that
> use SHA2, so it is premature to make SHA2 the default
> digest.
> 
> -- 
>   Viktor.




Re: default cipher is SHA2

2008-04-25 Thread Victor Duchovni
On Fri, Apr 25, 2008 at 09:26:45AM -0700, PoWah Wong wrote:

> For openssl 0.9.8e or higher, the default cipher is SHA2 instead of SHA1, 
> isn't it?

Neither is a cipher, and the default digest algorithm in 0.9.8 is "SHA1"
as opposed to "md5" in 0.9.7 and earlier. There are no TLS ciphers that
use SHA2, so it is premature to make SHA2 the default digest.

-- 
Viktor.


default cipher is SHA2

2008-04-25 Thread PoWah Wong
For openssl 0.9.8e or higher, the default cipher is SHA2 instead of SHA1, isn't 
it?




SHA2 support with mod_ssl

2007-01-22 Thread Erwann ABALEA
Hello,

I don't know where to submit this, either to the OpenSSL camp, or the
mod_ssl camp, but as Ralf Engelschall also reads this list, I think
it's the right way to go.

A certificate chain with sha224withRSA can't be used for client
authentication, Apache claims that the signature is invalid. I've read
the source, this error is triggered because OpenSSL can't find the
digest algorithm (ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM).

It has been corrected in the Apache2 2.2.x branch, but is still
present in the Apache2 2.0.x one.

The problem is that SSL_library_init() doesn't add all the algorithms
added by OPENSSL_add_all_algorithms(), and particularly not the SHA2
series.

Unfortunately, Apache2 2.0.x calls the former, Apache2 2.2.x the
latter. So, basically, Apache2 is corrected (but an additional call to
OPENSSL_add_all_algorithms() could be a good thing to do), but that
leaves the SSL_library_init() problem: this function should do what is
necessary, and an additional *init* function shouldn't be required.

-- 
Erwann ABALEA <[EMAIL PROTECTED]>


Re: AW: SHA2

2006-10-30 Thread Nils Larsch

[EMAIL PROTECTED] wrote:
> Is there already a stable version of OpenSSL in the field that supports SHA256?

yep, 0.9.8

Cheers,
Nils


AW: SHA2

2006-10-30 Thread thomas.beckmann
Is there already a stable version of OpenSSL in the field that supports SHA256?

Best regards

Thomas 

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Nils Larsch
> Sent: Thursday, 12 May 2005 09:33
> To: openssl-users@openssl.org
> Subject: Re: SHA2
> 
> Milan Tomic wrote:
> >
> > I'm trying to generate self signed certificates with sha256, sha384 and
> > sha512 algorithms for testing purposes. It seems openssl.exe doesn't
> > understand it, although I have downloaded latest version (openssl-0.9.7g).
> 
> try a recent snapshot from 0.9.8-dev (the cvs head)
> 
> Nils


Re: SHA2

2005-05-11 Thread Nils Larsch
Milan Tomic wrote:
> I'm trying to generate self signed certificates with sha256, sha384 and
> sha512 algorithms for testing purposes. It seems openssl.exe doesn't
> understand it, although I have downloaded latest version (openssl-0.9.7g).

try a recent snapshot from 0.9.8-dev (the cvs head)

Nils


SHA2

2005-05-10 Thread Milan Tomic
I'm trying to generate self-signed certificates with sha256, sha384 and sha512 algorithms for testing purposes. It seems openssl.exe doesn't understand it, although I have downloaded the latest version (openssl-0.9.7g).

If openssl.exe can't create it, then please tell me (if somebody knows) where I can download test certificates with a sha2 algorithm.

Thank you in advance,

Milan