Re: [openssl-dev] id-kp-OCSPSigning extended key usage

2017-09-12 Thread Erwann Abalea via openssl-dev
Hello, SHALL is not equivalent to a SHOULD, but to a MUST. See RFC2119. Regards, Erwann Abalea On 12 Sept. 2017 at 02:46, Winter Mute <zshr...@gmail.com> wrote: Hello, The RFC <https://tools.ietf.org/html/rfc6960#section-4.2.2.2> states that: OCSP signing delegat

Re: [openssl-dev] [gnutls-devel] Proposal for the ASN.1 form of TPM1.2 and TPM2 keys

2016-12-27 Thread Erwann Abalea
le declared with « EXTENSIBILITY IMPLIED » - they both include the extensibility marker (i.e. they’re slightly modified) If you plan to use BER, CER or DER (and only these), then the parser MUST ignore the extensibility markers (present or not), and work as if they’re present. But that won’t change the ASN.1 definition, only the decoder behaviour. Regards, Erwann Abalea -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-12 Thread Erwann Abalea via RT
you accept, when dealing with crypto, gives you stuff like this: https://www.mozilla.org/en-US/security/advisories/mfsa2014-73/ Regards, Erwann Abalea -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4301 Please log in as guest with password guest if prompted

Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-12 Thread Erwann Abalea
you accept, when dealing with crypto, gives you stuff like this: https://www.mozilla.org/en-US/security/advisories/mfsa2014-73/ Regards, Erwann Abalea

Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-11 Thread Erwann Abalea
et are all zero. This is invalid. There is no additional rule for DER on INTEGERs. Regards, Erwann Abalea

Re: [openssl-dev] Support for TLS SHA2-512?

2015-09-25 Thread Erwann Abalea
dized *SHA512 cipher suite, as you can see. Regards, Erwann Abalea

Re: [openssl-dev] 0.9.8 support after 31 Dec 2015

2015-07-21 Thread Erwann Abalea
cial release? > > The best thing to do will probably be to fork the branch into a new > repository on github and work there. We will not be checking anything into > the "official" stable branch. > Regards, Erwann Abalea

Re: [openssl-dev] Using keys from a hardware accelerator

2015-07-20 Thread Erwann Abalea
You’re looking for ENGINE objects. There’s maybe already an ENGINE directly supporting your hardware module. If your hardware thing has a PKCS#11 library, a PKCS#11 ENGINE exists. Regards, Erwann Abalea > On 20 Jul. 2015 at 17:14, Alexander Gostrer wrote: > > Hi All,

Re: [openssl-dev] verify fails for 3-level cert chain when using X509v3 Authority Key Identifier

2015-06-01 Thread Erwann Abalea
Good evening John, > On 1 June 2015 at 17:20, John Lofgren via RT wrote: > […] > One remaining question. If this extension is "only a helper and MUST NOT be > used to (in)validate a certificate chain" as you say or as the spec says > "non-critical", then why does 'openssl verify' reject this chain?

Re: [openssl-dev] [openssl.org #3886] [BUG] [PATCH] verify fails for 3-level cert chain when using X509v3 Authority Key Identifier

2015-06-01 Thread Erwann Abalea via RT
Hello, > On 30 May 2015 at 09:48, John Lofgren via RT wrote: > > I believe I have pinpointed a typo-error that may be the cause of one or > two other outstanding bugs related to certificate chain validation. This > bug only occurs in a chain of certs at least 3 deep when the certs use > the

Re: [openssl-dev] [openssl.org #3886] [BUG] [PATCH] verify fails for 3-level cert chain when using X509v3 Authority Key Identifier

2015-06-01 Thread Erwann Abalea
Hello, > On 30 May 2015 at 09:48, John Lofgren via RT wrote: > > I believe I have pinpointed a typo-error that may be the cause of one or > two other outstanding bugs related to certificate chain validation. This > bug only occurs in a chain of certs at least 3 deep when the certs use > the

Re: [openssl-dev] OID with length zero related bug

2015-04-09 Thread Erwann Abalea
0 does not identify a signature algorithm (it's the OID { itu-t recommendation }). The decoding step of the "0600" hex sequence correctly produces a "BAD OBJECT", since it's an invalid encoding of an OID. So having an error when decoding such a CSR is a correct behavi

Re: [openssl-dev] [openssl.org #3726] Cocoapods install BUG

2015-03-02 Thread Erwann Abalea
It seems all the tarballs have disappeared. -- Erwann ABALEA On 02/03/2015 18:06, Alex Sklyar via RT wrote: Hello guys. There is an issue with openssl pod installing with cocoapods tool. The URL «https://www.openssl.org/source/openssl-1.0.2.tar.gz» is dead

Re: [openssl-dev] openssl x509 -text incorrectly displays non-latin (non-ansi) symbols (missed '-utf8 option?)

2015-03-02 Thread Erwann Abalea
Hello, Probably an openssl-users question. Use "openssl x509 -text -in localhost-server.crt -nameopt oneline,utf8,-esc_msb" Your terminal must be able to display UTF8 sequences. I sometimes add the "show_type" nameopt option, to check things. -- Erwann ABALEA Le 02/0

Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-22 Thread Erwann Abalea
On 21/12/2014 21:39, Sean Leonard wrote: On 12/21/2014 8:33 AM, Kurt Roeckx wrote: On Sat, Dec 20, 2014 at 02:29:44PM +, Dr. Stephen Henson wrote: On Fri, Dec 19, 2014, Sean Leonard wrote: On Dec 19, 2014, at 11:35 AM, Kurt Roeckx wrote: On Fri, Dec 19, 2014 at 03:05:32PM +, Vik

Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-17 Thread Erwann Abalea
On 17/12/2014 20:17, Viktor Dukhovni wrote: On Wed, Dec 17, 2014 at 10:56:34AM -0800, Sean Leonard wrote: For reference for the group (in case you didn't take a look at the draft), the draft documents the following labels: CERTIFICATE ... Perhaps also "TRUSTED CERTIFICATE"? crypto/pe

Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-17 Thread Erwann Abalea
On 17/12/2014 17:34, Salz, Rich wrote: #define PEM_STRING_X509_PAIR "CERTIFICATE PAIR" (note, this is supposed to encapsulate a CertificatePair structure from X.509) This is not used anywhere in openssl. I just removed it and did a build :) The fact that the fields are named forward

Re: [openssl-dev] Adding GET support to ocsp app

2014-09-26 Thread Erwann Abalea
e* URL encoded. And if by chance the request isn't encoded, your test for the presence of a "+" and current urldecode() job will render this request invalid if it contains a "+" (it can happen in a Base64 encoded string). -- Erwann ABALEA Le 26/09/2014 04:56, Salz, Rich a

Re: [openssl-dev] Adding GET support to ocsp app

2014-09-13 Thread Erwann Abalea
On 11/09/2014 19:45, Salz, Rich wrote: The attached diff adds GET support to ocsp. I'd appreciate any feedback. I don't see where the OCSP request is de-base64-ified, and URL-decoded. In both cases, d2i_OCSP_REQUEST_bio is called to get the request, but it's done directly on the HTTP re

Re: [openssl-dev] Re: [openssl.org #3525] CRL tool doesn't show leading 0's in output

2014-09-13 Thread Erwann Abalea
hen a numeric one. Leading "00" isn't important for the comparison/match. "openssl crl" should print a leading "00" to avoid confusion, but it's not really important. -- Erwann ABALEA

Re: [openssl-dev] Adding GET support to ocsp app

2014-09-12 Thread Erwann Abalea
(trying a resend, my email address has changed) On 11/09/2014 19:45, Salz, Rich wrote: The attached diff adds GET support to ocsp. I'd appreciate any feedback. I don't see where the OCSP request is de-base64-ified, and URL-decoded. In both cases, d2i_OCSP_REQUEST_bio is called to get the

Re: [openssl-dev] nameConstraints : leading "." in permission list items

2014-08-13 Thread Erwann Abalea
Hello, On 13/08/2014 10:57, John Denker wrote: 1) There are actually some people who are using v3 nameConstraints. Not a lot, but some. There will probably be more coming, thanks to Mozilla+CABForum. An example can be found in one of the fully-trusted root certificates that is dis

Re: [openssl-dev] SHA-3 availability

2014-02-12 Thread Erwann Abalea
Hello, SHA3 is not standardized yet. Keccak has been chosen in the end, but its parameters are still debated. I'm pretty sure that once those parameters are fixed in stone, there will be an implementation in OpenSSL. -- Erwann ABALEA On 12/02/2014 11:29, Francis GASCHET wrote

Re: [openssl-users] Re: [openssl-dev] MD5 in openSSL internals

2013-04-23 Thread Erwann Abalea
attack on collision of both MD5 and SHA1 at the same time. -- Erwann ABALEA On 23/04/2013 14:28, David Jacobson wrote: Careful about this. The technically correct answer is misleading. Yes, MD5 is used in the PRF, but it is XORed with SHA1. So you get at least the strength of stronger

Re: [openssl-dev] MD5 in openSSL internals

2013-04-23 Thread Erwann Abalea
ut I think you could define your own with TLS1.0). -- Erwann ABALEA On 23/04/2013 08:29, Venkataragavan Narayanaswamy wrote: Hi, We are currently analyzing and understanding the security strength of the openSSL internal implementation to certify the products. In version 0.9.8d, TLSv1.0

Re: [openssl-dev] [openssl.org #3026] Possible BUG in OpenSSL 1.0.1c regarding string types

2013-03-28 Thread Erwann Abalea via RT
The countryName field is a PrintableString, that's mandatory (see X.520). It also MUST be 2 characters long, but that's not enforced by OpenSSL. -- Erwann ABALEA On 28/03/2013 14:33, Joseba Gil Irisarri via RT wrote: > Hello, > > I'm using OpenSSL 1.0.1c as a CA

Re: [openssl-dev] [openssl.org #3026] Possible BUG in OpenSSL 1.0.1c regarding string types

2013-03-28 Thread Erwann Abalea
The countryName field is a PrintableString, that's mandatory (see X.520). It also MUST be 2 characters long, but that's not enforced by OpenSSL. -- Erwann ABALEA On 28/03/2013 14:33, Joseba Gil Irisarri via RT wrote: Hello, I'm using OpenSSL 1.0.1c as a CA to sign a corporate c

Re: [openssl-dev] Shouldn't CSRs automatically add default version?

2013-03-18 Thread Erwann Abalea
sider that explicitly setting the version is the responsibility of the application creating the request. -- Erwann ABALEA On 16/03/2013 19:22, Ken Smith wrote: -BEGIN CERTIFICATE REQUEST- MIICbzCCAVcCADArMSkwJwYDVQQDEyBiYjA2NGU1MDIwMTcwOTE4MTY0ZTlmMDY2 [...] 0s8Z -END CERTIFICATE

Re: [openssl-dev] Security of RC4 in TLS

2013-03-15 Thread Erwann Abalea
On 15/03/2013 11:34, Huzaifa Sidhpurwala wrote: On Fri, Mar 15, 2013 at 3:39 PM, Erwann Abalea wrote: Hello, In my understanding, after a fast read of RFC5246, this won't work. If RC4 is finally considered weak (at last), just don't use it anymore. Do you use DES on your serve

Re: [openssl-dev] Security of RC4 in TLS

2013-03-15 Thread Erwann Abalea
Hello, On 15/03/2013 09:47, Huzaifa Sidhpurwala wrote: There are some recent research articles about attack against RC4 in TLS. Some of these attacks were well known earlier, like biases in the first 256 numbers generated from the RC4 PRG, the newer research combines this with statistical p

Re: [openssl-dev] [openssl.org #3003] Enhancement Request - RFC6698 (DANE) TLSA Support

2013-03-01 Thread Erwann Abalea via RT
IMHO, it's more OpenSSL users' job (programs and libraries), not directly OpenSSL. -- Erwann ABALEA On 01/03/2013 16:08, russell.aspinw...@bcs.org.uk via RT wrote: > Hi, > > Would you consider adding support for RFC6698 Domain Authentication of > Named Entities

Re: [openssl-dev] [openssl.org #3003] Enhancement Request - RFC6698 (DANE) TLSA Support

2013-03-01 Thread Erwann Abalea
IMHO, it's more OpenSSL users' job (programs and libraries), not directly OpenSSL. -- Erwann ABALEA On 01/03/2013 16:08, russell.aspinw...@bcs.org.uk via RT wrote: Hi, Would you consider adding support for RFC6698 Domain Authentication of Named Entities (DANE) Transport Layer A

Re: [openssl-dev] [openssl.org #2879] Bug report - X509_check_akid() incorrectly handles dirName:

2012-09-13 Thread Erwann Abalea via RT
tes are improperly constructed. -- Erwann ABALEA - yachtitropicomythivorotrièdre: triangle des Bermudes On 13/09/2012 09:15, David Shambroom via RT wrote: > Using: > Windows 7 Professional SP1 > openssl-1.0.0g > > Build: > perl Configure debug-VC-WIN64A no-asm --prefi

Re: [openssl-dev] [openssl.org #2879] Bug report - X509_check_akid() incorrectly handles dirName:

2012-09-13 Thread Erwann Abalea
r certificates are improperly constructed. -- Erwann ABALEA - yachtitropicomythivorotrièdre: triangle des Bermudes On 13/09/2012 09:15, David Shambroom via RT wrote: Using: Windows 7 Professional SP1 openssl-1.0.0g Build: perl Configure debug-VC-WIN64A no-asm --prefix=c:\openssl ms\do_win64a n

Re: [openssl-dev] [RFC] OpenSSL accepts "invalid" server cert chain

2012-07-12 Thread Erwann Abalea
On 12/07/2012 15:36, David Woodhouse wrote: I have encountered a server which presents an invalid set of certificates in its TLS handshake. This is common. Really common. It's presenting four certificates, where the second cert is *not* the issuer of the first cert in the list. The chain f

Re: [openssl-dev] RE: SHA-256 and SHA-512 doubts in OpenSSL

2012-06-26 Thread Erwann Abalea
/fips/fips180-2/fips180-2withchangenotice.pdf -- Erwann ABALEA - atripodanatoclaste: qui ne casse pas trois pattes à un canard __ OpenSSL Project http://www.openssl.org Development Mailing List

Re: [openssl-dev] Re: SHA-256 and SHA-512 doubts in OpenSSL

2012-06-26 Thread Erwann Abalea
Same here. Also with http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf http://csrc.nist.gov/publications/fips/fips180-3/fips180-3_final.pdf and http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf are OK. -- Erwann ABALEA - nocticonsiliophorisme

Re: [openssl-dev] [openssl.org #2834] bug report: i2d(sign(10)) results in 2573 encoded

2012-06-14 Thread Erwann Abalea via RT
n S/MIME semantic is needed? -- Erwann ABALEA - transrhinoscopie: capacité de voir plus loin que son nez On 14/06/2012 16:56, Yusheng Yang via RT wrote: > [...] > > This test attempts to sign, encode, decode, and verify messages using > the PKCS7 API. The messages are sing

Re: [openssl-dev] [openssl.org #2834] bug report: i2d(sign(10)) results in 2573 encoded

2012-06-14 Thread Erwann Abalea
n S/MIME semantic is needed? -- Erwann ABALEA - transrhinoscopie: capacité de voir plus loin que son nez On 14/06/2012 16:56, Yusheng Yang via RT wrote: [...] This test attempts to sign, encode, decode, and verify messages using the PKCS7 API. The messages are single integers. Eve

Re: [FEATURE] OCSP functionality patch

2012-06-08 Thread Erwann Abalea
rting OCSP-related failures during verification (obviously, APPLICATION_VERIFICATION_FAILURE doesn't tell you much). -- Erwann ABALEA - Un forum peut répondre à plusieurs besoins à la fois Ici, le groupe des débutants dépasse en nombre le groupe des utilisateur "middle-class" ce qui pro

Re: [openssl-dev] Re: [openssl.org #2782] BUG report: RSA private key serializer

2012-04-03 Thread Erwann Abalea via RT
e long ago. Just subscribe to this list, and reply on this other list. It is clear to anybody here that what you spotted is not a bug in OpenSSL but an incomprehension on your side. Regards. -- Erwann ABALEA - Ce ne sont que des propositions. Je ne veux pas les faire passer en force. J

Re: [openssl-dev] Re: [openssl.org #2782] BUG report: RSA private key serializer

2012-04-03 Thread Erwann Abalea
o. Just subscribe to this list, and reply on this other list. It is clear to anybody here that what you spotted is not a bug in OpenSSL but an incomprehension on your side. Regards. -- Erwann ABALEA - Ce ne sont que des propositions. Je ne veux pas les faire passer en force. Je pense q

Re: [openssl-dev] [openssl.org #2782] BUG report: RSA private key serializer

2012-04-02 Thread Erwann Abalea via RT
he body of a mail. -- Erwann ABALEA - BC> Merci à tous de me plnnKER que j'ai plus à vous supporter! VR> Du coup, je l'ai déplonké, pour voir. Tiens, moi il est passé de -1000 à -100... -+- ED in GNU : La const

Re: [openssl-dev] [openssl.org #2782] BUG report: RSA private key serializer

2012-04-02 Thread Erwann Abalea
body of a mail. -- Erwann ABALEA - BC> Merci à tous de me plnnKER que j'ai plus à vous supporter! VR> Du coup, je l'ai déplonké, pour voir. Tiens, moi il est passé de -1000 à -100... -+- ED in GNU : La constant

Re: [openssl-dev] [openssl.org #2782] BUG report: RSA private key serializer

2012-04-02 Thread Erwann Abalea via RT
those number. So integers from RSA key, should be encoded > according ANS1 DER encoding, which means should be have either length > octets or end-of-contents octets > > On Mon, Apr 2, 2012 at 6:56 PM, Erwann Abalea via RT wrote: >> Tamir, >> >> What are you talking ab

Re: [openssl-dev] [openssl.org #2782] BUG report: RSA private key serializer

2012-04-02 Thread Erwann Abalea
mber. So integers from RSA key, should be encoded according ANS1 DER encoding, which means should be have either length octets or end-of-contents octets On Mon, Apr 2, 2012 at 6:56 PM, Erwann Abalea via RT wrote: Tamir, What are you talking about? DER encoding doesn't say anything about

Re: [openssl-dev] [openssl.org #2782] BUG report: RSA private key serializer

2012-04-02 Thread Erwann Abalea via RT
ttp://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf). > This is why i think there is a bug in ASN.1 encoding of the > certificate > -- Erwann ABALEA - nosovermiculotracter: interroger

Re: [openssl-dev] [openssl.org #2782] BUG report: RSA private key serializer

2012-04-02 Thread Erwann Abalea
com17/languages/X.690-0207.pdf). This is why i think there is a bug in ASN.1 encoding of the certificate -- Erwann ABALEA - nosovermiculotracter: interroger

Re: [openssl-dev] [openssl.org #2782] BUG report: RSA private key serializer

2012-04-02 Thread Erwann Abalea via RT
on because of size optimization), you should use various size > serialization. > > This is what is this bug about. > > > On Mon, Apr 2, 2012 at 3:52 PM, Erwann Abalea via RT wrote: >> Hello, >> >> On 02/04/2012 13:21, Tamir Khason via RT wrote: >>> The

Re: [openssl-dev] [openssl.org #2782] BUG report: RSA private key serializer

2012-04-02 Thread Erwann Abalea
you should use various size serialization. This is what is this bug about. On Mon, Apr 2, 2012 at 3:52 PM, Erwann Abalea via RT wrote: Hello, On 02/04/2012 13:21, Tamir Khason via RT wrote: There is a bug in ASN.1 DER serializer used to generate RSA private keys. It trims trai

Re: [openssl-dev] [openssl.org #2782] BUG report: RSA private key serializer

2012-04-02 Thread Erwann Abalea via RT
ude can vary. Any "a mod b" number cannot be the same size of "b" (consider for example "2^32+1 mod 2^32", it's not a 32 bits integer). If your "bad" key cannot be used in .NET, there's another reason. -- Erwann ABALEA - podoclaste: casse-pie

Re: [openssl-dev] [openssl.org #2782] BUG report: RSA private key serializer

2012-04-02 Thread Erwann Abalea
y "a mod b" number cannot be the same size of "b" (consider for example "2^32+1 mod 2^32", it's not a 32 bits integer). If your "bad" key cannot be used in .NET, there's another reason. -- Erwann ABALEA - podoclaste: casse-pieds

Re: [openssl-dev] [openssl.org #2746] Bugfix for ASN.1 parser in OpenSSL 0.9.8 and 1.0

2012-03-05 Thread Erwann Abalea via RT
't a valid encoding. The length must be >> expressed in the minimum number of octets possible, that applies to BER >> as well as DER. >> > Hmm... must have confused it with something else. That *is* legal. > No, you were (partly) right. This is legal BER, n

Re: [openssl-dev] [openssl.org #2746] Bugfix for ASN.1 parser in OpenSSL 0.9.8 and 1.0

2012-03-05 Thread Erwann Abalea
hing else. That *is* legal. No, you were (partly) right. This is legal BER, not DER. -- Erwann ABALEA - parturiophone: enceinte acoustique

Re: [openssl-dev] [openssl.org #2595] Capitalize X509 subject key STREET according to rfc1779

2011-09-11 Thread Erwann ABALEA
Hodie III Id. Sep. MMXI, Peter Sylvester scripsit: >On 09/11/2011 12:12 AM, Erwann ABALEA wrote: > > Hodie IV Id. Sep. MMXI, Maarten Billemont via RT scripsit: > > According to rfc1779, the key STREET in the subject name should be > capitalized. > > obj_dat.h

Re: [openssl-dev] [openssl.org #2595] Capitalize X509 subject key STREET according to rfc1779

2011-09-10 Thread Erwann ABALEA
hose tokens are case sensitive (you could even use "cn" instead of "CN"). This RFC is defective at least in one aspect: the following names are not considered equal: CN=James Bond, O=MI6, C=UK CN=James \ Bond, O=MI6, C=UK CN=\ \ jAmeS bonD, O=MI

Re: [openssl-dev] openssl.org web site certificate renewed

2011-08-30 Thread Erwann ABALEA
n. You should also disable SSLv2, and <128bits ciphers. -- Erwann ABALEA R&D Department, KEYNECTIS

Bug in decoding/printing the authorityKeyIdentifier extension

2011-08-26 Thread Erwann ABALEA
Hello, Given a certificate with an authorityKeyIdentifier extension containing the issuerName and serial fields, with a negative serial number, displaying this certificate (openssl x509 -text -noout ...) doesn't tell that the serial number is negative, and prints its absolute value. -- E

Re: [openssl-dev] Re: Verify X.509 certificate, openssl verify returns bad signature

2010-08-30 Thread Erwann ABALEA
is is the kind of advice that pushes programmers to allocate fixed size fields in databases, and consider a certificate's serial number to always fit the size. This is also bad in practice. -- Erwann ABALEA R&D Department, KEYNECTIS

Re: [openssl-dev] Re: How to locate the X.509 specifications

2010-08-09 Thread Erwann ABALEA
u're right, it's worth knowing about. But in addition to the real X.509 standard. [...] > >>Kyle Hamilton wrote: > >>>I was asked this morning where to find the X.509 specification, > >>>since http://itu.int/ is such a messy website. -- Erwann ABALEA Départ

Re: [openssl-dev] Re: How to locate the X.509 specifications

2010-08-08 Thread Erwann ABALEA
s morning where to find the X.509 specification, > >since http://itu.int/ is such a messy website. It's sad the 2008 version is only available for a fee. I always thought the free 2005 version (and corresponding X.5xx standards covering other important aspects) was a good thing to he

Re: [openssl-dev] Stuck in France...

2010-04-19 Thread Erwann ABALEA
ff such as the > VMS build of OpenSSL... > > *sigh* Sorry for this. These are security measures, as volcano ashes are very abrasive for engines. If you're in Paris, I'd be glad to offer you a beer or two, just contact me off-list. -- Erwann ABALEA - It takes 43 muscles to fro

Re: [openssl-dev] [openssl.org #1951] [patch] verification of X.509 certificates that contain an RSASSA-PSS signature

2010-03-11 Thread Erwann ABALEA
Hodie VII Id. Mar. MMX, Dr. Stephen Henson scripsit: > On Tue, Mar 09, 2010, Erwann ABALEA wrote: > > > I can't verify ecdsa-with-SHA256 certificates, the ones transmitted a > > few days ago (German passports), with the same error > > (d2i_ECPKParameters function).

Re: [openssl-dev] [openssl.org #1951] [patch] verification of X.509 certificates that contain an RSASSA-PSS signature

2010-03-09 Thread Erwann ABALEA
, without the RSASSA-PSS patch. -- Erwann ABALEA

Re: [openssl-dev] Re: Applying the RSASSA-PSS patch

2010-02-26 Thread Erwann ABALEA
cDovL3d3dy5ic2kuYnVuZC5kZS9jc2NhMCsGCSqG SIb3DQEJFQQeBBwxLjIuMjc2LjAuODAuMS4xMi4wLjIwLjUuMS4wMCsGA1UdEAQk MCKADzIwMDkwNDMwMTM0NzMyWoEPMjAwOTA4MzAxMjMwNTBaMAwGCCqGSM49BAMC BQADSAAwRQIgQYfwgQkqtEPTFWz+/vKQqH7ixuz/dqYbgkhxeisdcvQCIQCN5kAI 7TDnyDJpmli7Ci6cjOIZxNHLFUlV3fGX5JzaJg== -END CERTIFICATE- -

Applying the RSASSA-PSS patch

2010-02-25 Thread Erwann ABALEA
55: 3085249240:error:100D4010:elliptic curve routines:ECKEY_PARAM_DECODE:EC lib:ec_ameth.c:528: I can provide certificates if necessary (those are passport certificates from different countries) -- Erwann ABALEA - All men can fly, but sadly, only in one direction -- down

Re: [openssl-dev] [PATCH]

2009-03-06 Thread Erwann ABALEA
be sure that dso isn't NULL. Good job for a ladybug :) (that's what "coccinelle" means, in french). -- Erwann ABALEA - OK to continue?

Re: [openssl-dev] [openssl.org #1854] GeneralizedTime support in openssl ca

2009-03-04 Thread Erwann ABALEA
Hodie IV Non. Mar. MMIX, Oliver Martin scripsit: > On Wed, 4 Mar 2009 11:19:09 +0100, Erwann ABALEA wrote: > > > RFC5280 is a *profile* of X.509, i.e. a subset; it cannot replace > > X.509. > > Non Zulu times, minute accuracy, and fractional seconds are accepted >

Re: [openssl-dev] [openssl.org #1854] GeneralizedTime support in openssl ca

2009-03-04 Thread Erwann ABALEA
onds are accepted in X.509, why should it be refused by OpenSSL? -- Erwann ABALEA - I t±ld yo±, "Never±touch ±he flop±y disk s±rface!"

Re: [openssl-dev] Re: Proposed patch to check a CRL when a CA is renewed

2008-02-04 Thread Erwann ABALEA
Hi Dave, Hodie Kal. Feb. MMVIII est, Dave Thompson scripsit: > > From: [EMAIL PROTECTED] On Behalf Of Erwann ABALEA > > Sent: Thursday, 31 January, 2008 13:08 > > > Hodie pr. Kal. Feb. MMVIII est, Patrick Patterson scripsit: > > > > I disagree with this ide

Re: [openssl-dev] Re: Proposed patch to check a CRL when a CA is renewed

2008-02-01 Thread Erwann ABALEA
Hi Patrick, Hodie pr. Kal. Feb. MMVIII est, Patrick Patterson scripsit: > Hi Erwann; > > On Thursday 31 January 2008 13:07:32 Erwann ABALEA wrote: > > > Renewal is when you issue a new certificate, but keep the same keys. In > > > this case, the CRL validation in Op

Re: [openssl-dev] Re: Proposed patch to check a CRL when a CA is renewed

2008-01-31 Thread Erwann ABALEA
Hi Patrick, Hodie pr. Kal. Feb. MMVIII est, Patrick Patterson scripsit: > Hi Erwann: > > On Thursday 31 January 2008 11:23:57 Erwann ABALEA wrote: > > Hello, > > > > OpenSSL doesn't cleanly verify revocation status when a CA is renewed > > (with a key ch

Proposed patch to check a CRL when a CA is renewed

2008-01-31 Thread Erwann ABALEA
ainst the CRL, because it checks the verification of the CRL against the public key of the certificate that signed the end-user certificate. That's not conformant to the X.509 standard. -- Erwann ABALEA <[EMAIL PROTECTED]> openssl099-crl-renewedca.diff.gz Description: Binary data

Re: [openssl-dev] Regarding extended key usage extension implementation which differs from RFC 2459

2007-06-08 Thread Erwann ABALEA
13 > Extended key usage field. The corresponding paragraph of the RFC3280 (RFC2459 is obsolete, and superseded by RFC3280) reads: "If the extension is present, then the certificate MUST only be used for one of the purposes indicated." RFC3280 is much more clear and unambiguous t

Re: Mail System Error - Returned Mail

2004-07-27 Thread erwann . abalea
, then I'll read your mail. If necessary, please contact Dominique Manenc <[EMAIL PROTECTED]>. You'll receive this message only once. Thanks. -- Erwann ABALEA <[EMAIL PROTECTED]> - It takes months to find a customer, but only seconds to lose one... The good n

Re: [openssl-dev] [openssl.org #551] [Fwd: Bug#186487: openssl:'openssl ca' allows serial 00 which breaks the signed certificate]

2003-04-04 Thread Erwann Abalea
d by a CA *must* be unique under this CA. This includes also the CA itself, when it's a self-signed CA. -- Erwann ABALEA <[EMAIL PROTECTED]> - RSA PGP Key ID: 0x2D0EABD5 - If you never try anything new, you'll miss out on many of life's great d

Re: [openssl.org #323] Bug in "authorityKeyIdentifier" extension ?

2002-11-13 Thread Erwann ABALEA
'. RFCs-reading is an art, just like Standards-reading ;) So far, I think that only Microsoft made this mistake, I never found it in any other product I've seen. Based on that, I really don't think it might be necessary to rewrite the RFC, or the X.509 standard (which would involve *m

Re: [openssl.org #323] Bug in "authorityKeyIdentifier" extension ?

2002-11-04 Thread Erwann ABALEA
ives, not a french law - it takes a lot more than just using the authorityKeyIdentifier extension to have a qualified certificate Hope this helps. -- Erwann ABALEA <[EMAIL PROTECTED]> - RSA PGP Key ID: 0x2D0EABD5 - CJ> Les censeurs agitent plus de vent que les moulins des Pays Bas. Tiens, je sa

Re: [openssl.org #323] Bug in "authorityKeyIdentifier" extension ?

2002-11-04 Thread Erwann ABALEA
t CA name. You're right, that's how it's done in the SET hierarchy. The keyIdentifier is not used, the only valid content for the authorityKeyIdentifier is the issuer's name of the issuer certificate, packed with the issuer's certificate serial number. -- Erwann ABALEA

Re: [openssl.org #323] Bug in "authorityKeyIdentifier" extension ?

2002-11-04 Thread Erwann ABALEA
's name and the exact number of your father among all your grandfather's children. That's how it's done, and that's how it has to be done. -- Erwann ABALEA <[EMAIL PROTECTED]> - RSA PGP Key ID: 0x2D0EABD5 - Le netétiquette n'est qu'une vaste fumisterie,il

Re: certificate start date difference!

2002-08-01 Thread Erwann ABALEA
Sorry for this late delivery. It seems pipes can be filled with old stuff sometimes. ;) On Mon, 8 Jul 2002, Erwann ABALEA wrote: > On Mon, 8 Jul 2002, Mehdi Jabal Ameli wrote: [...] -- Erwann ABALEA <[EMAIL PROTECTED]> - RSA PGP Key ID: 0x2D0EABD5 - J'aurai aimé savoir si e

Re: certificate start date difference!

2002-08-01 Thread Erwann ABALEA
... What is stored in a certificate is a GMT time. -- Erwann ABALEA <[EMAIL PROTECTED]> - RSA PGP Key ID: 0x2D0EABD5 - Stupidity is no excuse for not thinking.

Re: Questions about PKI

2002-05-02 Thread Erwann ABALEA
- Algorithm supported > In order to make easy this comparison I have created a comparison table. > I've joined this Excel table (tableau_PKI.xls). I would be glad if you could fill >it. > > > Thank you for your time and your interest. > I'm looking forward to

Virus infected mail, warning

2002-04-30 Thread Erwann ABALEA
antivirus installed and configured. If you take the time to find technical information about this virus (named "worm_klez.g" for www.antivirus.com), you'll find that this nasty one does change the From: header. Sadly, I was chosen... :( -- Erwann ABALEA <[EMAIL PROTECTED]>

Re: problem OpenSA SSL

2002-04-18 Thread Erwann ABALEA
on't find a file named "mod_ssl.so" in this directory, but a file named "mod_ssl.dll", and that changing the "mod_ssl.so" into "mod_ssl.dll" in the configuration file should do the trick. -- Erwann ABALEA <[EMAIL PROTECTED]> - RSA PGP Key ID: 0x2D0EA

Re: your mail

2002-04-04 Thread Erwann ABALEA
t have enough memory left. I think a good solution would be to call the administrator. -- Erwann ABALEA <[EMAIL PROTECTED]> - RSA PGP Key ID: 0x2D0EABD5 - BC> désolé, mais j'ai pas pû m'empecher. On a vu, mais bon, vraiment fallait pas, vous ne manquiez pas encore assez. -

Re: Solaris bc

2002-03-05 Thread Erwann ABALEA
On Tue, 5 Mar 2002, Michael Sierchio wrote: > Erwann ABALEA wrote: > > > dc and bc are linked by some way... > > Yes. Unlink dc and bc won't work. ;-) ;) I read J.P. King's email, and it's more clear now. I should try to learn dc, as I'm more comfortab

Re: Solaris bc

2002-03-05 Thread Erwann ABALEA
ike syntax that implements functions. bc also provides reasonable control structures for programs. See bc(1). dc and bc are linked by some way... -- Erwann ABALEA <[EMAIL PROTECTED]> - RSA PGP Key ID: 0x2D0EABD5 - I'm not dyslexic, thank dog!

Re: Please help me.

2001-10-11 Thread Erwann ABALEA
g in *your* configuration or code, not a bug in the OpenSSL library. -- Erwann ABALEA [EMAIL PROTECTED] RSA PGP Key ID: 0x2D0EABD5 - ``We're operating from a knowledge base that is not very dense.'' Jim Skeen Explaining

RE: PKCS#11 engine support

2001-05-03 Thread Erwann ABALEA
Thu, 3 May 2001, Erwann ABALEA wrote: > On Thu, 3 May 2001, Reddie, Steven wrote: > > > Zoran, I'd be happy to test your implementation. The PKCS#11 devices that I > > have at my disposal are: > > Eracom CSA7001/7002 > > nCipher nFast SCSI HSM > >

RE: PKCS#11 engine support

2001-05-03 Thread Erwann ABALEA

Re: Object names

2000-09-25 Thread Erwann ABALEA
The SEQUENCE is encapsulated in an OCTET STRING... What you would like is the internal format of this OCTET STRING... Just ask Entrust... How could you force anyone to describe the internal format of every structure they use? Don't even think of it... -- Erwann ABALEA System and Development

OpenSSL-0.9.6-beta1 and Linux Redhat 5.1

2000-09-11 Thread Erwann ABALEA
md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(idx) compiler: gcc -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -- Erwann ABALEA System and Development Engineer - Certplus SA [EMA

Re: OpenSSL

2000-07-11 Thread Erwann ABALEA
SL for windows (if there is) > > thanx, > audrey -- Erwann ABALEA System and Development Engineer - Certplus SA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5 -

Re: Pseudo Random Number Generator

2000-03-23 Thread Erwann ABALEA
Does anyone have paid to go through the FIPS-140 evaluation of any part of OpenSSL? ;-) On Thu, 23 Mar 2000, David Ahrens wrote: > Does anyone know if the pseudo random number generator in openssl is > FIPS-140 compliant? -- Erwann ABALEA System and Development Engineer - Certplus SA

Problem under Win32

2000-03-02 Thread Erwann ABALEA
I get the key on stdout. I found another problem with the command line tool openssl, used in its "prompt mode"... I'll try to reproduce the behaviour, and I'll post my results. -- Erwann ABALEA System and Development Engineer - Certp

Re: Adding new cipher suites to TLS with 256+ bit session keys.

2000-02-24 Thread Erwann ABALEA
s with their cracked keys.) But my boss as asked me I (and others too) think that 1024 bits RSA will be broken in less than 10 years... -- Erwann ABALEA System and Development Engineer - Certplus SA [EMAIL PROTECTED] - RSA PGP Key ID

RE: [Fwd: OCSP and CSL]

2000-01-26 Thread Erwann ABALEA
tificate than the ones used to generate the certificates Basically, you have one certificate to sign the certificates, and one other to sign the CRLs... A different key pair is associated with each certificate. The difference is in the keyUsage extension. -- Erwann ABALEA System and Development

Re: How to build ssleay libraries on WindowsNT

2000-01-21 Thread Erwann ABALEA
Please read the file INSTALL.W32, everything's described... On Mon, 17 Jan 2000, bhushan wrote: > Could you please explain,how to build static ssleay libraries on > WindowsNT -- Erwann ABALEA System and Development Engineer - Certplus SA [EMAIL PROTECTED] - RSA PGP Key ID:

Re: Big problem with make

1999-06-10 Thread Erwann ABALEA
and stdlib.h files, and then you'll be able to add a -Idirectory right into the good place... -- Erwann ABALEA System and Development Engineer - Certplus SA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5 -
