Does anyone know how to approach generating certificates to be used with
Elliptic Curve Cryptography (TLS) and OpenVPN? The normal generation process
for RSA certificates does not work, so it looks like there is a different
procedure (as with Apache and ECC certificates). I compiled openvpn
Krzysztof Koston wrote:
Thank you for quick answer. We are actually planning to submit our
final product for validation so my understanding is that it needs to
be validated again with all the modifications we have made. Am I
correct?
Correct. The existing v1.2 and earlier validations don't
Hi there,
I followed the instructions given in this HowTo:
http://www.dylanbeattie.net/docs/openssl_iis_ssl_howto.html
and came smooth and with no probs to the point where I should create a
master certificate using this command:
openssl req -config openssl.conf -new -x509 -days 1001 -key
Mike Frysinger wrote:
On Mon, Jul 20, 2009 at 09:51, Fred Keet wrote:
I'm in the process of writing an application that signs binary data for
loading
onto a Analog Devices BlackFin microprocessor. These chips have built in
support for verification of code. The chip gets loaded with the EC
Is there any documentation on the conversion from a hex public key to
the EC_POINT struct? I assume I just need to split the key into the
three BIGNUM coordinates, but where do I split my key? I'm using a
664bit public key.
I can't find an implementation of an oct2point method (like the one
Running into a problem at here at work where we have a daemon process that was
converted to use BIO's for SSL support. Since then we are occassionally seeing
a problem where if a subprocess executed manages to hang, closing down the
daemon and restarting it will run into a problem with binding
Andreas Wagner wrote:
Hi guys i want to sign a message (an array of char) out of my source
code. The problem is that i do not know exactly how to sign this message.
There are two possibilites (ECDSA_do_sign or the
EVP_DigestSignFinal(...) functions). which do i have to use? where is
the
Bailey, Darragh wrote:
Running into a problem at here at work where we have a daemon process that was
converted to use BIO's for SSL support. Since then we are occassionally seeing
a problem where if a subprocess executed manages to hang, closing down the
daemon and restarting it will run
Thank you David for your bluntness. Trust me, I'm aware of how significant
making wpa_supplicant FIPSable is. I've been working on it for several
months. Over the past few months I've been in the process of removing
non-compliant code, updating MD5 to SHA-1, etc. I'm close for the AP side
with
I'm not going to comment on David's assertion's or anything about
wpa_supplicants, but lets take a step back:
SSL is NOT allowed in FIPS 140-2 compliant modes; TLS 1.0 IS allowed in FIPS
140-2 when using FIPS-approved security functions (see the FIPS 140-2
implementation guide).
TLS 1.0 is
On Tue, Jul 21, 2009, carlyo...@keycomm.co.uk wrote:
TLS 1.0 DOES use MD5 and SHA-1 in combination, and - despite MD5 not being
allowed by the FIPS 140-2 standard - it is allowed in this case because the
combined 'strength of the two, when used in unison, is not less than SHA-1
itself. I
Hello Everyone
I am currently looking at a SSL solution for a client and need to do the
following:
They want a unique ca per client to be able to sign certs for each client using
their own CA.
Can anybody point me in the direction of some docs that will help me to set
this up.
I have
On Tue, Jul 21, 2009, Fred Keet wrote:
At this point I've got code that generates the ec keys from the sect163k1
curve, and then signs a block of data. When I compare this with the ecsign
utility they provide (apparently built on Miracl) the two signatures do not
match, so it seems that
Check the man pages (man req), the -x509 option is for a self signed cert
(root), while the -new option produces a new cert request (so you are asking
for conflicting tasks). In this case no request is needed because the it's
the root cert. Your config option is ok.
This way a root and its
Kobus Bensch - No Sig wrote:
They want a unique ca per client to be able to sign certs for each client
using their own CA.
Hi Kobus:
CA allow CA chains, this is, only one CA being a true root signing sub-CA
certs. Having many root CA's create the feeling of disorganization, though
Title: Fullnet Solutions Limited
Hi
Thank you for this, this is great. So to recap.
I have on CA
That one CA can generate multiple Certs that can then be used per
apache virtual host to allow only that one client to connect to that
virtual host with a specified port number?
End result =
Hi Again:
Not exactly to associate one CA pero virtual host. This all can be done by
only one virtual host, even though you can have all the VH you need. Apache
allows you to do many things with just one virtual host.
For example, If you notice the directive SSL_Require, it is inside a
Title: Fullnet Solutions Limited
No this is great thanks.
My ultimate aim is to create certs for a site. Then to distribute the
certs to only those I want to be able to access the site, any other
attempted access need to be denied and do this for each virt host.
Sounds like it is possible,
I thought I should be specific about cert creation because I've seen big
corporations issueing pure CA certs for all, and they actually never create
a client cert. And no matter how many approaches one take to explain that
such thing is not right, they keep issueing CA'sCerts for all purposes,
Very good.
In case you need a CA outside of your company saying we know those guys
(instead of I know myself) you can count on our company (energiash.com) of
course without any cost involved, or buy your first CA with signing
attributes from a well known source that is already in the browsers'
Title: Fullnet Solutions Limited
Hi
Thank you for all the help. You have been most kind
Kobus
javierm wrote:
Very good.
In case you need a CA outside of your company saying "we know those guys"
(instead of "I know myself") you can count on our company (energiash.com) of
course without
On Tue, Jul 21, 2009 at 10:46, Dr. Stephen Henson wrote:
On Tue, Jul 21, 2009, Fred Keet wrote:
At this point I've got code that generates the ec keys from the sect163k1
curve, and then signs a block of data. When I compare this with the ecsign
utility they provide (apparently built on Miracl)
Michael Kurecka wrote:
Thank you David for your bluntness. Trust me, I'm aware of how
significant making wpa_supplicant FIPSable is. I've been working
on it for several months. Over the past few months I've been in
the process of removing non-compliant code, updating MD5 to SHA-1,
etc. I'm
Never mind my question. Apparently the Base64 interpreter only accepts
data if it's newline-terminated. Sorry for the bother.
On 21-Jul-09, at 5:59 PM, Jeremy R. wrote:
Hello:
I'm trying to do something that should be fairly simple: read Base64-
encoded data in memory block A and write it
24 matches
Mail list logo
