Re: [EXTERNAL] Stricter pathlen checks in OpenSSL 1.1.1 compared to 1.0.2?.

2022-09-15 Thread Erwann Abalea via openssl-users
or this failure correct? > > Why is OpenSSL 1.0.2 verifying successfully? Does it not check the path > length constraint or is it actually picking the depth 2 chain instead of > the depth 3? > > > > Regards, > > Andrew. > > > -- Regards, Erwann Abalea.

Re: [EXTERNAL] Keytool issue with version 3.0.2.

2022-05-19 Thread Erwann Abalea via openssl-users
ng keystore bmstore.pkcs12.pem to bmstore.pkcs8.x509.jks... > keytool error: java.io.IOException: keystore password was incorrect > > ``` > -- Regards, Erwann Abalea.

Re: [EXTERNAL] Using openssl-rsautl for verifying signatures.

2022-05-04 Thread Erwann Abalea via openssl-users
: OBJECT:sha1 >11:d=2 hl=2 l= 0 prim: NULL >13:d=1 hl=2 l= 20 prim: OCTET STRING > - 4e 07 b8 c7 aa f2 a4 ed-4c e3 9e 76 f6 5d 2a 04 > N...L..v.]*. > 0010 - bd ef 57 00 ..W. > > Why is RSA_sign() wrapping the signature in ASN.1? > > Or, put a different way, how do I reproduce what RSA_sign() is doing from > the command line? > > Is there another command that does RSA signing besides rsautl? > > Thanks, > > -Philip > > > -- Regards, Erwann Abalea.

Re: [EXTERNAL] Re: odd error for ECDSA key in REQ.

2020-08-10 Thread Erwann Abalea via openssl-users
ength, and the encoded public key), and finally the BIT STRING encapsulation. The OCTET STRING is wrong here. Regards, Erwann Abalea On 08/08/2020 14:24, "openssl-users on behalf of Dirk-Willem van Gulik" wrote: The key is generated by a lovely HSM - which is by its nature a bit

Re: [EXTERNAL] Re: Unusual certificates

2020-06-25 Thread Erwann Abalea via openssl-users
The second certificate seems garbaged at the 4th RDN of the issuerName. The Base64 edition might have added or deleted some characters. Regards, Erwann Abalea On 25/06/2020 16:00, "openssl-users on behalf of Angus Robertson - Magenta Systems Ltd" wrote: More information, the

Re: client certs with no subjectName only SAN

2019-08-16 Thread Erwann Abalea via openssl-users
s non critical (it's a SHOULD in PKIX) A quick reading of RFC8002 tells me that you may need to include the IssuerAltName extension as well? Regards, Erwann Abalea On 16/08/2019 17:11, "openssl-users on behalf of Robert Moskowitz" wrote: Viktor, On 8/16/19 8:41

Re: client certs with no subjectName only SAN

2019-08-16 Thread Erwann Abalea via openssl-users
n a certificate, the field is not OPTIONAL. Regards, Erwann Abalea On 15/08/2019 22:13, "openssl-users on behalf of Salz, Rich via openssl-users" wrote: subjectAltName is rarely marked as critical; sec 4.2.1.6 of PKIX says "SHOULD mark subjectAltName as non-critical"

Re: Why were edwards curves given distinct key types, aren't they EC keys?

2019-03-15 Thread Erwann Abalea via openssl-users
Maybe because EVP_PKEY_EC designates an ECDSA key, that an EdDSA key is not generated the same way (particularly the public part), and that the encodings are different? Regards, Erwann Abalea On 15/03/2019 19:20, "openssl-users on behalf of Sam Roberts" wrote: It seems like they

Re: OpenVPNGui 2.4.7 fails: format error in certificate's notAfter field

2019-03-07 Thread Erwann Abalea via openssl-users
d can exist and is supposed to be produced). Regards, Erwann Abalea On 06/03/2019 16:38, "openssl-users on behalf of Jakob Bohm via openssl-users" wrote: On 06/03/2019 16:17, Michael Wojcik wrote: >> From: openssl-users [mailto:openssl-users-boun...@openssl.org]

Re: [openssl-users] RSA Public Key error

2018-12-17 Thread Erwann Abalea via openssl-users
want Regards, Erwann Abalea From: prithiraj das Date: Monday 17 December 2018 at 08:23 To: Erwann Abalea, "openssl-users@openssl.org" Subject: Re: [openssl-users] RSA Public Key error Hi Erwann/All, Thank you for your earlier response. I have done a couple of tests on the

Re: [openssl-users] RSA Public Key error

2018-12-12 Thread Erwann Abalea via openssl-users
beginning by my own, and now I can’t open the file again ». Those bytes are there for a reason. A quick solution would be to *add* your 16 bytes before the public key, and remove them when passing the rest of the bytes to OpenSSL. Regards, Erwann Abalea From: openssl-users on behalf of prithiraj

Re: [openssl-users] Path Length Constraint ignored for Root and any self-issued certificate

2018-10-08 Thread Erwann Abalea via openssl-users
Hello, The prospective certification path excludes the Trust Anchor. Therefore, the « max_path_length=0 » step is attained only when dealing with your EvilCA cert. Regards, Erwann Abalea > On 8 Oct. 2018 at 14:47, Peter Magnusson > wrote: > > That is not correct behavio

Re: [openssl-users] Doubt regarding O-SSL and setting the duration of certificates

2017-09-13 Thread Erwann Abalea via openssl-users
ng second 59 completely. Just think of this as a magical value. Regards, Erwann Abalea -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Using set_serial to control serial number size directly

2017-08-21 Thread Erwann Abalea via openssl-users
, serial number}. Regards, Erwann Abalea > On 21 August 2017 at 15:44, Robert Moskowitz wrote: > > > > On 08/21/2017 09:36 AM, Salz, Rich wrote: >> ➢ Thus how large does this random number have >> >> It’s also to protect against predicting serial numbe

Re: [openssl-users] More on cert serialnumbers

2017-08-18 Thread Erwann Abalea via openssl-users
> On 18 August 2017 at 15:18, Mark H. Wood wrote: > > On Thu, Aug 17, 2017 at 03:29:56PM +0000, Erwann Abalea via openssl-users > wrote: >> The BR are for public CAs, not private CAs; even if some of those >> requirements are considered « good practice » (the 64 bit

Re: [openssl-users] Implementing deprecation of commonname and emailaddress

2017-08-17 Thread Erwann Abalea via openssl-users
> On 17 August 2017 at 17:36, Jeffrey Walton wrote: > > On Thu, Aug 17, 2017 at 11:34 AM, Erwann Abalea > wrote: >> >>> On 17 August 2017 at 17:26, Jeffrey Walton wrote: >>> >>>>> When you see a name like "example.com" in the

Re: [openssl-users] Implementing deprecation of commonname and emailaddress

2017-08-17 Thread Erwann Abalea via openssl-users
er CA/B policies, and CN=example.com but > it _lacks_ SAN=example.com, then it's not a hostname and it should > not be matched. Such a certificate would be mis-issued and be revoked immediately. CN MUST be an FQDN (or a wild carded FQDN, or an IP address), and a copy of the value in CN MUS

Re: [openssl-users] More on cert serialnumbers

2017-08-17 Thread Erwann Abalea via openssl-users
et of some browsers for private CAs; it may require more work for you, but there’s a benefit. CN has been populated with too much garbage (FQDN, domain, service name, IP address, person name, …), the SAN extension has nice baskets to put your eggs in (dNSName and iPAddress), and it works bea

Re: [openssl-users] keyusage digitalSignature in CA certs

2017-08-17 Thread Erwann Abalea via openssl-users
an issuing CA can issue different certificates for the same CA (they all have the same Subject, which is different from the issuing’s Subject) but for different purposes (and thus different keyUsage bits). Regards, Erwann Abalea

Re: [openssl-users] Personal CA: are cert serial numbers critical?

2017-08-16 Thread Erwann Abalea via openssl-users
line (standard trick: > Issue 3-month non-revocable OCSP-signing certificates and provide the > corresponding private key to the server running the OCSP responder program). > I would recommend to also implement traditional CRLs, since for smaller CAs > it is a better solution for browser

Re: [openssl-users] Understanding RSA_sign and type argument

2017-06-12 Thread Erwann Abalea
Hello, Add « -sigalgs SHA256+RSA » to one of your command lines. Regards, Erwann Abalea On 9 June 2017 at 09:45, Ignacio Alamo Corsino <nacao2...@hotmail.com> wrote: Hello everyone, i am having some issues understanding the RSA_sign function: RSA_sign(int type,

Re: [openssl-users] Leading Zeros in ASN1_INTEGER?

2017-01-30 Thread Erwann Abalea
Why not? This serial number could also be displayed as 3203232750, or 000BEED73EE, or 03203232750. Regards, Erwann Abalea On 30 Jan. 2017 at 11:03, Matthias Ballreich <matthias.ballre...@outlook.de> wrote: thanks for explanation. But why did Windows Cert Manager and F

Re: [openssl-users] ECDSA_SIG_new and ECDSA_SIG_free details

2017-01-11 Thread Erwann Abalea
null pointer. Regards, Erwann Abalea > On 11 Jan. 2017 at 17:18, Jeffrey Walton wrote: > >> Could someone from the OpenSSL team please explain the rationale for this >> decision? What is the problem with using assignments with 0 or NULL to >> initialize pointer

Re: [openssl-users] (SPAM) Retrieving Root CA certificate using "openssl s_client -showcerts" command

2016-11-08 Thread Erwann Abalea
Hello, The root certificate is not expected to be sent by the server, as it already needs to be known and trusted by the client. However, you’re free to configure your server to send it, for debugging or informational purposes. Regards, Erwann Abalea On 8 Nov. 2016 at 03:36, Mofassir Ul

Re: [openssl-users] M_ASN1_D2I_* replacement in OpenSSL 1.1.0

2016-09-20 Thread Erwann Abalea
N(MYSTRUCT) Now you can call i2d_MYSTRUCT()/d2i_MYSTRUCT() to encode/decode such a data type, and similar _bio, _fp, _dup functions as well. Regards, Erwann Abalea On 20 Sept. 2016 at 11:45, Aleksandr Konstantinov <aleksandr.v.konstanti...@gmail.com> wrote: Hello, Thanks

Re: [openssl-users] openssl crl fails to parse a CRL file, which seems correct

2016-09-15 Thread Erwann Abalea
That’s a bug in the Issuer name length check. Use the 1.1.0 version. Regards, Erwann Abalea > On 14 Sept. 2016 at 14:31, Wouter Verhelst wrote > : > > Hi, > > (this is a resend because my MUA crashed while I tried to send this mail > earlier. If you get i

Re: [openssl-users] Openssl software failure for RSA 16K modulus

2016-07-22 Thread Erwann Abalea
Hello, On 22 Jul. 2016 at 08:44, Gupta, Saurabh <saurabh.gu...@cavium.com> wrote: 1: I didn't get it, Why this behaviour is not coming for other ciphers while doing the server/client handshake? It should fail for other ciphers also. Ciphers: working DHE-RSA-AES128-SHA ECDHE-RS

Re: [openssl-users] Openssl software failure for RSA 16K modulus

2016-07-21 Thread Erwann Abalea
> On 21 Jul. 2016 at 15:08, Salz, Rich wrote: > >> By raising the limit, you don’t suddenly put every application at risk of a >> DoS, >> because these applications won’t suddenly use a 16k RSA key. > > Yes we do, because the other side could send a key, not local config. Server A code is

Re: [openssl-users] Openssl software failure for RSA 16K modulus

2016-07-21 Thread Erwann Abalea
> On 21 Jul. 2016 at 14:17, Salz, Rich wrote: > >> We have to make trade-offs. Who uses a 16K RSA key? > > Let me add some clarification. Is it worth putting every application that > uses OpenSSL at risk for a DoS attack with a 16K RSA key? By raising the limit, you don’t suddenly put e

Re: [openssl-users] Openssl software failure for RSA 16K modulus

2016-07-21 Thread Erwann Abalea
Largest accepted client key exchange message length seems to be set to 2048 bytes. Key exchange for an RSA16k is slightly larger than that (exactly 2048 bytes of pure crypto payload, plus a few bytes of overhead). OpenSSL is too conservative here. Regards, Erwann Abalea On 21 Jul. 2016

Re: [openssl-users] Creating an X25519-based Certificate

2016-06-30 Thread Erwann Abalea
Maybe we just didn’t. At least not with the command line tools. The CHANGES file lists a merge between « dh », « gendh », and « dhparam » in 2000, but no evolution since then. The oldest version I could find is 0.9.6, and there’s no command-line DH key generation. Regards, Erwann Abalea

Re: [openssl-users] Creating an X25519-based Certificate

2016-06-30 Thread Erwann Abalea
Ok, you’re talking about OpenSSL command line tool only, I missed that part. The solution should then be to modify apps/ca.c:certify() function to add an arg, and avoid the call to X509_REQ_verify when desired. Regards, Erwann Abalea On 29 June 2016 at 19:17, Michael Scott mailto:mike.sc

Re: [openssl-users] Creating an X25519-based Certificate

2016-06-29 Thread Erwann Abalea
are defined for this OID -> cert.signatureAlgorithm.parameters * a canonical encoding for the signature value is defined, so it can be enclosed into cert.signatureValue All this is being discussed at CFRG. Regards, Erwann Abalea On 29 June 2016 at 16:46, Michael Scott mailto:m

Re: [openssl-users] (SPAM) I: Question on ccm mode in openssl

2016-05-24 Thread Erwann Abalea
Hello, CCM mode is already implemented in OpenSSL. Regards, Erwann Abalea On 24 May 2016 at 17:43, Christian Adja <christian_a...@yahoo.it> wrote: On Tuesday 24 May 2016 17:21, Christian Adja <christian_a...@yahoo.it> wrote: Good morning,

Re: [openssl-users] Is the structure of this CMS object correct?

2016-02-09 Thread Erwann Abalea
Hello Stephan, On 9 Feb. 2016 at 12:29, Stephan Mühlstrasser <s...@pdflib.com> wrote: On 09.02.16 at 11:53, Erwann Abalea wrote: Hello, On 9 Feb. 2016 at 10:15, Stephan Mühlstrasser <s...@pdflib.com> wrote: ...

Re: [openssl-users] Is the structure of this CMS object correct?

2016-02-09 Thread Erwann Abalea
Hello, On 9 Feb. 2016 at 10:15, Stephan Mühlstrasser <s...@pdflib.com> wrote: Hi, I'm trying to decrypt a DER-encoded CMS object (created by Adobe Acrobat) with OpenSSL 1.0.2d: $ openssl cms -decrypt -in recipient.bin -inform DER -inkey atssecp521r1.key -recip atssecp521r1.pem E

Re: [openssl-users] OCSP service dependant on time valid CRLs

2015-12-11 Thread Erwann Abalea
revoked. Such an OCSP service, responding « Revoked », wouldn’t be strictly compliant. Erwann Abalea erwann.aba...@docusign.com On 10 Dec. 2015 at 20:07, socket <danbrya...@gmail.com> wrote: Thanks for chiming in Erwann. This OCSP se

Re: [openssl-users] OCSP service dependant on time valid CRLs

2015-12-10 Thread Erwann Abalea
certificate as revoked. « tryLater » is also a correct answer, even « internalError » if we consider the CRL as part of the internal state of the responder. Erwann Abalea erwann.aba...@docusign.com On 10 Dec. 2015 at 18:29, socket mailto:danbrya...@gma

Re: [openssl-users] using openssl to validate an external AES program

2015-10-09 Thread Erwann Abalea
a7b0430d8cdb78070b4c55a > > i get the following > > :~/git/aes/openssl$ od -x clear2.txt > 000 1100 3322 5544 7766 9988 bbaa ddcc ffee > 020 > :~/git/aes/openssl$ openssl enc -nosalt -in clear2.txt -out encrypted.dat -e > -aes-1

Re: [openssl-users] Why openssl 1.0.1p accepts composite $q$ in DSA?

2015-09-09 Thread Erwann Abalea
Hello, > On 9 Sept. 2015 at 14:17, Georgi Guninski wrote: > > On Wed, Sep 09, 2015 at 12:07:43PM +, Viktor Dukhovni wrote: >>> >>> Are you saying I can't sign the cert with another cert >>> (the pubkey is easy to extract from the cert) with openssl? >> >> If you control a trusted root

Re: [openssl-users] Converting Bin format to X509 format

2015-07-22 Thread Erwann Abalea
want to sign certificates (either subCA or subscriber, it doesn’t matter). That’s how I understood your question. If you want to do all this using only openssl CLI, that’s doable with a specially crafted config file declaring your engine and its parameters. Regards, Erwann Abalea > On

Re: [openssl-users] Converting Bin format to X509 format

2015-07-22 Thread Erwann Abalea
» element (not its BIT STRING structure, only the inner content). What is missing is all the rest, and it can’t be produced by the sole « openssl x509 … » command. Please refine your question. Regards, Erwann Abalea > On 22 Jul. 2015 at 11:17, Anirudh Raghunath > wrote: > > H

Re: [openssl-users] OCSP: ocsp.omniroot.com/baltimore/... - what is it exactly?

2015-04-30 Thread Erwann Abalea
Hello, On 30/04/2015 19:44, Tomasz Chmielewski wrote: This might not be very relevant to OpenSSL, but I'm not sure if there is any better list for this question... My webserver is getting flooded with queries like: ocsp.omniroot.com 124.205.254.7 - - [30/Apr/2015:19:24:30 +0200] "GET /b

Re: [openssl-users] NID_Name equivalent in a certificate

2015-04-29 Thread Erwann Abalea
Hello, NID_name corresponds to the OID id-at-name. There's no "equivalent field in a certificate" that maps to an OID. The OID id-at-name designs the attribute supertype "name", which shouldn't be present in a certificate, but can nevertheless be present. Anywh

Re: [openssl-users] Delete a post to openssl-user mailing list

2015-04-22 Thread Erwann Abalea
Hello, The password "pwd1234" is obviously a test one, as is the file path "c:/work/mypemfile.pem". Knowing that you're using OpenSSL 1.0.2a shouldn't be a problem either. What is the security risk? -- Erwann ABALEA On 22/04/2015 15:55, Vollaro, John wrote

Re: [openssl-users] Fwd to openssl-users Re: [openssl-dev] Why the issuer cannot be found?

2015-04-06 Thread Erwann Abalea
ed to the validation algorithm. On 03/04/2015 10:56, Erwann Abalea wrote: > (Forwarded to openssl-users) > > The subjectName of file4.pem matches the issuerName of > file3.pem, the signature block in file3.pem, when verified > with the public key of file4.pem, gives a correct si

[openssl-users] Fwd to openssl-users Re: [openssl-dev] Why the issuer cannot be found?

2015-04-03 Thread Erwann Abalea
.pem.SKI matches file3.pem.AKI, and refuses to go further (here, AKI doesn't match SKI). -- Erwann ABALEA On 03/04/2015 03:10, Yuting Chen wrote: I used OpenSSL to verify a certificate file (file3.pem) against another certificate file (file4.pem). OpenSSL reports that it cannot fin

[openssl-users] Fwd to openssl-users, Re: [openssl-dev] Reminder: OpenSSL's EC private key encoding is broken

2015-03-24 Thread Erwann Abalea
The private key is a random integer in [1, p-1], not in [2^(log2(p)-1), (2^log2(p))-1]. In DER, an INTEGER is always expressed using the smallest possible number of octets. "001a" is an integer equal to "001a", but it will be represented as "1a". -- Erwa

Re: [openssl-users] [openssl-dev] [openssl.org #3726] Cocoapods install BUG

2015-03-02 Thread Erwann Abalea
It seems all the tarballs have disappeared. -- Erwann ABALEA On 02/03/2015 18:06, Alex Sklyar via RT wrote: Hello guys. There is an issue with openssl pod installing with cocoapods tool. The URL «https://www.openssl.org/source/openssl-1.0.2.tar.gz» is dead

Re: [openssl-users] S/MIME mime type application/octet-stream

2014-11-06 Thread Erwann Abalea
I'm pretty sure it's ugly, suboptimal, and whatever. It WORKSFORME, on an indefinite length signature as well as the corresponding definite one recreated by OpenSSL. I haven't contemplated the idea of parsing ASN.1/BER in magic(5) parlance. -- Erwann ABALEA On 06/11/2014 17:24, Jan Hejl

Re: [openssl-users] OpenSSL X509 Parse Error with Elliptice curve Public Key

2014-10-20 Thread Erwann Abalea
Your EC point is on the brainpoolP256r1 curve. This curve isn't supported by OpenSSL (yet). -- Erwann ABALEA On 20/10/2014 10:16, Harakiri wrote: I'm getting the following error using openssl x509 -inform DER -in cms_cert.der -text 140026491385512:error:100D7010:elliptic

Re: [openssl-users] Is it possible to disable SSLv3 for all openssl-enabled applications via settings in openssl.cnf?

2014-10-16 Thread Erwann Abalea
Would you like all your OpenSSL-enabled applications to be configured all the same, with the same protocols and same ciphersuites? -- Erwann ABALEA On 15/10/2014 23:56, Todd Pfaff wrote: I'd like to be able to disable SSLv3 for all openssl-enabled applications in a single configur

Re: Query reg multiple CA-Cert in list with same subject

2014-06-10 Thread Erwann Abalea
ven a set of CA certificates. If your gateway software is a commercial software, please report this misbehaviour to the vendor. -- Erwann ABALEA On 10/06/2014 09:08, Mukesh Yadav wrote: Hi, I have a query for Ca-Cert list. If at gateway we have configured two CA-certs A1 and A2 both h

Re: [openssl-users] OpenSSL on Mac

2014-04-01 Thread Erwann Abalea
Darwinports. -- Erwann ABALEA On 31/03/2014 21:18, Landen Landens wrote: My Mac still has OpenSSL 0.9.8. How may I update this to the latest stable version? I believe the latest stable version is at least 1.0.01

Re: [openssl-users] Re: OpenSSL PKI Tutorial updated

2014-03-27 Thread Erwann Abalea
On 27/03/2014 11:14, Jeffrey Walton wrote: On Thu, Mar 27, 2014 at 5:47 AM, Stefan H. Holek wrote: On 25.03.2014, at 17:44, Zack Williams wrote: ... 3. Is there a reason to not set a pathLen in the basicConstraints section of the Root CA's (to 1, to allow a maximum of one layer of CA's bel

Re: [openssl-users] Re: OpenSSL PKI Tutorial updated

2014-03-26 Thread Erwann Abalea
On 25/03/2014 23:08, Zack Williams wrote: On Tue, Mar 25, 2014 at 10:54 AM, Erwann Abalea wrote: 2. I couldn't figure out what the [additional_oids] section of the Expert example's root-ca.conf file is for - either through research or going through the commit history. Could you

Re: [openssl-users] Re: OpenSSL PKI Tutorial updated

2014-03-25 Thread Erwann Abalea
On 25/03/2014 17:44, Zack Williams wrote: On Fri, Mar 21, 2014 at 12:25 AM, Stefan H. Holek wrote: I have updated the OpenSSL PKI Tutorial at Read the Docs. The tutorial provides three complete PKI examples you can play through and the prettiest configuration files this side of Neptune. Ch

Re: [openssl-users] openssl-0.9.8j has problem with Google HTTPS using SSLv3

2014-02-21 Thread Erwann Abalea
Hello, It seems OpenSSL 0.9.8j doesn't like receiving a "New Session Ticket" message over an SSLv3 session, even when it sends an empty session ticket in its ClientHello message. Possible solutions: -tls1 instead of -ssl3 add -no_ticket -- Erwann ABALEA On 21/02/2014

Re: [openssl-users] MODSSL: RFC 2560

2014-01-14 Thread Erwann Abalea
Good evening, On 14/01/2014 19:44, socket wrote: Hey all, I am wondering if anyone here could point me in the right direction or even assist with a problem I am having. According to RFC 2560: All definitive response messages SHALL be digitally signed. The key used to sign the response MUST

Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-13 Thread Erwann Abalea
Don't regret it, it wasn't that bad ;) -- Erwann ABALEA On 13/12/2013 20:39, andrew cooke wrote: sorry, that was a bad joke i now regret sending. andrew On Fri, Dec 13, 2013 at 04:01:23PM -0300, Andrew Cooke wrote: it depends how many characters differ when sorted. in this ca

Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-13 Thread Erwann Abalea
On 13/12/2013 19:30, Walter H. wrote: On 12.12.2013 14:16, Erwann Abalea wrote: It's not strange. You removed the RSA-* from client side, the result is that the server can't match anything in common between what the client proposed and what the server accepts. The error you ge

Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-12 Thread Erwann Abalea
It's not strange. You removed the RSA-* from client side, the result is that the server can't match anything in common between what the client proposed and what the server accepts. The error you get has been sent by the server. -- Erwann ABALEA On 11/12/2013 22:34, Walter H. wrote

Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-11 Thread Erwann Abalea
t - setup your server to only allow (EC)DHE key exchange mechanisms, by tweaking its acceptable ciphersuites -- Erwann ABALEA On 11/12/2013 20:29, Walter H. wrote: [...] can please someone tell me why I get in FF (in an old 3.6 and in an relatively actual one 24.2esr) This Connection is

Re: [openssl-users] Re: Bad OIDs

2013-11-29 Thread Erwann Abalea
On 29/11/2013 17:53, Erwann Abalea wrote: On 29/11/2013 16:25, Dr. Stephen Henson wrote: Changing OIDs in the table is problematical. If anything uses them it could break them in all sorts of ways. The NID_* entries would change and text based lookup would no longer work. The reference

Re: [openssl-users] Re: Bad OIDs

2013-11-29 Thread Erwann Abalea
On 29/11/2013 16:25, Dr. Stephen Henson wrote: On Thu, Nov 28, 2013, Erwann Abalea wrote: How nice, they're asking for a self-signed certificate to include a specific EKU to indicate it's a Trust Anchor, and the OID used for this has never been allocated. Crazy. I just looked at

Re: [openssl-users] Re: Bad OIDs

2013-11-29 Thread Erwann Abalea
On 28/11/2013 22:18, Rob Stradling wrote: On 28/11/13 15:14, Erwann Abalea wrote: How nice, they're asking for a self-signed certificate to include a specific EKU to indicate it's a Trust Anchor, and the OID used for this has never been allocated. Crazy. It's crazier than

Bad OIDs (was: Re: Verification of a x509 certificate signature)

2013-11-28 Thread Erwann Abalea
t have never been defined by PKIX. RFC5906 uses a "trustRoot" EKU, without any OID being proposed or referenced. Your certificate includes the later one in the EKU extension. -- Erwann ABALEA On 28/11/2013 14:26, Dereck Hurtubise wrote: It is NTP indicating that this certificate

Re: [openssl-users] CA certificate bundle bogus certs

2013-11-25 Thread Erwann Abalea
d as a result explicitly distrusted certificates, such as bogus live.com cert, but also DigiNotar CA certificates, MD5-collision CA, other bogus certs (gmail, yahoo, etc), and CA certificates not trusted for SSL use. Don't use that file, at all. -- Erwann ABALEA

Re: [openssl-users] Need to send CN attribute in TeletexString/T61String format for ASN1DN Id and certificate

2013-11-25 Thread Erwann Abalea
efer UTF8String. -- Erwann ABALEA On 25/11/2013 15:15, Sanjay Kumar (sanjaku5) wrote: Hi, We need to send CN attribute in TeletexString format for ASN1DN Id and certificate. Does openssl support for TeletexString/ T61String(T61String, an arbitrary string of T.61 (eight-bit) characters

Re: [openssl-users] OpenSSL doesn't treat RFC 3280 validations as an error?

2013-11-13 Thread Erwann Abalea
On 13/11/2013 13:30, Igor Sverkos wrote: Hello, thank you for your response. There's one thing in your reply I don't understand: Erwann Abalea wrote: >> It seems to be a valid certificate for OpenSSL, right? > > OpenSSL can parse it, yes. > > [...] >

Re: [openssl-users] Re: OpenSSL doesn't treat RFC 3280 validations as an error?

2013-11-13 Thread Erwann Abalea
UTF8String (SIZE (1..MAX)), bmpString BMPString (SIZE (1..MAX)) } Nearly every attribute type is encoded as a DirectoryString. An empty element doesn't respect the size constraint, so is invalid. -- Erwann ABALEA On 13/11/2013 11:48, Ben Laurie wrote: On 13 Nov

Re: [openssl-users] OpenSSL doesn't treat RFC 3280 validations as an error?

2013-11-13 Thread Erwann Abalea
Hello, On 13/11/2013 11:35, Igor Sverkos wrote: Hi, please see the following certificate: -BEGIN CERTIFICATE- MIIEbTCCA1WgAwIBAgICLgAwDQYJKoZIhvcNAQEFBQAwQDELMAkGA1UEBhMCVVMx [...] uKnvqzQP10A7f3PBsGYRA2DCeMDavaEoizJnNyjCOQx4 -END CERTIFICATE- It seems to be a valid certi

Re: [openssl-users] Is aesni-intel module required for openssl

2013-11-07 Thread Erwann Abalea
The Linux kernel module isn't necessary for OpenSSL. -- Erwann ABALEA On 07/11/2013 06:48, sarav.sars wrote: Is it necessary to load aesni-intel module like 'modprobe aesni-intel' ? Loading this module makes no difference in opens

Re: [openssl-users] Re: connection problem with the version 1.0.1e

2013-10-14 Thread Erwann Abalea
On 11/10/2013 19:57, nehakochar wrote: Erwann ABALEA wrote The server and client are both compliant. With the first command, you tell the client to use TLS1.0 only. No more, no less. The server is ok with it, and both negotiate TLS1.0. With the second command, you tell the client to use

Re: [openssl-users] Re: connection problem with the version 1.0.1e

2013-10-11 Thread Erwann Abalea
Hello, On 11/10/2013 03:35, nehakochar wrote: Rajesh Malepati wrote On Wed, Jul 24, 2013 at 9:30 PM, kirpit < kirpit@ > wrote: The server doesn't seem to care to respond to clients supporting TLS 1.2 ok: openssl s_client -tls1 -connect emea.webservices.travelport.com:443 no reply: ope

Re: [openssl-users] Updating key size - security related questions

2013-10-10 Thread Erwann Abalea
Hello, On 10/10/2013 18:29, int0...@safe-mail.net wrote: Hi, I've been asking this on the OpenVPN mailinglist, but didn't get an answer so far. Therefore I hope you can help me. We use OpenVPN in our company with the default cipher suite, which should be: DHE_RSA_BF_CBC_SHA So RSA is us

Re: [openssl-users] Re: adding certificate policies extension in CSR

2013-09-09 Thread Erwann Abalea
The requestor is allowed to ask for any extension it wants. The CA will do its job, ignore those requested extensions, and place the good ones in the certificate. It can also change the subject name contained in the certificate. -- Erwann ABALEA On 09/09/2013 11:21, phildoch wrote: Oh I

Re: [openssl-users] Precedence of URL between configured one and provided in AIA filed.

2013-09-03 Thread Erwann Abalea
That's software dependant. Either one is a valid responder, and either response has the same value, there's no "priority". -- Erwann ABALEA On 02/09/2013 10:27, deepak.kathuria wrote: Hi, I am using openssl OCSP utility as OCSP Responder in linux platform. At OCSP Req

Re: [openssl-users] X509 CRLs

2013-08-27 Thread Erwann Abalea
Hello, On 27/08/2013 18:14, Thaddeus Fuller wrote: Hello all, I had a couple questions about X509 CRLs. 1) It appears that OpenSSL does not check my tree against the CRLs I provide. If I revoke my own leaf certificate, and establish mutually-authenticated SSL, OpenSSL does not prevent t

Re: [openssl-users] RE: CA hierarchy / pathlen:0

2013-08-22 Thread Erwann Abalea
Hello, On 22/08/2013 14:56, Peter1234 wrote: You misunderstand how it’s supposed to work. OpenSSL does not prevent you from signing anything. It can’t; for example, you could use other software and generate the signature. Instead, when the recipient gets a certificate, and verifies the ch

Re: [openssl-users] Re: Displaying cert with ecdsa

2013-08-19 Thread Erwann Abalea
Le 16/08/2013 20:10, Robert Moskowitz a écrit : On 08/14/2013 05:37 PM, Dave Thompson wrote: From: owner-openssl-us...@openssl.org On Behalf Of Robert Moskowitz Sent: Wednesday, 14 August, 2013 15:49 I have a CA cert in pem format that uses ecdsa. I have tried to display the contents with: op

Re: [openssl-users] Country Name field in CA generated by openssl is encoded as PRINTABLESTRING

2013-06-21 Thread Erwann Abalea
countryName is ALWAYS a PrintableString, and is ALWAYS 2 characters long. See X.520 for a normative definition, included in RFC5280 for information. -- Erwann ABALEA On 20/06/2013 18:33, phildoch wrote: Country Name field in CA generated by openssl is encoded as PRINTABLESTRING while other

Re: [openssl-users] Certificate chain issue

2013-06-04 Thread Erwann Abalea
Try these: - split the certificates from your CA/cecert.pem into individual files with correct hashes - run "strace -eopen openssl verify -CApath client.cert" -- Erwann ABALEA On 04/06/2013 09:02, Leon Brits wrote: Hi all, I have just created a new CA which has the ex

Re: [openssl-users] Display CSR w/ subjectAltName

2013-05-23 Thread Erwann Abalea
Are you sure there's a SAN extension in the displayed CSR? Dump the entire content with asn1parse. -- Erwann ABALEA On 23/05/2013 17:41, Craig White wrote: I want to be able to view CSR's with subjectAltName's but I can't figure out any way to make it happen. I have

Re: [openssl-users] How to create CSR with SN attribute

2013-05-22 Thread Erwann Abalea
That question has been answered a few days ago. Here's an example: openssl req -new -newkey rsa:2048 -keyout dumb.key -nodes -out dumb.req -subj "/C=UT/O=Whatever/GN=Per/SN=Edlund" -- Erwann ABALEA Le 20/05/2013 16:47, Per Edlund a écrit : Hello! I need to create a key an

Re: [openssl-users] openssl req -x509 Serial Number

2013-04-29 Thread Erwann Abalea
Le 28/04/2013 20:26, redpath a écrit : When an x509 is created using the openssl command it creates a default serial number if one is not supplied How is this serial number created (algorithm) in general. A 64bits random number. openssl req -x509 etcetera The default serial number is quite lon

Re: [openssl-users] RE: extended x509 custom, Attributes and BEGIN Certificate size

2013-04-27 Thread Erwann ABALEA
Okay but it seems duplicate in information. The extended attributes have > information and the PEM has the base64 encoding below. Is there a way not to > have this duplicate info for efficient size? -- Erwann ABALEA __

Re: [openssl-users] X509 custom extension

2013-04-26 Thread Erwann Abalea
Bonjour, Le 26/04/2013 15:15, redpath a écrit : I am adding a custom extension to an x509 a png icon basically (bytes). Since the png icon is too large to post the data I have substituted it with a file called sample.txt that has a text line "This is a sample". The code excerpt to add the extensi

Re: [openssl-users] handling of expired certificates

2013-04-24 Thread Erwann Abalea
vents that may now declare your certificate as revoked. Verify the validity of the certificate at the current time. If you want to periodically check for the validity of the certificate because you're using it for a looong session, that's up to you. -- Erwann ABALEA Le 23/0

Re: [openssl-users] Re: [openssl-dev] MD5 in openSSL internals

2013-04-23 Thread Erwann Abalea
attack on collision of both MD5 and SHA1 at the same time. -- Erwann ABALEA Le 23/04/2013 14:28, David Jacobson a écrit : Careful about this. The technically correct answer is misleading. Yes, MD5 is used in the PRF, but it is XORed with SHA1. So you get at least the strength of stronger

Re: [openssl-dev] MD5 in openSSL internals

2013-04-23 Thread Erwann Abalea
ut I think you could define your own with TLS1.0). -- Erwann ABALEA Le 23/04/2013 08:29, Venkataragavan Narayanaswamy a écrit : Hi, We are currently analyzing and understanding the security strength of the openSSL internal implementation to certify the products. In version 0.9.8d, TLSv1.0

Re: [openssl-users] Re: SSL / SMTP

2013-04-17 Thread Erwann Abalea
Le 17/04/2013 18:40, Joan Moreau a écrit : Le 17/04/2013 14:18, Viktor Dukhovni a écrit : On Wed, Apr 17, 2013 at 07:24:23AM +, Joan Moreau wrote: 2013-04-17T09:17:36.573675+02:00 server postfix/smtpd[16725]: warning: TLS library problem: 16725:error:140D308A:SSL routines:TLS1_SETUP_KEY_

Re: [openssl-users] how to STORE encrypted string in database

2013-03-28 Thread Erwann Abalea
store your encrypted value as binary data. In fact, following your link, those are the first 2 answers... -- Erwann ABALEA Le 28/03/2013 19:08, Jevin Sonut a écrit : hi, i have encrypted a string using Blowfish from Openssl library i got the following string A▓☼LÝ$øä²↓j╗ú¤Ä:ðï▲ i inserted the d

Re: [openssl-users] Offline Root CA and CRL generation

2013-03-15 Thread Erwann Abalea
Le 15/03/2013 17:01, Sven Dreyer a écrit : Hi Erwann, Am 15.03.2013 16:16, schrieb Erwann Abalea: You can generate a self-issued certificate dedicated to CRL signing (same name, different key, signed by your root). That's acceptable for RFC5280, but you'll have to check with your cl

Re: [openssl-users] Offline Root CA and CRL generation

2013-03-15 Thread Erwann Abalea
C5280, but you'll have to check with your clients. And find a way to distribute this certificate. -- Erwann ABALEA Le 15/03/2013 15:53, Sven Dreyer a écrit : Hi List, I would like to setup an OpenSSL-based offline Root CA. Certificates issued by this Root CA contain a CDP. I would lik

Re: [openssl-users] Validation error on generated csr

2013-03-15 Thread Erwann Abalea
Bonjour, Le 15/03/2013 14:07, Tim Tassonis a écrit : Hi I am trying to generate a csr in a c program by having the signing part done by pkcs11 calls, and while I get no errors, the resulting csr fails upon validation: $ openssl req -verify -in wltx.csr verify failure 2948:error:0D07207B:asn

Re: [openssl-users] using multiple keys

2013-03-15 Thread Erwann Abalea
Le 15/03/2013 13:54, Ewen Chan a écrit : Sorry, my bad. Wrong terminology. (The AES wiki says that it uses a key.) But I was really thinking about multiple passphrases. And from this passphrase, a key and IV can be generated. It's easier to remember a passphrase than a bunch of hex digits

Re: [openssl-users] Re: having a lot of troubles trying to get AES-NI working

2013-03-15 Thread Erwann Abalea
D result (only inside OpenSSL), and alter its behaviour. It's not resistant to a reboot, it's only process dependent. Compare the following results: * OPENSSL_ia32cap="~0x202" openssl speed -elapsed -evp aes-128-cbc * openssl speed -elapsed -evp aes-128-c

Re: [openssl-users] using multiple keys

2013-03-15 Thread Erwann Abalea
"openssl enc" encrypts one file at a time, and can read the first line of a file to get the passphrase (in order to derive key and iv). If you want to provide your own key and iv, you have to do it as command line arguments. Key management is out of scope. -- Erwann ABALEA Le 15/03/

Re: [openssl-users] specifying the number of rounds that I would like to use with AES-192-CBC

2013-03-13 Thread Erwann Abalea
Le 13/03/2013 20:06, Ewen Chan a écrit : I'm asking about the '-engine aesni' flag because when I google "openssl aes-ni" - that's what comes up. I've never used it before, but I'm about to as I've recently acquired a system that supports AES-NI. I'm also asking because I'm about to encrypt a w
