On 3/17/21 9:48 PM, tincanteksup wrote:
On 18/03/2021 01:22, Robert Moskowitz wrote:
On 3/17/21 8:17 PM, Viktor Dukhovni wrote:
Well, CSRs are self-signed, and X25519 does not support signing, so
you CANNOT have an X25519 CSR.
Slap myself on the forehead
Of course I know that
On 3/17/21 8:17 PM, Viktor Dukhovni wrote:
On Wed, Mar 17, 2021 at 07:44:05PM -0400, Robert Moskowitz wrote:
I have created my X25519 pub/priv keypair with:
openssl genpkey -algorithm X25519\
-out $dir/private/$clientemail-X.key.$format
Are you sure you didn't want ed25519 in
On 3/17/21 7:22 PM, Viktor Dukhovni wrote:
On Wed, Mar 17, 2021 at 05:50:41PM -0400, Robert Moskowitz wrote:
I have created my X25519 pub/priv keypair with:
openssl genpkey -algorithm X25519\
-out $dir/private/$clientemail-X.key.$format
Are you sure you didn't want ed25519 in
I have created my X25519 pub/priv keypair with:
openssl genpkey -algorithm X25519\
-out $dir/private/$clientemail-X.key.$format
And displays properly with:
openssl pkey -in $dir/private/$clientemail-X.key.$format -text -noout
So now to make the csr with:
openssl req -config $dir/openssl-
On 8/29/19 9:20 AM, Michael Richardson wrote:
Robert Moskowitz wrote:
> I am writing an Internet Draft that will include transmission of a CSR,
so I
> need to reference the proper source. No more sloppy, "well it works...".
> Some digging said it is in PK
On 8/29/19 11:20 AM, Salz, Rich wrote:
A CSR is most commonly a PKCS#10 object and therefore defined in ASN.1
and encoded in DER.
https://github.com/openssl/openssl/blob/master/crypto/include/internal/x509_int.h#L53
thanks, Rich
It all fits together now
here was a reference point to Grace Hopper saying this in '58.
Regards,
Uri
Sent from my iPhone
On Aug 28, 2019, at 17:49, Robert Moskowitz <mailto:r...@htt-consult.com>> wrote:
CSR is an object in a container that goes over a 'wire'. Sometimes
the wire is very small
is basically an assertion that includes pubkey,
proof of possession of the private key, and any request elements
required by policy. It's a one-time document that needs to be
validated precisely once.
On Wed, Aug 28, 2019 at 6:49 AM Robert Moskowitz <mailto:r...@htt-consult.com>>
ng a SPKAC formatted
request instead. See `openssl spkac` and https://en.wikipedia.org/wiki/SPKAC
for more info.
Considering the process, the PKCS10 fits better.
thanks for the references.
On 8/28/19, 6:49 AM, "openssl-users on behalf of Robert Moskowitz"
wrote:
I am writi
I am writing an Internet Draft that will include transmission of a CSR,
so I need to reference the proper source. No more sloppy, "well it
works...".
Some digging said it is in PKCS#10 - CSR. But I did not stop with that.
A bit more googling lead me to RFC 4211...
When I create a CSR with:
Does openssl (and the CLI) support cSHAKE (NIST SP800-185)?
Or is there a way to use the SHAKE support to get cSHAKE behavior?
thanks
development to closely follow
8002. Still thinking on all this.
Thank you on your help
Cordialement,
Erwann Abalea
Le 16/08/2019 17:11, « openssl-users au nom de Robert Moskowitz »
a écrit :
Viktor,
On 8/16/19 8:41 AM, Viktor Dukhovni wrote:
>> On Aug
Viktor,
On 8/16/19 8:41 AM, Viktor Dukhovni wrote:
On Aug 16, 2019, at 6:13 AM, Salz, Rich via openssl-users
wrote:
subjectAltName is rarely marked as critical; sec 4.2.1.6 of PKIX says "SHOULD mark
subjectAltName as non-critical"
This is wrong. When the subject DN is empty, the subjectAl
I run CentOS on them, so all I need to find
are rpms for something to test it out...
Pauli
--
Dr Paul Dale | Distinguished Architect | Cryptographic Foundations
Phone +61 7 3031 7217
Oracle Australia
On 16 Aug 2019, at 7:31 pm, Robert Moskowitz <mailto:r...@htt-consult.com>> wro
On 8/16/19 7:58 AM, Salz, Rich wrote:
In the same paragraph, the sentence before the one you're quoting says "If the
subject field contains an empty sequence, then the issuing CA MUST include a
subjectAltName extension that is marked as critical."
I will run another test today an
On 8/16/19 5:26 AM, Chitrang Srivastava wrote:
Hi,
I am working on an embedded platform and now ported openssl 1.1.1b
TLS 1.2/1.3 is working fine.
While analysing random number , Rand pool initialization calls where I
am returning like this ,
size_t *rand_pool_acquire_entropy*(RAND_POOL *poo
hierarchies run by the hypothetical EXample conglomerate in
THailand, where the xy part is a very short name assigned by that
conglomerate to the issuing central CA or factory intermCA.
On 15/08/2019 18:49, Robert Moskowitz wrote:
On 8/14/19 6:47 PM, Michael Richardson wrote:
Robert Moskowit
On 8/15/19 4:13 PM, Salz, Rich wrote:
subjectAltName is rarely marked as critical; sec 4.2.1.6 of PKIX says "SHOULD mark
subjectAltName as non-critical"
Fine with me.
I can believe that OpenSSL doesn't support empty subjectName's. An empty one,
with no relative disintuished name compone
There are a number of things I am not clear on, and so far my searching
and reading is coming up short.
If there is no subjectName, only subjectAltName, is the subjectName
still present in the cert only empty or is it totally gone.
I have found that if I put
-subj /
in the openssl req, I en
On 8/14/19 6:47 PM, Michael Richardson wrote:
Robert Moskowitz wrote:
> I am fiddling around with an intermediate CA signing cert that the CA's
> 'name' is it HIP (RFC 7401) HIT which is a valid IPv6 address. Actually a
> Hierarchical HIT as in draft-mo
Developing saga on creating an intermediate CA cert with only CN and
said CN should be:
CN=IPv6::2001:24:28:24/64
Note that / in CN that seems to be a challenge.
commonName="/CN=IPv6::2001:24:28:24/64"
DN=$commonName
echo $DN
openssl req -config $cadir/openssl-root.cnf\
-ke
On 8/14/19 3:26 PM, Salz, Rich wrote:
RFC 8002 (with a null subjectName), but a CA cert MUST have a non-empty
subjectName.
Non-empty subjectName or non-empty commonName within the subject name?
Shrug. Doesn't matter, I guess. Just populate it with the string version of
the HIT n
On 8/14/19 11:21 AM, Jakob Bohm via openssl-users wrote:
On 14/08/2019 04:55, Robert Moskowitz wrote:
I am fiddling around with an intermediate CA signing cert that the
CA's 'name' is it HIP (RFC 7401) HIT which is a valid IPv6 address.
Actually a Hierarchical HIT as in
On 8/14/19 8:42 AM, Matt Caswell wrote:
On 14/08/2019 13:21, Robert Moskowitz wrote:
On 8/14/19 6:22 AM, Matt Caswell wrote:
On 14/08/2019 11:06, Robert Moskowitz wrote:
I googled how to convert a PEM public key to DER and only found examples for RSA
keys. Mine are ed25519. I thought
On 8/14/19 6:22 AM, Matt Caswell wrote:
On 14/08/2019 11:06, Robert Moskowitz wrote:
I googled how to convert a PEM public key to DER and only found examples for RSA
keys. Mine are ed25519. I thought it would be a simple algorithm substitution:
$ openssl ed25519 -pubin -inform PEM -in
I googled how to convert a PEM public key to DER and only found examples
for RSA keys. Mine are ed25519. I thought it would be a simple
algorithm substitution:
$ openssl ed25519 -pubin -inform PEM -in $dir/private/intermediate.key.pem\
> -outform DER -out $dir/private/intermediate.key.der
I
I am fiddling around with an intermediate CA signing cert that the CA's
'name' is it HIP (RFC 7401) HIT which is a valid IPv6 address. Actually
a Hierarchical HIT as in draft-moskowitz-hierarchical-hip (to be revised
soon).
For a client cert, it would be easy to put the HIT in subjectAltName p
Fedora 29 beta just provided (in testing-update repo):
openssl-1.1.1-2.fc29.armv7hl.rpm
Against this version, I successfully produced by ED25519 pki per:
https://github.com/rgmhtt/draft-moskowitz-eddsa-pki
I have some minor textual edits to make in the draft and then submit
it. Then I can al
/2018 10:19 AM, Jakob Bohm wrote:
On 04/09/2018 15:43, Robert Moskowitz wrote:
And I seem to recall that one bit is for compact representation. That
is, is y positive or negative. With p256, you have to transmit x and
y or deal with the compact representation patent.
Not sure if this appli
And I seem to recall that one bit is for compact representation. That
is, is y positive or negative. With p256, you have to transmit x and y
or deal with the compact representation patent.
On 09/04/2018 08:00 AM, Kyle Hamilton wrote:
Probably because the definition of X25519 requires that bits
On 08/27/2018 04:55 PM, Benjamin Kaduk via openssl-users wrote:
On Mon, Aug 27, 2018 at 04:38:24PM -0400, Robert Moskowitz wrote:
On 08/27/2018 04:07 PM, Hubert Kario wrote:
On Monday, 27 August 2018 20:57:53 CEST Robert Moskowitz wrote:
On 08/27/2018 02:33 PM, Hubert Kario wrote:
On
On 08/27/2018 04:07 PM, Hubert Kario wrote:
On Monday, 27 August 2018 20:57:53 CEST Robert Moskowitz wrote:
On 08/27/2018 02:33 PM, Hubert Kario wrote:
On Thursday, 23 August 2018 16:35:01 CEST Robert Moskowitz wrote:
On 08/23/2018 09:00 AM, Tomas Mraz wrote:
On Wed, 2018-08-22 at 20:08
On 08/27/2018 02:33 PM, Hubert Kario wrote:
On Thursday, 23 August 2018 16:35:01 CEST Robert Moskowitz wrote:
On 08/23/2018 09:00 AM, Tomas Mraz wrote:
On Wed, 2018-08-22 at 20:08 -0400, Robert Moskowitz wrote:
On 08/22/2018 11:48 AM, Matt Caswell wrote:
On 22/08/18 00:53, Robert Moskowitz
On 08/23/2018 09:00 AM, Tomas Mraz wrote:
On Wed, 2018-08-22 at 20:08 -0400, Robert Moskowitz wrote:
On 08/22/2018 11:48 AM, Matt Caswell wrote:
On 22/08/18 00:53, Robert Moskowitz wrote:
On 08/21/2018 06:31 PM, Matt Caswell wrote:
On 21/08/18 16:24, Robert Moskowitz wrote:
Thanks!
Once
On 08/22/2018 11:48 AM, Matt Caswell wrote:
On 22/08/18 00:53, Robert Moskowitz wrote:
On 08/21/2018 06:31 PM, Matt Caswell wrote:
On 21/08/18 16:24, Robert Moskowitz wrote:
Thanks!
Once Fedora beta picks this up, I will run my scripts against it and see
if all cases of hash with ED25519
On 08/21/2018 06:31 PM, Matt Caswell wrote:
On 21/08/18 16:24, Robert Moskowitz wrote:
Thanks!
Once Fedora beta picks this up, I will run my scripts against it and see
if all cases of hash with ED25519 are fixed.
Unfortunately the command line usability changes for this didn't make it
On 08/21/2018 11:29 AM, Viktor Dukhovni wrote:
On Aug 21, 2018, at 11:27 AM, Robert Moskowitz wrote:
Was thinking about ED488 last night. I am personally not interested in these
larger curves, but perhaps I can make my draft 'more complete' if I include 488
along with 25519.
Was thinking about ED488 last night. I am personally not interested in
these larger curves, but perhaps I can make my draft 'more complete' if
I include 488 along with 25519.
Are there any parameters beyond changing the algorithm from ed25519 to
ed488? Is a hash needed for the version of ed4
Thanks!
Once Fedora beta picks this up, I will run my scripts against it and see
if all cases of hash with ED25519 are fixed.
On 08/21/2018 08:36 AM, OpenSSL wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
OpenSSL version 1.1.1 pre release 9 (beta)
===
Oops. That is the Fedora 29 beta...
On 08/10/2018 04:44 PM, Robert Moskowitz wrote:
I have followed the procedure I made for ECDSA certs in:
draft-moskowitz-ecdsa-pki (an update is pending on typos I encountered
in this run through)
But making ED25519 certs instead.
Other than obvious
I have followed the procedure I made for ECDSA certs in:
draft-moskowitz-ecdsa-pki (an update is pending on typos I encountered
in this run through)
But making ED25519 certs instead.
Other than obvious changes (e.g. -algorithm ed25519) and hash
specification, I was successful.
My testing w
On 08/09/2018 09:34 AM, Matt Caswell wrote:
On 08/08/18 20:49, Robert Moskowitz wrote:
Finally back on working on my EDDSA pki.
Working on beta Fedora29 which now ships with:
OpenSSL 1.1.1-pre8 (beta) FIPS 20 Jun 2018
To recap, there are challenges on hash specification. In creating
Finally back on working on my EDDSA pki.
Working on beta Fedora29 which now ships with:
OpenSSL 1.1.1-pre8 (beta) FIPS 20 Jun 2018
To recap, there are challenges on hash specification. In creating
certs, I cannot have default_md line in my .cnf file, or at least for it
to = sha256. And in
On 07/27/2018 01:26 PM, Viktor Dukhovni wrote:
On Jul 27, 2018, at 1:20 PM, Robert Moskowitz wrote:
On 07/27/2018 01:14 PM, Viktor Dukhovni wrote:
On Jul 27, 2018, at 1:07 PM, Robert Moskowitz wrote:
Error Loading extension section server_cert
3065065488:error:0E06D06C:configuration file
On 07/27/2018 01:14 PM, Viktor Dukhovni wrote:
On Jul 27, 2018, at 1:07 PM, Robert Moskowitz wrote:
Error Loading extension section server_cert
3065065488:error:0E06D06C:configuration file routines:NCONF_get_string:no
value:crypto/conf/conf_lib.c:275:group=CA_default name=email_in_dn
The hits just keep on coming. Made my cert req,
openssl req -config $dir/openssl-intermediate.cnf\
-key $dir/private/$serverfqdn.key.$format \
-subj "$DN" -new -out $dir/csr/$serverfqdn.csr.$format
DN='/C=US/ST=MI/L=Oak Park/O=HTT Consulting'
then tried to make the cert with:
On 07/27/2018 12:35 PM, Viktor Dukhovni wrote:
On Jul 27, 2018, at 11:25 AM, Robert Moskowitz wrote:
3064446992:error:2006D080:BIO routines:BIO_new_file:no such
file:crypto/bio/bss_file.c:79:
variable lookup failed for CA_default::default_md
3064446992:error:0E06D06C:configuration file
on a default_md error:
openssl req -config $cadir/openssl-root.cnf\
-key $dir/private/intermediate.key.$format \
-keyform $format -outform $format -subj "$DN" -new\
-out $dir/csr/intermediate.csr.$format
format=pem
openssl rand -hex $sn > $dir/serial # hex 8 is minimu
On 07/27/2018 10:43 AM, Viktor Dukhovni wrote:
On Jul 27, 2018, at 10:36 AM, Robert Moskowitz wrote:
nyway error on the next step:
# openssl req -config $dir/openssl-root.cnf\
-set_serial 0x$(openssl rand -hex $sn)\
-keyform pem -outform pem\
-key $dir/private
genpkey worked without those options. I am going to have to look at the
RFC again, as there are different types of ed25519 certs, but how will
that work out in openssl? I will have to remember back to a
conversation at had at IETF 100...
Anyway error on the next step:
# openssl req -config
Here we go again with figuring out what to put in the command lines.
Dr. Google is not giving up enough answers.
For ecdsa I started with:
openssl genpkey -aes256 -algorithm ec\
-pkeyopt ec_paramgen_curve:prime256v1\
-outform pem -pkeyopt ec_param_enc:named_curve\
-out $dir/private/ca.key.p
On 07/26/2018 11:59 AM, Tomas Mraz wrote:
On Thu, 2018-07-26 at 10:33 -0400, Robert Moskowitz wrote:
On 07/26/2018 10:19 AM, Tomas Mraz wrote:
On Thu, 2018-07-26 at 10:10 -0400, Robert Moskowitz wrote:
On 07/26/2018 10:07 AM, Viktor Dukhovni wrote:
On Jul 26, 2018, at 9:01 AM, Robert
On 07/26/2018 11:59 AM, Tomas Mraz wrote:
On Thu, 2018-07-26 at 10:33 -0400, Robert Moskowitz wrote:
On 07/26/2018 10:19 AM, Tomas Mraz wrote:
On Thu, 2018-07-26 at 10:10 -0400, Robert Moskowitz wrote:
On 07/26/2018 10:07 AM, Viktor Dukhovni wrote:
On Jul 26, 2018, at 9:01 AM, Robert
On 07/26/2018 10:19 AM, Tomas Mraz wrote:
On Thu, 2018-07-26 at 10:10 -0400, Robert Moskowitz wrote:
On 07/26/2018 10:07 AM, Viktor Dukhovni wrote:
On Jul 26, 2018, at 9:01 AM, Robert Moskowitz wrote:
My Fedora 28 shipped with:
OpenSSL 1.1.0h-fips 27 Mar 2018
Does that have ED25519
On 07/26/2018 10:07 AM, Viktor Dukhovni wrote:
On Jul 26, 2018, at 9:01 AM, Robert Moskowitz wrote:
My Fedora 28 shipped with:
OpenSSL 1.1.0h-fips 27 Mar 2018
Does that have ED25519 support?
No. You'd need 1.1.1 for that, it is currently in beta.
No wonder Dr. Google failed m
My Fedora 28 shipped with:
OpenSSL 1.1.0h-fips 27 Mar 2018
Does that have ED25519 support?
It takes real time to set up my full test environment, and I really
don't have the time right now if I am going to have to see what is in
store for Fedora 29...
Thanks
--
openssl-users mailing list
On 09/28/2017 01:25 PM, Stuart Marsden wrote:
Hi
thanks for all the comments and suggestions, especially the ones I
could understand
centos 7
yum upgrade
openssl version gives:
OpenSSL 1.0.2k-fips 26 Jan 2017
it looks like
echo 'LegacySigningMDs md5' >> /etc/pki/tls/legacy-settings
a
On 09/27/2017 08:07 AM, Stuart Marsden wrote:
Hi
I think I know what you are going to say - MD5?
Lots of problems with that cert. If you have some connection with the
vendor, have them read IEEE 802.1AR-2009 standard for Device Identity
credentials. You will be supporting this phone diff
On 09/26/2017 08:04 PM, Kyle Hamilton wrote:
openssl x509 -noout -text -in clientcertificate.pem
You may need to extract the client certificate from wireshark, but you
could also get it from openssl s_server.
Specifically, that error message is suggesting that there's a message
digest encoded
On 09/26/2017 11:26 AM, Stuart Marsden wrote:
Hi
I have Centos/Apache servers for securely provisioning IP phones using hardware
client certificates embedded in the phones.
for this test I have allowed all protocols and ciphers
on Centos 6 this works fine, the rpms are:
openssl098e-0.9.8e-
On 09/15/2017 11:57 AM, Michael Richardson wrote:
The PEM_* routines, as documented at:
https://www.openssl.org/docs/man1.0.2/crypto/PEM_read_bio_PUBKEY.html
do not claim to read DER format input. (Actually they don't say anything about
DER).
Ruby's library uses:
pkey = PEM_read_bio_
On 09/13/2017 09:31 AM, Michael Richardson wrote:
Robert Moskowitz wrote:
> The devices never test out the lifetime of their certs. That is up to
Exactly...
(Do you think about the MacGyver/StarTrek/A-Team/Leverage/MissionImpossible
plot line that goes along with each engineer
On 09/13/2017 09:39 AM, Salz, Rich via openssl-users wrote:
An X509v3 certificate has “notBefore” and “notAfter” fields. If either of
those is not present, then it is not an X509v3 certificate. The time marked by
those fields is the validity period.
If you want “never expires” X509v3 certi
situations with scaled down CPUs, long device lifespans and support
requirements, functional validation with future time settings would
definitely be a good idea on the test plan.
Frank
Robert Moskowitz <mailto:r...@htt-consult.com>
Wednesday, September 13, 2017 12:57 AM
IEEE 802.1ARce
only possibility is to set the
duration (in days) with the command, but the command doesn't allow to
put other value rather an integer.
Thanks again
*/Alejandro J Pulido Duque/*
*De:* Robert Moskowitz
*Enviado:* m
Depends on the question
'Infinite' duration is used in IEEE 802.1AR Device Identities. The
concept is the vendor installs the certificate in read-only memory. It
is expected to be good for the life of the device.
On 09/11/2017 05:32 AM, Alejandro Pulido wrote:
Dear team of OpenSSL,
Firs
On 09/12/2017 09:38 AM, Robert Moskowitz wrote:
On 09/12/2017 09:09 AM, Dr. Stephen Henson wrote:
On Mon, Sep 11, 2017, Robert Moskowitz wrote:
I would actually really like to have a SIMPLE OCSP responder. But
so far have not found one. freeIPA has one buried within it, but
that is too
On 09/12/2017 09:09 AM, Dr. Stephen Henson wrote:
On Mon, Sep 11, 2017, Robert Moskowitz wrote:
I would actually really like to have a SIMPLE OCSP responder. But
so far have not found one. freeIPA has one buried within it, but
that is too disruptive to install unless you buy into freeIPA
On 09/11/2017 12:23 PM, Salz, Rich via openssl-users wrote:
Ah, put -sha256 in the CLIENT request. Seems kind of backward. Or at
least the server should have some control over the hash used?
Well, it is the client that is making the request, so therefore the client
n
On 09/08/2017 10:08 PM, Dr. Stephen Henson wrote:
On Fri, Sep 08, 2017, Robert Moskowitz wrote:
I am using the test responder:
openssl ocsp -port 2560 -text -rmd sha256\
-index index.txt \
-CA certs/ca-chain.cert.pem \
-rkey private/$ocspurl.key.pem
-ecdsa-pki-01.txt
Date: Fri, 08 Sep 2017 12:26:36 -0700
From: internet-dra...@ietf.org
To: Robert Moskowitz , Liang Xia
, Henk Birkholz
, Liang Xia
A new version of I-D, draft-moskowitz-ecdsa-pki-01.txt
has been successfully submitted by Robert Moskowitz and posted to the
IETF repository
I am using the test responder:
openssl ocsp -port 2560 -text -rmd sha256\
-index index.txt \
-CA certs/ca-chain.cert.pem \
-rkey private/$ocspurl.key.pem \
-rsigner certs/$ocspurl.cert.pem \
-nrequest 1
What is the SHA1 hash report about? It come
On 09/07/2017 04:13 PM, Dr. Stephen Henson wrote:
On Thu, Sep 07, 2017, Robert Moskowitz wrote:
Good progress. A few questions:
on
https://jamielinux.com/docs/openssl-certificate-authority/online-certificate-status-protocol.html
The sample server test command is:
openssl ocsp -port
Good progress. A few questions:
on
https://jamielinux.com/docs/openssl-certificate-authority/online-certificate-status-protocol.html
The sample server test command is:
openssl ocsp -port 127.0.0.1:2560 -text -sha256 \
-index intermediate/index.txt \
-CA intermediate/certs/ca-chai
On 09/06/2017 01:31 PM, Salz, Rich via openssl-users wrote:
…
$crlDP
$ocspIAI
This is not supported. You can only put variables in *values*
OK. But now I have to work out values.
Bob
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo
nt to have to use SED to edit the config file based on what
the goal is...
thanks
Bob
On 09/06/2017 12:23 PM, Robert Moskowitz wrote:
I am trying to use an environment variable to add a whole line to the
config file. This is to control adding (or not providing) CRL and/or
OCSP su
I am trying to use an environment variable to add a whole line to the
config file. This is to control adding (or not providing) CRL and/or
OCSP support.
export shows:
declare -x crlDP="crlDistributionPoints =
URI:http://www.htt-consult.com/pki/intermediate.crl.pem";
declare -x default_crl_d
On 09/05/2017 11:59 AM, Dr. Stephen Henson wrote:
On Tue, Sep 05, 2017, Robert Moskowitz wrote:
Jamie Nugyen's guide uses openssl to test OCSP with 'openssl ocsp':
https://jamielinux.com/docs/openssl-certificate-authority/online-certificate-status-protocol.html
What is
sl.org] On Behalf
Of Robert Moskowitz
Sent: Tuesday, September 05, 2017 08:43
Also he recommends password protecting the keypair. That results in
needing to provide the password at responder startup. Is this the
'normal' approach? Is the password provided in some other file (like a
respon
Jamie Nugyen's guide uses openssl to test OCSP with 'openssl ocsp':
https://jamielinux.com/docs/openssl-certificate-authority/online-certificate-status-protocol.html
What is unclear here is:
Does openssl read the index.txt file once at startup, or does it read it
with each query. From the way
Here is the URL for the paper fromusenix:
https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final228.pdf
I would like to find a more recent work as well.
On 09/01/2017 06:32 PM, Salz, Rich via openssl-users wrote:
FWIW, there’s a ‘libtls’ library from the libre folks that
On 09/01/2017 04:30 PM, Blumenthal, Uri - 0553 - MITLL wrote:
On 9/1/17, 16:26, "openssl-users on behalf of Michael Wojcik"
wrote:
Bob, I just want to say thanks for producing this. Even if it never makes
it out of I-D stage, there's a lot of useful information here.
It would
On 08/30/2017 09:22 PM, Michael Richardson wrote:
Viktor Dukhovni wrote:
> So indeed, you'd not be the first to consider a special-purpose
> concise format. It is somewhat surprising that the applications
> you're considering use X.509 certificates at all, rather than just
On 08/30/2017 10:33 AM, Viktor Dukhovni wrote:
On Wed, Aug 30, 2017 at 06:03:03AM -0400, Robert Moskowitz wrote:
I woke up a little clearer head, and realized, that a truly
constrained device won't even bother with DER, but just store the raw
keypair.
FWIW, Apple's boot firmware
ew Version Notification for draft-moskowitz-ecdsa-pki-00.txt
Date: Wed, 30 Aug 2017 06:53:03 -0700
From: internet-dra...@ietf.org
To: Robert Moskowitz , Liang Xia
, Henk Birkholz
, Liang Xia
A new version of I-D, draft-moskowitz-ecdsa-pki-00.txt
has been successfully submitted by Robert Moskowitz
Viktor,
On 08/30/2017 12:59 AM, Viktor Dukhovni wrote:
On Wed, Aug 30, 2017 at 12:17:09AM -0400, Robert Moskowitz wrote:
So back to openssl ca and deal with no way to directly create a DER
formatted cert.
Definitely a deficiency.
Not really a deficiency, as the certificates in question need
Dukhovni wrote:
On Tue, Aug 29, 2017 at 05:36:34PM -0400, Robert Moskowitz wrote:
Another problem. It is almost like it is not reading the CA selction?
Not "almost", but actually as expected, since "openssl x509 -req"
is not the ca(1) application.
openssl x509 -req -
On 08/29/2017 07:24 PM, Dr. Stephen Henson wrote:
On Tue, Aug 29, 2017, Robert Moskowitz wrote:
I started out making certs from csrs with:
openssl ca -config $dir/openssl-intermediate.cnf -extensions
usr_cert -days 375 -notext -md sha256 \
-in $dir/csr/$clientemail.csr.$format -out
Another problem. It is almost like it is not reading the CA selction?
openssl ca -config $dir/openssl-8021AR.cnf -extensions 8021ar_idevid
-notext -md sha256 \
-in $dir/csr/$DevID.csr.pem -out $dir/certs/$DevID.cert.pem
processes the default_enddate
default_enddate= 1231235959Z # p
I started out making certs from csrs with:
openssl ca -config $dir/openssl-intermediate.cnf -extensions usr_cert
-days 375 -notext -md sha256 \
-in $dir/csr/$clientemail.csr.$format -out
$dir/certs/$clientemail.cert.$format
And that worked well enough, but I found some limitations (DER)
On 08/28/2017 09:44 AM, Alan Buxey wrote:
hi,
2) How can i get the list of ciphers supported by openssl 01.01.0f ?
openssl ciphers -v ???
These question looks to be very basic but i could not find any concrete
information regarding the same googling.
Google provides the answers if your
On 08/28/2017 09:07 AM, Viktor Dukhovni wrote:
On Mon, Aug 28, 2017 at 06:13:51AM -0400, Robert Moskowitz wrote:
1) What happens to the existing SSL connections on certification expiry?
Does the openssl disconnects the existing connection?
No, once authenticated, TLS connections continue
On 08/28/2017 06:13 AM, Robert Moskowitz wrote:
On 08/28/2017 01:09 AM, mahesh gs wrote:
Hello All,
We are using openssl for providing the secured communication for our
application. I have some basic queries about the openssl behaviour.
1) What happens to the existing SSL connections on
On 08/28/2017 01:09 AM, mahesh gs wrote:
Hello All,
We are using openssl for providing the secured communication for our
application. I have some basic queries about the openssl behaviour.
1) What happens to the existing SSL connections on certification
expiry? Does the openssl disconnects
Ed25519; I am concerned about the computational cost, though (still
not clear why SHA512 and not SHAKE128). Meanwhile P256 is what is fielded.
Bob
On 08/23/2017 03:52 PM, Jakob Bohm wrote:
On 22/08/2017 22:26, Robert Moskowitz wrote:
Want to continue this thread but with new information. I built
On 08/23/2017 03:52 PM, Jakob Bohm wrote:
On 22/08/2017 22:26, Robert Moskowitz wrote:
Want to continue this thread but with new information. I built a
Fedora-arm 26 system (on a Cubieboard2) and it has openssl version
1.1.0f
I built my DER root cert (and private key) no problem.
I built
lding into a complex
bootstrap process that I don't totally agree with. And NETCONF is doing
their flavor of it. Sigh.
The IETF CORE wg is looking at this too.
I have to munch on this problem a lot more.
Bob
On 08/22/2017 10:19 AM, Viktor Dukhovni wrote:
On Aug 21, 2017, at 9:02
Want to continue this thread but with new information. I built a
Fedora-arm 26 system (on a Cubieboard2) and it has openssl version 1.1.0f
I built my DER root cert (and private key) no problem.
I built my DER Intermediate cert private key and CSR no problem.
For the following command:
sn=8
f
On 08/22/2017 10:53 AM, Salz, Rich via openssl-users wrote:
> SHA256 is not listed as a valid hash.
Many more X.509 digest algorithms are supported in this context
than (sadly) are listed in the manpage. Perhaps there should
be a command that lists all supported x.509 hash
I had a frustrating day. I looked at the documentation at:
https://www.openssl.org/docs/man1.0.2/apps/x509.html
My Fedora24 reports that I am at version 1.0.2k
I made the following comand:
openssl x509 -req -days 3650 -extensions v3_intermediate_ca -inform $format\
-in $dir/csr/intermediate.
1 - 100 of 190 matches
Mail list logo