On Fri, Aug 26, 2022 at 01:28:21PM -0700, radiatejava wrote:
> >> and then the same ECDSA key verified by the CA to sign a hash over the
> >> transcript of the handshake itself
>
> Which part of the TLS handshake you are talking about? Are you talking
> about the three messages from the client to
r secret ECDSA key).
>
> Therefore ECDHE provides key exchange and ECDSA authentication for the
> handshake, while RSA guarantees the authenticity of the Certificate.
>
>
> Best regards,
>
> Nicola Tuveri
>
> On Fri, Aug 26, 2022, 20:49 radiatejava wrote:
>>
>> I a
handshake, while RSA guarantees the authenticity of the Certificate.
Best regards,
Nicola Tuveri
On Fri, Aug 26, 2022, 20:49 radiatejava wrote:
> I am a bit confused when an RSA signed ECDSA certificate is being used in
> TLS.
> For example, if you run the test for facebook.com, you will s
I am a bit confused when an RSA signed ECDSA certificate is being used in TLS.
For example, if you run the test for facebook.com, you will see that
the certificate has ECDSA key but signed with Signature Algorithm:
sha256WithRSAEncryption.
$ openssl s_client -connect www.facebook.com:443
The
ec_pmeth.c:331:
-Original Message-
From: Michael Richardson
Sent: Tuesday, September 22, 2020 4:36 PM
To: Yan, Bob
Cc: openssl-users@openssl.org
Subject: Re: ECDSA certificate question
Yan, Bob via openssl-users wrote:
> Is there a way to generate a ECDSA certificate with SM2
Hello everybody,
Is there a way to generate a ECDSA certificate with SM2 typed public key and
ecdsa-with-SM3 as the signature algorithm in openssl 1.1.1x version?
Thank you very much!
Bob
On 2016-04-28, Viktor Dukhovni wrote:
> On Thu, Apr 28, 2016 at 07:44:53AM +0200, Danny wrote:
>
>> I've been trying to get an ECDSA certificate to work with a Postfix
>> installation lately.
>
> See also http://www.postfix.org/postfix-tls.1.html, which does all
>
iktor Dukhovni wrote:
> On Thu, Apr 28, 2016 at 07:44:53AM +0200, Danny wrote:
>
>> I've been trying to get an ECDSA certificate to work with a Postfix
>> installation lately.
>
> See also http://www.postfix.org/postfix-tls.1.html, which does all
> the magic to cre
On Thu, Apr 28, 2016 at 07:44:53AM +0200, Danny wrote:
> I've been trying to get an ECDSA certificate to work with a Postfix
> installation lately.
See also http://www.postfix.org/postfix-tls.1.html, which does all
the magic to create RSA and/or ECDSA keys for Postfix 3
On Thu, Apr 28, 2016 at 07:44:53AM +0200, Danny wrote:
> Dear OpenSSL users,
>
> I've been trying to get an ECDSA certificate to work with a postfix
> installation lately.
> , however, it seems that when I try to use the aECDSA protocol with a
> client the server gives &q
Dear OpenSSL users,
I've been trying to get an ECDSA certificate to work with a postfix
installation lately.
, however, it seems that when I try to use the aECDSA protocol with a
client the server gives "no shared cipher" errors.
I had created the certificate like the following:
> From: openssl-users On Behalf Of Rajeswari K
> Sent: Monday, February 02, 2015 22:17
> Thanks for responding. Following is the output printed by openssl
> ./openssl req -in csr.csr -noout -text
>Subject Public Key Info:
>Public Key Algorithm: id-ecPublicKey
>
t; > Have updated with temporary ECDH callback during SSL Server
> initialization.
>
> > ECDSA certificate is being signed using openssl commands.
>
> How was the keypair and CSR generated? In particular, check the
> publickey in the CSR, and thus in the cert, has the curve encod
t hello C
> *Feb 2 01:00:47.894: 3854049196:error:1408A0C1:SSL routines:
> SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:1381:
> Have updated with temporary ECDH callback during SSL Server initialization.
> ECDSA certificate is being signed using openssl commands.
How was the key
in SSLv3 read client hello C
*Feb 2 01:00:47.894: 3854049196:error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:1381:
Have updated with temporary ECDH callback during SSL Server initialization.
ECDSA certificate is being signed using openssl commands.
Am not seeing
> and how do I generate an ECDSA certificate?
To generate a selfsigned ECDSA cert the same ways you do RSA,
except use EC instead of RSA.
- use req -new with EC key or -newkey with EC parms and -x509
to generate selfsigned cert directly.
- use req -new with key or -newkey to generate
and how do I generate an ECDSA certificate?
On 10.08.2014 14:12, Dave Thompson wrote:
Both of those are using an RSA certificate; DHE or ECDHE is
key-exchange only
not authentication. However the servers must configure **parameters** for
"temp DH" and "temp ECDH" r
ves this meant
the Certicom patents, although I don't think they ever confirmed it.
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Walter H.
Sent: Sunday, August 10, 2014 02:39
To: openssl-users@openssl.org
Cc: Dr. Stephen Henson
Subject:
;t include an ECDSA certificate.
can you please give an example of an ECDSA certificate, Thanks
I'm asking this, because
one Web-Server connects with
|SSL_CIPHER=ECDHE-RSA-AES256-GCM-SHA384
and one with
||SSL_CIPHER=DHE-RSA-AES256-GCM-SHA384|
both with the same client;
and both Web-Serve
On Tue, Mar 4, 2014 at 3:26 PM, Dr. Stephen Henson wrote:
> On Tue, Mar 04, 2014, Jeffrey Walton wrote:
>
>> On Tue, Mar 4, 2014 at 2:25 PM, Dr. Stephen Henson wrote:
>> ...
>> >
>> int nid = ...
>> EC_KEY* key = EC_KEY_new_by_curve_name(nid);
>> int rc = EC_KEY_generate_key(key);
>>
>> E
On Tue, Mar 4, 2014 at 3:26 PM, Dr. Stephen Henson wrote:
> On Tue, Mar 04, 2014, Jeffrey Walton wrote:
>
>> On Tue, Mar 4, 2014 at 2:25 PM, Dr. Stephen Henson wrote:
>> ...
>> > It is stored in the private key when the key is generated. How did you
>> > generate it?
>> >
>> int nid = ...
>>
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
> us...@openssl.org] On Behalf Of Jeffrey Walton
> Sent: Tuesday, 04 March, 2014 13:43
>
> On Tue, Mar 4, 2014 at 1:33 PM, Viktor Dukhovni
> wrote:
> >
> > The wireshark gui decodes SSL handshakes everywhere I've tried it,
> > but you
On Tue, Mar 04, 2014, Jeffrey Walton wrote:
> On Tue, Mar 4, 2014 at 2:25 PM, Dr. Stephen Henson wrote:
> > On Tue, Mar 04, 2014, Jeffrey Walton wrote:
> >
> >> If that's the case, then that's probably it. Below is a sample.
> >>
> >> I've been using PEM_write_PKCS8PrivateKey and PEM_write_X509.
On Tue, Mar 4, 2014 at 2:25 PM, Dr. Stephen Henson wrote:
> On Tue, Mar 04, 2014, Jeffrey Walton wrote:
>
>> If that's the case, then that's probably it. Below is a sample.
>>
>> I've been using PEM_write_PKCS8PrivateKey and PEM_write_X509. What
>> does one use to write the named curve?
>>
>
> It
On Tue, Mar 04, 2014, Jeffrey Walton wrote:
> If that's the case, then that's probably it. Below is a sample.
>
> I've been using PEM_write_PKCS8PrivateKey and PEM_write_X509. What
> does one use to write the named curve?
>
It is stored in the private key when the key is generated. How did you
On Tue, Mar 4, 2014 at 2:00 PM, Dave Thompson wrote:
>> From: owner-openssl-us...@openssl.org On Behalf Of Jeffrey Walton
>> Sent: Tuesday, March 04, 2014 12:34
>> ...
>
> but that reminds me: does your ECDSA cert have the publickey in
> named=OID format, NOT explicit (prime + coefficients + poin
On Tue, Mar 4, 2014 at 6:35 AM, Jeffrey Walton wrote:
> I've got a server that can't negotiate a cipher suite with a client
> when using ECDSA certificates. When using ECDSA, the server reports
> 0x1408a0c1 (no shared cipher).
>
> The same server can consume RSA and DSA certificates. (In fact, all
> From: owner-openssl-us...@openssl.org On Behalf Of Jeffrey Walton
> Sent: Tuesday, March 04, 2014 12:34
> The Wireshark trace is useless (to me) because its only displaying TCP
> traffic (and not breaking out the SSL/TLS protocol). I can't break the
> bits out in my head.
>
right-click one of
On Tue, Mar 4, 2014 at 1:33 PM, Viktor Dukhovni
wrote:
> On Tue, Mar 04, 2014 at 12:34:22PM -0500, Jeffrey Walton wrote:
>
>> > I'm setting up Wireshark now on another machine to get the trace.
>>
>> The Wireshark trace is useless (to me) because its only displaying TCP
>> traffic (and not breakin
On Tue, Mar 4, 2014 at 12:34 PM, Jeffrey Walton wrote:
> On Tue, Mar 4, 2014 at 11:41 AM, Jeffrey Walton wrote:
>> On Tue, Mar 4, 2014 at 11:19 AM, Dr. Stephen Henson
>> wrote:
>>> ...
>>
>> I'm setting up Wireshark now on another machine to get the trace.
> The Wireshark trace is useless (to m
On Tue, Mar 4, 2014 at 1:28 PM, Viktor Dukhovni
wrote:
> On Tue, Mar 04, 2014 at 11:59:42AM -0500, Jeffrey Walton wrote:
>
>> > Perhaps the server's EC private key is not being set correctly, so it
>> > can't use the certificate.
>> Is there a way to test this?
>
> Usually, after setting a key and
On Tue, Mar 04, 2014 at 12:34:22PM -0500, Jeffrey Walton wrote:
> > I'm setting up Wireshark now on another machine to get the trace.
>
> The Wireshark trace is useless (to me) because its only displaying TCP
> traffic (and not breaking out the SSL/TLS protocol). I can't break the
> bits out in my
On Tue, Mar 04, 2014 at 11:59:42AM -0500, Jeffrey Walton wrote:
> > Perhaps the server's EC private key is not being set correctly, so it
> > can't use the certificate.
> Is there a way to test this?
Usually, after setting a key and a certificate chain, one calls
SSL_CTX_check_private_key(ct
On Tue, Mar 04, 2014, Jeffrey Walton wrote:
> On Tue, Mar 4, 2014 at 11:41 AM, Jeffrey Walton wrote:
> > On Tue, Mar 4, 2014 at 11:19 AM, Dr. Stephen Henson
> > wrote:
> >> ...
> >
> > I'm setting up Wireshark now on another machine to get the trace.
> The Wireshark trace is useless (to me) bec
On Tue, Mar 4, 2014 at 11:41 AM, Jeffrey Walton wrote:
> On Tue, Mar 4, 2014 at 11:19 AM, Dr. Stephen Henson wrote:
>> ...
>
> I'm setting up Wireshark now on another machine to get the trace.
The Wireshark trace is useless (to me) because its only displaying TCP
traffic (and not breaking out the
On Tue, Mar 4, 2014 at 11:46 AM, Dr. Stephen Henson wrote:
> On Tue, Mar 04, 2014, Jeffrey Walton wrote:
>
>> On Tue, Mar 4, 2014 at 11:19 AM, Dr. Stephen Henson
>> wrote:
>> > On Tue, Mar 04, 2014, Jeffrey Walton wrote:
>> >
>> >> On Tue, Mar 4, 2014 at 9:02 AM, Viktor Dukhovni
>> >> wrote:
>>
On Tue, Mar 4, 2014 at 11:51 AM, Viktor Dukhovni
wrote:
> On Tue, Mar 04, 2014 at 05:46:45PM +0100, Dr. Stephen Henson wrote:
>
>> > NistCurveToNidByBits(256) returns NID_X9_62_prime256v1. I also tried
>> > returning NID_secp256k1 with the same result.
>> >
>> > I'm setting up Wireshark now on ano
On Tue, Mar 4, 2014 at 11:46 AM, Dr. Stephen Henson wrote:
> On Tue, Mar 04, 2014, Jeffrey Walton wrote:
>
>> On Tue, Mar 4, 2014 at 11:19 AM, Dr. Stephen Henson
>> wrote:
>> > On Tue, Mar 04, 2014, Jeffrey Walton wrote:
>> >
>> >> On Tue, Mar 4, 2014 at 9:02 AM, Viktor Dukhovni
>> >> wrote:
>>
On Tue, Mar 04, 2014 at 05:46:45PM +0100, Dr. Stephen Henson wrote:
> > NistCurveToNidByBits(256) returns NID_X9_62_prime256v1. I also tried
> > returning NID_secp256k1 with the same result.
> >
> > I'm setting up Wireshark now on another machine to get the trace.
> >
>
> Can you check to see i
On Tue, Mar 04, 2014, Jeffrey Walton wrote:
> On Tue, Mar 4, 2014 at 11:19 AM, Dr. Stephen Henson wrote:
> > On Tue, Mar 04, 2014, Jeffrey Walton wrote:
> >
> >> On Tue, Mar 4, 2014 at 9:02 AM, Viktor Dukhovni
> >> wrote:
> >> > On Tue, Mar 04, 2014 at 06:35:13AM -0500, Jeffrey Walton wrote:
> >
On Tue, Mar 4, 2014 at 11:19 AM, Dr. Stephen Henson wrote:
> On Tue, Mar 04, 2014, Jeffrey Walton wrote:
>
>> On Tue, Mar 4, 2014 at 9:02 AM, Viktor Dukhovni
>> wrote:
>> > On Tue, Mar 04, 2014 at 06:35:13AM -0500, Jeffrey Walton wrote:
>> >
>> >> I've got a server that can't negotiate a cipher s
On Tue, Mar 04, 2014, Jeffrey Walton wrote:
> On Tue, Mar 4, 2014 at 9:02 AM, Viktor Dukhovni
> wrote:
> > On Tue, Mar 04, 2014 at 06:35:13AM -0500, Jeffrey Walton wrote:
> >
> >> I've got a server that can't negotiate a cipher suite with a client
> >> when using ECDSA certificates. When using EC
On Tue, Mar 04, 2014 at 10:03:54AM -0500, Jeffrey Walton wrote:
> > What is in the (non-extended) keyUsage extension of the certificate?
> > IIRC with EC, if the keyUsage extension is present, the certificate
> > needs to be marked usable for keyAgreement. From ssl/ssl_lib.c:
> >
> >
On Tue, Mar 4, 2014 at 10:03 AM, Jeffrey Walton wrote:
> On Tue, Mar 4, 2014 at 9:02 AM, Viktor Dukhovni
> wrote:
>> On Tue, Mar 04, 2014 at 06:35:13AM -0500, Jeffrey Walton wrote:
>>...
>> What is in the (non-extended) keyUsage extension of the certificate?
>> IIRC with EC, if the keyUsage exten
On Tue, Mar 4, 2014 at 9:02 AM, Viktor Dukhovni
wrote:
> On Tue, Mar 04, 2014 at 06:35:13AM -0500, Jeffrey Walton wrote:
>
>> I've got a server that can't negotiate a cipher suite with a client
>> when using ECDSA certificates. When using ECDSA, the server reports
>> 0x1408a0c1 (no shared cipher).
On Tue, Mar 04, 2014, Viktor Dukhovni wrote:
> On Tue, Mar 04, 2014 at 06:35:13AM -0500, Jeffrey Walton wrote:
>
> > I've got a server that can't negotiate a cipher suite with a client
> > when using ECDSA certificates. When using ECDSA, the server reports
> > 0x1408a0c1 (no shared cipher).
>
>
On Tue, Mar 04, 2014 at 06:35:13AM -0500, Jeffrey Walton wrote:
> I've got a server that can't negotiate a cipher suite with a client
> when using ECDSA certificates. When using ECDSA, the server reports
> 0x1408a0c1 (no shared cipher).
Did you configure an EECDH (aka ECDHE) curve? With OpenSSL
I've got a server that can't negotiate a cipher suite with a client
when using ECDSA certificates. When using ECDSA, the server reports
0x1408a0c1 (no shared cipher).
The same server can consume RSA and DSA certificates. (In fact, all
the public key and certificate routines are generic and only di
On Fri, Feb 26, 2010, Alexei Soloview wrote:
> Hello!
>
>
>
> I try to check signature on PKCS7-structure(see attached file pkcs7.bin).
>
> The following sequence of commands is performed:
>
> openssl pkcs7 -in pkcs7.bin -inform DER -outform PEM -out pkcs7.PEM
>
> openssl smime -verify -in
Hello!
I try to check signature on PKCS7-structure(see attached file pkcs7.bin).
The following sequence of commands is performed:
openssl pkcs7 -in pkcs7.bin -inform DER -outform PEM -out pkcs7.PEM
openssl smime -verify -in pkcs7.PEM -inform pem -noverify 1>pkcs7.data
Verification failur
Hi ,I was looking for a client which can support my https server which uses ECDSA. I have looked into http://dev.experimentalstuff.com:8082/mozilla/index.html
but the link to download the binaries are down. If anyone can provide me a browser with that cipher suite supported so that a handshake wit
[EMAIL PROTECTED] wrote:
Hi Nils,
Appreciate your kind help.
I just want to generate the ECC certificate in command line, use it for a web server.
use apps/ecparam.c to create a private ec key or just ec parameters
(see ecparam manpage [1]) and then use this key/params in "openssl req
-newke
AIL PROTECTED]>
To: [EMAIL PROTECTED]
Sent: Thu, 16 Dec 2004 11:32:26 +0100
Subject: Re: How to generate ECDSA certificate in OPenssl
> [EMAIL PROTECTED] wrote:
> >Hi,
> >
> > I want to try generate ECDSA certificate and set up ECDH in key agreement,
> > usin
[EMAIL PROTECTED] wrote:
Hi,
I want to try generate ECDSA certificate and set up ECDH in key agreement,
using Openssl.
command line or c code ? note: to be honest I'm not sure
in how far the current openssl ecc tls implementation is
complying with the latest ecc tls draft.
1.
Hi,
I want to try generate ECDSA certificate and set up ECDH in key agreement,
using Openssl.
1. Which version of OPenssl should I install?
2. Where can I get the document or examples?
Hung-Yu Chien
55 matches
Mail list logo