PBKDF2 & HMAC-SHA1-128 Functions

2022-10-12 Thread John Deer via openssl-users
What OpenSSL functions to use in "Visual Studio 2022" to create a C++ program:: PSK = PBKDF2(Passphrase, SSID, 4096) PMK = PBKDF2(HMAC−SHA1, PSK, SSID, 4096, 256) PMKID = HMAC-SHA1-128(PMK,"PMK Name" | MAC_AP | MAC_STA) Sample test data for PSK (Pre-Shared Key) Network

Re: SHA1 Hashing in FIPS Provider

2022-02-11 Thread Tomas Mraz
On Fri, 2022-02-11 at 08:35 +, Kevin Millson wrote: > Hello OpenSSL Users, >   > I’m trying to use SHA1 message digest hashing in combination with the > FIPS provider, but seem to be running into issues. My code looks like > the following: >   > EVP_PKEY* priva

SHA1 Hashing in FIPS Provider

2022-02-11 Thread Kevin Millson
Hello OpenSSL Users, I’m trying to use SHA1 message digest hashing in combination with the FIPS provider, but seem to be running into issues. My code looks like the following: EVP_PKEY* privateKey = getPrivateKey(); EVP_MD_CTX* mdContex = EVP_MD_CTX_new(); if (mdContex != NULL) { const

Re: Query regarding adding support aes-cbc-hmac-sha1 on non x86 platform through engine

2020-01-14 Thread Matt Caswell
> > Thanks in advance. > > Regards > Phani > > On Mon, Jan 13, 2020 at 5:53 PM Matt Caswell <mailto:m...@openssl.org>> wrote: > > > > On 13/01/2020 06:20, Phani 2004 wrote: > > Hi Team, > > > > I am trying to add support

Re: Query regarding adding support aes-cbc-hmac-sha1 on non x86 platform through engine

2020-01-13 Thread Phani 2004
hardware engine for aes-cbc-hmac-sha1. > > I have observed that currently aes-cbc-hmac-sha1 is supported only for > > x86 architecture. > > "EVP_aes_128_cbc_hmac_sha1" api returns NULL for non-x86 platforms. The > > openssl speed app calls the "EVP_get_cipherby

Re: Query regarding adding support aes-cbc-hmac-sha1 on non x86 platform through engine

2020-01-13 Thread Matt Caswell
On 13/01/2020 06:20, Phani 2004 wrote: > Hi Team, > > I am trying to add support on an hardware engine for aes-cbc-hmac-sha1. > I have observed that currently aes-cbc-hmac-sha1 is supported only for > x86 architecture.  > "EVP_aes_128_cbc_hmac_sha1" api returns NUL

Query regarding adding support aes-cbc-hmac-sha1 on non x86 platform through engine

2020-01-12 Thread Phani 2004
Hi Team, I am trying to add support on an hardware engine for aes-cbc-hmac-sha1. I have observed that currently aes-cbc-hmac-sha1 is supported only for x86 architecture. "EVP_aes_128_cbc_hmac_sha1" api returns NULL for non-x86 platforms. The openssl speed app calls the "EVP_get_cip

Re: Stitched aes-128 and hmac-sha1 (encrypt-then-mac)

2019-11-01 Thread pablo platt
e a large impact. > > > > Is it planned to add aes-128-hmac-sha1 encrypt-then-mac? > > There are no current plans. You might investigate the impact of using > AEAD ciphers instead. > > Matt > > > > > On Fri, Nov 1, 2019 at 1:32 PM Matt Caswell

Re: Stitched aes-128 and hmac-sha1 (encrypt-then-mac)

2019-11-01 Thread Matt Caswell
> Is it planned to add aes-128-hmac-sha1 encrypt-then-mac? There are no current plans. You might investigate the impact of using AEAD ciphers instead. Matt > > On Fri, Nov 1, 2019 at 1:32 PM Matt Caswell <mailto:m...@openssl.org>> wrote: > > > >

Re: Stitched aes-128 and hmac-sha1 (encrypt-then-mac)

2019-11-01 Thread pablo platt
Thank you for the explanation. The use case is a WebRTC server (SFU) that encrypts and authenticate SRTP packets. Encryption is a major part of CPU load on SFU servers. Reducing it by 50% will have a large impact. Is it planned to add aes-128-hmac-sha1 encrypt-then-mac? On Fri, Nov 1, 2019 at 1

Re: Stitched aes-128 and hmac-sha1 (encrypt-then-mac)

2019-11-01 Thread Matt Caswell
On 01/11/2019 07:56, pablo platt wrote: > Hi, > > Stitching aes-cbc with sha1 can result with x2 performance [1]. > Is there support for stitched aes-128-hmac-sha1 encrypt-then-mac? This > issue [2] says that only mac-then-encrypt is supported in OpenSSL. The issue is correct

Stitched aes-128 and hmac-sha1 (encrypt-then-mac)

2019-11-01 Thread pablo platt
Hi, Stitching aes-cbc with sha1 can result with x2 performance [1]. Is there support for stitched aes-128-hmac-sha1 encrypt-then-mac? This issue [2] says that only mac-then-encrypt is supported in OpenSSL. Does this implement mac-then-encrypt and relevant [3]? Is it possible to use the same code

Re: [openssl-users] Use of SEED_ofb128_encrypt in SHA1 calculations

2018-11-16 Thread Paulo Matos via openssl-users
Apologies for my mistake. I think I was profiling the whole CPU instead of just my process. Please disregard. Paulo Matos On 16/11/2018 09:08, Paulo Matos via openssl-users wrote: > Hi, > > I have a program where I am doing millions of calculations of SHA1 per > second. This is

[openssl-users] Use of SEED_ofb128_encrypt in SHA1 calculations

2018-11-16 Thread Paulo Matos via openssl-users
Hi, I have a program where I am doing millions of calculations of SHA1 per second. This is a tight loop with call to SHA1_Init, SHA1_Update and SHA1_Final. Interestingly when I profile with gperf and visualize with pprof, I see 64.8% of the time spent in SEED_ofb128_encrypt. I can't se

Re: [openssl-users] Why is this OCSP response reporting a hash using SHA1?

2017-09-12 Thread Jakob Bohm
On 12/09/2017 15:56, Robert Moskowitz wrote: On 09/12/2017 09:38 AM, Robert Moskowitz wrote: On 09/12/2017 09:09 AM, Dr. Stephen Henson wrote: On Mon, Sep 11, 2017, Robert Moskowitz wrote: I would actually really like to have a SIMPLE OCSP responder.  But so far have not found one.  freeI

Re: [openssl-users] Why is this OCSP response reporting a hash using SHA1?

2017-09-12 Thread Robert Moskowitz
On 09/12/2017 09:38 AM, Robert Moskowitz wrote: On 09/12/2017 09:09 AM, Dr. Stephen Henson wrote: On Mon, Sep 11, 2017, Robert Moskowitz wrote: I would actually really like to have a SIMPLE OCSP responder. But so far have not found one. freeIPA has one buried within it, but that is too d

Re: [openssl-users] Why is this OCSP response reporting a hash using SHA1?

2017-09-12 Thread Robert Moskowitz
On 09/12/2017 09:09 AM, Dr. Stephen Henson wrote: On Mon, Sep 11, 2017, Robert Moskowitz wrote: I would actually really like to have a SIMPLE OCSP responder. But so far have not found one. freeIPA has one buried within it, but that is too disruptive to install unless you buy into freeIPA.

Re: [openssl-users] Why is this OCSP response reporting a hash using SHA1?

2017-09-12 Thread Dr. Stephen Henson
On Mon, Sep 11, 2017, Robert Moskowitz wrote: > > I would actually really like to have a SIMPLE OCSP responder. But > so far have not found one. freeIPA has one buried within it, but > that is too disruptive to install unless you buy into freeIPA. > Well the OpenSSL ocsp respoder isn't much u

Re: [openssl-users] Why is this OCSP response reporting a hash using SHA1?

2017-09-11 Thread Robert Moskowitz
On 09/11/2017 12:23 PM, Salz, Rich via openssl-users wrote: Ah, put -sha256 in the CLIENT request. Seems kind of backward. Or at least the server should have some control over the hash used? Well, it is the client that is making the request, so therefore the client n

Re: [openssl-users] Why is this OCSP response reporting a hash using SHA1?

2017-09-11 Thread Salz, Rich via openssl-users
Ah, put -sha256 in the CLIENT request. Seems kind of backward. Or at least the server should have some control over the hash used? Well, it is the client that is making the request, so therefore the client needs to hash the cert information. A production-quality OCSP respo

Re: [openssl-users] Why is this OCSP response reporting a hash using SHA1?

2017-09-11 Thread Robert Moskowitz
\ -rsigner certs/$ocspurl.cert.pem \ -nrequest 1 What is the SHA1 hash report about? It comes right after the line: Certificate ID: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: CA1F5832FA387F0127D8E0583F7331D1B903DBF0 Issuer Key Hash

Re: [openssl-users] Why is this OCSP response reporting a hash using SHA1?

2017-09-08 Thread Dr. Stephen Henson
rts/$ocspurl.cert.pem \ > -nrequest 1 > > > What is the SHA1 hash report about? It comes right after the line: > Certificate ID: > > Certificate ID: > Hash Algorithm: sha1 > Issuer Name Hash: CA1F5832FA387F0127D8E0583F7331D1B903DBF0 > Issuer

[openssl-users] Why is this OCSP response reporting a hash using SHA1?

2017-09-08 Thread Robert Moskowitz
I am using the test responder: openssl ocsp -port 2560 -text -rmd sha256\ -index index.txt \ -CA certs/ca-chain.cert.pem \ -rkey private/$ocspurl.key.pem \ -rsigner certs/$ocspurl.cert.pem \ -nrequest 1 What is the SHA1 hash report about? It

Re: [openssl-users] SMIME signing with SHA1

2016-11-22 Thread Harald Koch
Hello, > On 22.11.2016 at 23:25, Dr. Stephen Henson wrote: > > On Tue, Nov 22, 2016, Harald Koch wrote: > >> Hello, >> >> I’m facing a critical situation in my application when creating a signed >> SMIME message using SHA1 as message digest algorith

Re: [openssl-users] SMIME signing with SHA1

2016-11-22 Thread Dr. Stephen Henson
On Tue, Nov 22, 2016, Harald Koch wrote: > Hello, > > I’m facing a critical situation in my application when creating a signed > SMIME message using SHA1 as message digest algorithm. In openSSL 1.0.2 (i.e. > 1.0.2h), the following command worked as expected: > > /o

[openssl-users] SMIME signing with SHA1

2016-11-22 Thread Harald Koch
Hello, I’m facing a critical situation in my application when creating a signed SMIME message using SHA1 as message digest algorithm. In openSSL 1.0.2 (i.e. 1.0.2h), the following command worked as expected: /opt/openssl-1.0.2h/bin/openssl smime -sign -in original_message -signer cert_key.pem

Re: [openssl-users] Verifying RSA-SHA1 signature?

2016-09-13 Thread Nikolay Kudryavtsev
Ok, thanks the help. Extracting the digest didn't work for me. But I was finally able to contact a member of that third party who had the knowledge of the procedure they use. So after some basic questions, I've asked that person "sure you sign that data with that key you sent us"? The answer

Re: [openssl-users] Verifying RSA-SHA1 signature?

2016-09-12 Thread Dr. Stephen Henson
On Mon, Sep 12, 2016, Nikolay Kudryavtsev wrote: > > Whenever I try to verify data signed with my own key, everything > works. But for that data that I got from a third party nothing > works. That third party is adamant that the signature is correct and > it's RSA_SHA1, but they've been unwilling

Re: [openssl-users] Verifying RSA-SHA1 signature?

2016-09-12 Thread Viktor Dukhovni
> On Sep 12, 2016, at 1:26 PM, Nikolay Kudryavtsev > wrote: > > The canonical representation is just a single string of data. I've tried > asking that third party whether they have any line endings at the end when > they sign it, but received no usable answer. So the most probable is no line

Re: [openssl-users] Verifying RSA-SHA1 signature?

2016-09-12 Thread Nikolay Kudryavtsev
Good question! The canonical representation is just a single string of data. I've tried asking that third party whether they have any line endings at the end when they sign it, but received no usable answer. So the most probable is no line endings. I've tried all 3 options, gonna try again jus

Re: [openssl-users] Verifying RSA-SHA1 signature?

2016-09-12 Thread Viktor Dukhovni
> On Sep 12, 2016, at 1:07 PM, Nikolay Kudryavtsev > wrote: > > The signature is base64 encoded, so first I do: > openssl enc -d -A -base64 -in signature.txt -out signature.sha1 > Then I do: > openssl dgst -verify pubkey.pem -signature signature.sha1 datafile.txt >

[openssl-users] Verifying RSA-SHA1 signature?

2016-09-12 Thread Nikolay Kudryavtsev
I have some data that was signed with RSA-SHA1 <https://www.w3.org/PICS/DSig/RSA-SHA1_1_0.html>. What's the proper way of verifying that data with a signature? The signature is base64 encoded, so first I do: openssl enc -d -A -base64 -in signature.txt -out signature.sha1 Then I

[openssl-users] openssl-1.1.0 sha1 performance

2016-04-11 Thread c^
Afternoon, I have been running some speed tests of openssl 1.0.1, 1.0.2 and 1.1.0 versions against various compiler optimisations. Special interest was given to the more commonly used primitives, rsa's, aes's etc. I noticed that SHA1's have some significant performance improvemen

Re: [openssl-users] [openssl-dev] Low level API call to digest SHA1 forbidden in FIPS mode - within openssl code

2016-03-26 Thread Dr. Stephen Henson
On Sat, Mar 26, 2016, Glen Matthews wrote: > No, nothing unusual. Is there anything from the build process that would be > useful in demonstrating this yes or no? I'm not the person responsible for > the build process but I'm pretty sure it was followed to the letter - however > I'll check on t

Re: [openssl-users] [openssl-dev] Low level API call to digest SHA1 forbidden in FIPS mode - within openssl code

2016-03-26 Thread Glen Matthews
No, nothing unusual. Is there anything from the build process that would be useful in demonstrating this yes or no? I'm not the person responsible for the build process but I'm pretty sure it was followed to the letter - however I'll check on that. Certainly no engines I can check back in the d

Re: [openssl-users] [openssl-dev] Low level API call to digest SHA1 forbidden in FIPS mode - within openssl code

2016-03-26 Thread Dr. Stephen Henson
On Thu, Mar 24, 2016, Glen Matthews wrote: > Hi > > Yes it's a standard build. FIPS 2.0 with openssl 1.0.2g - I took a dump when > the dialog box was displayed, and that's how I got the call stack. > > if (x->ex_flags & EXFLAG_SET) > return; > #ifndef OPENSSL_NO_SHA > X509_dige

Re: [openssl-users] [openssl-dev] Low level API call to digest SHA1 forbidden in FIPS mode - within openssl code

2016-03-24 Thread Glen Matthews
users] [openssl-dev] Low level API call to digest SHA1 forbidden in FIPS mode - within openssl code Hi Yes it's a standard build. FIPS 2.0 with openssl 1.0.2g - I took a dump when the dialog box was displayed, and that's how I got the call stack. if (x->ex_flags & EXF

Re: [openssl-users] [openssl-dev] Low level API call to digest SHA1 forbidden in FIPS mode - within openssl code

2016-03-24 Thread Glen Matthews
: Thursday, March 24, 2016 1:36 PM To: openssl-users@openssl.org Subject: Re: [openssl-users] [openssl-dev] Low level API call to digest SHA1 forbidden in FIPS mode - within openssl code On Wed, Mar 23, 2016, Glen Matthews wrote: > Hi > > Right, sorry about the wrong posting - and thanks

Re: [openssl-users] [openssl-dev] Low level API call to digest SHA1 forbidden in FIPS mode - within openssl code

2016-03-24 Thread Dr. Stephen Henson
is this: > > if (x->ex_flags & EXFLAG_SET) > return; > #ifndef OPENSSL_NO_SHA > X509_digest(x, EVP_sha1(), x->sha1_hash, NULL); > #endif > > We haven't disabled SHA1 because we need it for our ssh implementation. From > what I've been

Re: [openssl-users] [openssl-dev] Low level API call to digest SHA1 forbidden in FIPS mode - within openssl code

2016-03-23 Thread Glen Matthews
_NO_SHA X509_digest(x, EVP_sha1(), x->sha1_hash, NULL); #endif We haven't disabled SHA1 because we need it for our ssh implementation. From what I've been reading, the code should not be calling with EVP_sha1(). glen From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of

Re: [openssl-users] [openssl-dev] Low level API call to digest SHA1 forbidden in FIPS mode - within openssl code

2016-03-23 Thread Jeremy Farrell
ocl.h(128): OpenSSL internal error, assertion failed: Low level API call to digest SHA1 forbidden in FIPS mode! I notice the assertion message mentions a header from what looks like a 1.0.2f tree, but the references below are all to a 1.0.2g tree. I've no idea if this is relevant to the pr

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-19 Thread Steve Marquess
On 03/15/2016 08:38 PM, Satya Das wrote: > Steve, > > How does one get a hold of the embedded signature in libcrypto.so ? I assume you're referring to the known-good FIPS 140-2 integrity check digest that is used for the runtime integrity check in the POST. Several people have already tried to

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-15 Thread Mike Mohr
signature in libcrypto.so ? > > Thanks > > -Original Message- > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > Of Steve Marquess > Sent: Tuesday, March 15, 2016 3:54 PM > To: openssl-users@openssl.org > Subject: Re: [openssl-users] Verifying

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-15 Thread Satya Das
-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so On 03/15/2016 05:24 PM, Satya Das wrote: > Hello Steve, > > Even if a vendor letter is good for CMVP, how is the vendor supposed > to know ? Ummm, because the vendor is the one who created the validated

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-15 Thread Jeremy Farrell
On 15/03/2016 21:24, Satya Das wrote: Even if a vendor letter is good for CMVP, how is the vendor supposed to know ? By remembering whether or not he followed the required procedure; it's the only way for him to know. I would say openssl should give such a tool so that vendor and the testin

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-15 Thread Steve Marquess
On 03/15/2016 04:58 PM, Mike Mohr wrote: > During the linking process, parts of fipscanister.o are removed > (discarded) by the linker. Also, jumps and call instructions have their > operands changed (addresses are filled in or relocation information is > added) and the machine code is fundamentall

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-15 Thread Steve Marquess
On 03/15/2016 05:24 PM, Satya Das wrote: > Hello Steve, > > Even if a vendor letter is good for CMVP, how is the vendor supposed > to know ? Ummm, because the vendor is the one who created the validated module. Only that vendor can know for sure how the module was created, because the FIPS 140-2

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-15 Thread Satya Das
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Steve Marquess Sent: Tuesday, March 15, 2016 12:30 PM To: openssl-users@openssl.org Subject: Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so In a word, no. In principle a ut

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-15 Thread Mike Mohr
e a post build manual check before using the openssl rpm in rest of > the product. > > Thanks > > > From: openssl-users on behalf of > Steve Marquess > Sent: Tuesday, March 15, 2016 6:02 AM > To: openssl-users@openssl.org

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-15 Thread Steve Marquess
On 03/15/2016 02:22 PM, Satya Das wrote: > Hello Steve, > > Thank you for your comments. > > Is there a way to verify that the correct version of object module > (fipscanister.o) was assimilated into the libcrypto.so ? > I just need some surefire way to run an engineering check on the build. >

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-15 Thread Satya Das
: openssl-users on behalf of Steve Marquess Sent: Tuesday, March 15, 2016 6:02 AM To: openssl-users@openssl.org Subject: Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so On 03/14/2016 08:30 PM, Satya Das wrote: > Hello, > > > > I have a

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-15 Thread Steve Marquess
On 03/14/2016 08:30 PM, Satya Das wrote: > Hello, > > > > I have a simple problem I am trying to solve. I have built a fips > capable openssl shared object (.so). I also have the sha1 hash of the > fipscanister.o in a file called fipscanister.o.sha1. I also ha

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-15 Thread Satya Das
generate the embedded sha1 sum from a given fipscanister.o (or other artefacts from object module build process) ? Also how do I locate the embedded sha1 in so ? Is it a symbol I should look for in gdb ? Thanks. From: openssl-users on behalf of Jakob Bohm

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-14 Thread Jakob Bohm
Let me explain this a bit more clearly: The fipscanister.o file (like any other .o file) contains two things: 1. The actual code and constant data (if any) that needs to go in the final .so or program file. This is what will eventually be hashed to produce the embedded sha1 check. 2

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-14 Thread Mike Mohr
sity Press. On Mon, Mar 14, 2016 at 9:26 PM, Satya Das wrote: > Hello Ethan, > > I am tweaking the centos rpmspec to use my fips object module. That seems > to be downloading source tar ball, patching etc. > > Please note that the sha1 of the so is not so interesting as the embe

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-14 Thread Satya Das
Hello Ethan, I am tweaking the centos rpmspec to use my fips object module. That seems to be downloading source tar ball, patching etc. Please note that the sha1 of the so is not so interesting as the embedded sha1 check inside so (when one calls FIPS_mode_set). Essentially if I can get the

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-14 Thread Ethan Rahn
> > I have a simple problem I am trying to solve. I have built a fips capable > openssl shared object (.so). I also have the sha1 hash of the > fipscanister.o in a file called fipscanister.o.sha1. I also have the sha1 > hash of fips_premain.c in a file called fips_premain.c.sha1. In

[openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-14 Thread Satya Das
Hello, I have a simple problem I am trying to solve. I have built a fips capable openssl shared object (.so). I also have the sha1 hash of the fipscanister.o in a file called fipscanister.o.sha1. I also have the sha1 hash of fips_premain.c in a file called fips_premain.c.sha1. In order to make

[openssl-users] HMAC-SHA1-96 in FIPS

2015-03-12 Thread Philip Bellino
Hello, I am using the Openssl-1.0.2 with openssl-fips-2.0.9 and have a question. In the FIPS-198-1 document, Chapter 5 discusses truncation with MACs. http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf I believe HMAC-SHA1-96 falls under this category, but I do not see its

RE: Why public key SHA1 is not same as Subject key Identifier

2014-11-05 Thread Salz, Rich
Right, that’s the main point. SKI is just an opaque identifier. It “used to” “mostly” be SHA1 of the key, but there was never any requirement that it MUST be so. -- Principal Security Engineer, Akamai Technologies IM: rs...@jabber.me<mailto:rs...@jabber.me> Twitter: RichSalz

Re: Why public key SHA1 is not same as Subject key Identifier

2014-11-05 Thread Jakob Bohm
On 05/11/2014 09:11, Jerry OELoo wrote: Hi All: As I know, When calculate Public key in certificate, it's SHA1 value is equal to Subject Key Identifier in certificate, and I verify this, and found that some websites are follow this. But when I go to www.google.com website, I find the

RE: Why public key SHA1 is not same as Subject key Identifier

2014-11-05 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Jerry OELoo > Sent: Wednesday, November 05, 2014 03:11 > But when I go to www.google.com website, I find the leaf certificate > and intermediate certificate is ok, but root CA certificate (GeoTrust > Global CA) is not. > Pub

Why public key SHA1 is not same as Subject key Identifier

2014-11-05 Thread Jerry OELoo
Hi All: As I know, When calculate Public key in certificate, it's SHA1 value is equal to Subject Key Identifier in certificate, and I verify this, and found that some websites are follow this. But when I go to www.google.com website, I find the leaf certificate and intermediate certificate

Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

2014-08-13 Thread Abdul Anshad
The official version of OpenSSL works fine when compiled against the upstream FIPS module. Yes, It's distribution specific and reverting the file fixed the issue. Thanks for your time. Regards, Abdul On 13-Aug-14 7:02 PM, Dr. Stephen Henson wrote: On Wed, Aug 13, 2014, Abdul Anshad wrote:

Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

2014-08-13 Thread Dr. Stephen Henson
On Wed, Aug 13, 2014, Abdul Anshad wrote: > I use the src rpm downloaded from > http://koji.fedoraproject.org/koji/buildinfo?buildID=551423 . > > Inquired about this issue with one of the package maintainers from > koji.fedoraproject.org and following was his comment. > > "Apparently the Known a

Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

2014-08-12 Thread Abdul Anshad
Aug 11 14:39:24.428656 2014] [ssl:emerg] [pid 380] SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931) [Mon Aug 11 14:39:24.428663 2014] [ssl:emerg] [pid 380] AH02312: Fatal error initialising mod_ssl, exiting. AH00016: Configuration Fai

Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

2014-08-12 Thread Dr. Stephen Henson
nature_test:test > failure (Type=RSA SHA1 X931) > [Mon Aug 11 14:39:24.428663 2014] [ssl:emerg] [pid 380] AH02312: > Fatal error initialising mod_ssl, exiting. > AH00016: Configuration Failed > > Could somebody help me out with this issue ? Thanks in advance. > Which vers

Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

2014-08-12 Thread Dr. Stephen Henson
On Tue, Aug 12, 2014, Thulasi Goriparthi wrote: > $ openssl genrsa 2048 > key.pem > $ openssl req -new -x509 -key key.pem -out cert.pem -sha256 > You also need to set the environment variable OPENSSL_FIPS=1 so the operations are performed in FIPS mode. Steve. -- Dr Stephen N. Henson. OpenSSL pr

Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

2014-08-12 Thread Jayadev Kumar
>> [Mon Aug 11 14:39:24.407781 2014] [suexec:notice] [pid 380] AH01232: >>> suEXEC >>> mechanism enabled (wrapper: /apps/apache/2.4.10/bin/suexec) >>> [Mon Aug 11 14:39:24.428616 2014] [ssl:emerg] [pid 380] AH01885: FIPS >>> mode >>> failed >>> [M

Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

2014-08-12 Thread Abdul Anshad
apache/2.4.10/bin/suexec) [Mon Aug 11 14:39:24.428616 2014] [ssl:emerg] [pid 380] AH01885: FIPS mode failed [Mon Aug 11 14:39:24.428656 2014] [ssl:emerg] [pid 380] SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931) [Mon Aug 11 14:39:2

Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

2014-08-11 Thread Viktor Dukhovni
On Tue, Aug 12, 2014 at 11:24:40AM +0530, Thulasi Goriparthi wrote: > $ openssl genrsa 2048 > key.pem Don't forget "umask 077" before that. Otherwise, the key file is often world-readable. With AFS, "fs setacl . ..." to restrict access to the containing directory. -- Viktor. _

Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

2014-08-11 Thread Thulasi Goriparthi
g 11 14:39:24.428616 2014] [ssl:emerg] [pid 380] AH01885: FIPS >>> mode >>> failed >>> [Mon Aug 11 14:39:24.428656 2014] [ssl:emerg] [pid 380] SSL Library >>> Error: >>> error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure >>> (Type=RSA >>> SHA1 X9

SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

2014-08-11 Thread Abdul Anshad
) [Mon Aug 11 14:39:24.428616 2014] [ssl:emerg] [pid 380] AH01885: FIPS mode failed [Mon Aug 11 14:39:24.428656 2014] [ssl:emerg] [pid 380] SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931) [Mon Aug 11 14:39:24.428663 2014] [ssl:emerg] [pid

Re: SHA1 signatures in FIPS mode w/ TLS 1.2

2014-07-16 Thread Dr. Stephen Henson
On Wed, Jul 16, 2014, Jason Schultz wrote: > According to this wiki page: > > http://wiki.openssl.org/index.php/FIPS_mode_and_TLS > > When in FIPS mode, SHA1 signatures can not be used when using the TLS 1.2 > protocol: "If that wasn't enough there's another

RE: SHA1 signatures in FIPS mode w/ TLS 1.2

2014-07-16 Thread Jason Schultz
Another follow up question. The Wiki page refers to FIPS 186-4. Are these restrictions only for FIPS 186-4, or FIPS 140-2 as well? From: jetso...@hotmail.com To: openssl-users@openssl.org Subject: SHA1 signatures in FIPS mode w/ TLS 1.2 Date: Wed, 16 Jul 2014 13:31:35 + According to this

SHA1 signatures in FIPS mode w/ TLS 1.2

2014-07-16 Thread Jason Schultz
According to this wiki page: http://wiki.openssl.org/index.php/FIPS_mode_and_TLS When in FIPS mode, SHA1 signatures can not be used when using the TLS 1.2 protocol: "If that wasn't enough there's another complication. For TLS v1.2 you have to restrict the supported signatur

Re: Trouble generating SHA1 HMAC

2014-07-14 Thread Steven Côté
> The command line is using salt as the HMAC key and "password" as the data to > be HMACed while your program has those reversed. Funny thing is, this is all part of trying to build a PBKDF2 implementation, but the way I read the RFC regarding the calculation of U_1, I was certain that the comma

Re: Trouble generating SHA1 HMAC

2014-07-14 Thread Dr. Stephen Henson
> explain to me why they're different. > > Attempt 1: Command Line > $ echo -n 'password' | openssl dgst -sha1 -mac HMAC -macopt > hexkey:73616c740001 > (stdin)= 110e10a574ba31387e22a939db0c580f94822262 > > This is wrong. > > Attempt 2: C Program >

Trouble generating SHA1 HMAC

2014-07-14 Thread Steven Côté
mmand Line $ echo -n 'password' | openssl dgst -sha1 -mac HMAC -macopt hexkey:73616c740001 (stdin)= 110e10a574ba31387e22a939db0c580f94822262 This is wrong. Attempt 2: C Program #include #include #include int main(void) { char pass[8]; unsigned char salt[8]; unsigned char pbDK[20]; i

RE: openssl 1.0.1g MD5 and SHA1 mismatch

2014-04-28 Thread mclellan, dave
Mea Culpa. I had a bad 1.0.1g gzip file. Having found the right gzip file, both MD5 and SHA1 match now. For those who answered off-list, thanks very much. +-+-+-+-+-+-+-+-+- Dave McLellan, VMAX Software Engineering, EMC Corporation, 176 South St. Mail Stop 176-V1 1/P-36, Hopkinton, MA 01749

openssl 1.0.1g MD5 and SHA1 mismatch

2014-04-28 Thread mclellan, dave
I searched the archives (having recalled something about this over the last three weeks) but found no specific answer. After download of the .gz file for OpenSSL 1.0.g and the MD5 and SHA1 files, I have found that the actual MD5 over the .gz doesn't match the downloaded checksum, nor doe

Aw: Re: Re: Converting a root certificate from md5 to sha1

2014-04-16 Thread steffo76
Okay, thanks for all the information, here's what I did and what will go into testing: -Recreated a CSR from the root CA cert using openssl x509 -x509toreq -in cacert.crt -signkey cakey.key -sha1 -out newcert.csr Set the system date back to the startday of the old root cert Recreated t

Re: Re: Converting a root certificate from md5 to sha1

2014-04-15 Thread Kyle Hamilton
ay, wouldn't it confuse the > client when the start date of the cert is older than that of the root cert ? > > Also I managed to convert the existing root cert from md5 to sha1 with > > openssl x509 -sha1 -inform pem -outform pem -in cacert.pem -out > cacertsha1.pem -s

Aw: Re: Converting a root certificate from md5 to sha1

2014-04-15 Thread steffo76
replace the old root cert with the new one on all clients ? I have certificates that are already in use and the new root cert would have a start date of today, wouldn't it confuse the client when the start date of the cert is older than that of the root cert ? Also I managed to convert the

Re: Converting a root certificate from md5 to sha1

2014-04-15 Thread Kyle Hamilton
n little CA and the root certificate was created using md5: > > Signature Algorithm: md5WithRSAEncryption > > I need to change this to sha1 because I have clients that do not accept md5 > anymore. Is there any way to convert the existing cert from md5 to sha1 ? I > tried converting it

Re: Converting a root certificate from md5 to sha1

2014-04-15 Thread Hanno Böck
I don't know the answer to your main question, but: On Tue, 15 Apr 2014 10:41:20 +0200 steff...@gmx.de wrote: > I need to change this to sha1 because I have clients that do not > accept md5 anymore. If you use SHA256 you won't have to do this again in a few years. (Micros

Converting a root certificate from md5 to sha1

2014-04-15 Thread steffo76
Hello world, I am running my own little CA and the root certificate was created using md5: Signature Algorithm: md5WithRSAEncryption I need to change this to sha1 because I have clients that do not accept md5 anymore. Is there any way to convert the existing cert from md5 to sha1 ? I tried

Does Openssl has definitions for SHA1 Functions?

2013-02-27 Thread Rajeswari K
Hello Team, Does OpenSSL have definitions for the SHA1_Init(), SHA1_Update() etc. functions? If present, which file can I refer to? I see only declarations for the SHA1xxx functions, but no definitions. Can you please direct me? I would also like to know one more thing: is there any implementation differ

Re: Measuring SHA1 performance in CPU cycles [SOLVED]

2012-09-04 Thread Amit
Amit writes: > > Hello, > > Looking at *crypto/sha/asm/sha1-x86_64.pl*, there is a measurement that > states 5.3 cycles / byte when computing the sha1. > > How was this measurement obtained? I tried using linux perf tools and > got close to this figure but I am not sur

Measuring SHA1 performance in CPU cycles

2012-09-03 Thread Amit
Hello, Looking at *crypto/sha/asm/sha1-x86_64.pl*, there is a measurement that states 5.3 cycles / byte when computing the sha1. How was this measurement obtained? I tried using linux perf tools and got close to this figure but I am not sure if I am performing the correct test. Thanks, Amit

About signing RSA-SHA1(RSASSA-PKCS1-v1_5)

2012-06-12 Thread Neko
I'm trying to use OpenSSL to do RSA-SHA1(RSASSA-PKCS1-v1_5), which is used in xml signature. But the result doesn't match with the one comes from xmlsec. How I did it: RSA_sign(NID_sha1, *digestvalue*, 20, signvalue, siglen, *rsa*); where *digestvalue* is the direct output of SHA1

Re: SHA1,MD5 calculation in case of where it left off

2012-01-29 Thread Jakob Bohm
To clean up, just call MD5_Final and ignore the result. When I said it depended on which OpenSSL API you were using, it was less about the version of OpenSSL and more about the specific function names, as there is more than one set of functions that can do the MD5. I see from your latest mail be

Re: SHA1,MD5 calculation in case of where it left off

2012-01-27 Thread Prabu RM
Hi Jakob, Thanks for your info. The openssl version currently we used to is 0.9.8r. Also we need a clarification for one more thing. Is there a way to cleanup the missed CTX from memory? Consider the below scenario. *File 1* --> MD5_Init --> MD5_Update --> MD5_Update --> MD5

Re: SHA1,MD5 calculation in case of where it left off

2012-01-27 Thread Jakob Bohm
Depends which of the OpenSSL APIs you use to do the hashing. Some give you a usable context pointer where you can access the bytes that need saving by following pointers into "internal" structures, others do not. However note that there is another problem in such cases: When a connection is i

Re: SHA1,MD5 calculation in case of where it left off

2012-01-26 Thread Prabu RM
Hi Jakob, Thanks for your reply and we will try as you say. Is there any other way to store the CTX at block level in RDBMS like MySQL? Say if the transfer is interrupted at 500 MB and I know at which block the transfer has been interrupted. In same scenario if I know the CTX of already sent block

Re: SHA1,MD5 calculation in case of where it left off

2012-01-26 Thread Jakob Bohm
On 1/26/2012 7:25 AM, Prabu RM wrote: Hi, We have been used to CRC via MD5 hash algorithm for a file to be transferred in socket we keep below steps. _*At Client side:*_ 1.Md5 Init() 2.MD5 Update MD5 Update MD5 Update MD5 Update . . . 3.MD5 Final 4.Get Checksum *C1* _*At

SHA1,MD5 calculation in case of where it left off

2012-01-25 Thread Prabu RM
Hi, We have been used to CRC via MD5 hash algorithm for a file to be transferred in socket we keep below steps. *At Client side:* 1.Md5 Init() 2.MD5 Update MD5 Update MD5 Update MD5 Update . . . 3.MD5 Final 4.Get Checksum *C1* *At Server side:* 1.Md5 Init() 2.MD5 Update M

HMAC-SHA1

2011-10-10 Thread Oleksiy
I am writing a program to upload file to Amazon S3 in C with libCurl and OpenSSL. To send a request to amazon I have to sign it - with HMAC-SHA1 http://docs.amazonwebservices.com/fws/latest/DeveloperGuide/index.html?SummaryOfAuthentication.html - here amazon doc that explain it. Help

Re: Compiling OpenSSL on linux-ia64-icc - Problem with SHA1 Asm

2011-06-23 Thread Igor Galić
> Is there a target for x86_64 with icc? I could not find one in the > Configure script, therefore I assume icc is not supported, or is it? Try creating your own, base it off the linux-ia64-icc and the linux-x86_64 If it works out fine and passes make test submit a patch, please. i -- Igor Gal

RE: Compiling OpenSSL on linux-ia64-icc - Problem with SHA1 Asm

2011-06-23 Thread Jeremy Farrell
> From: Philipp Berger > > I am trying to compile OpenSSL 0.9.8r on Debian 6.01 AMD64 > (2.6.32-5-amd64) using the Intel C++ Compiler (icc version 12.0.4). > My ./Configure command was: ./Configure linux-ia64-icc shared > enable-static-engine > > When I try to "make" it fails ... > > Additionall
