Re: [openssl-users] openssl req -x509 Serial Number
On 28/04/2013 20:26, redpath wrote:

> When an x509 is created using the openssl command it creates a default serial number if one is not supplied.
> How is this serial number created (algorithm) in general?

A 64-bit random number.

> openssl req -x509 etcetera
>
> The default serial number is quite long so just using time_t (long) to set the serial number is not very long (four bytes). So I am interested in what it does.

You could also read apps/req.c source code.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
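Added example (not part of the original messages, and not OpenSSL's own code): a shell check of the serial a given openssl build assigns when none is supplied, next to one pinned with `-set_serial`. The subject name, file names and the serial value 4096 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: inspect the serial that `openssl req -x509` assigns.
# The subject, file names and the pinned serial 4096 are constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One throwaway key reused for every certificate, so only the serial varies.
openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null

# make_cert OUTFILE [SERIAL]
# Self-signed certificate; openssl picks the serial unless SERIAL is given,
# in which case -set_serial pins it.
make_cert() {
    out=$1
    shift
    [ $# -gt 0 ] && set -- -set_serial "$1"
    openssl req -x509 -new -key "$WORK/key.pem" -days 1 \
        -subj "/CN=serial-demo.example" "$@" -out "$out" 2>/dev/null
}

# cert_serial FILE: the serial as hex, without the "serial=" prefix.
cert_serial() {
    openssl x509 -noout -serial -in "$1" | sed 's/^serial=//'
}

# serial_bits FILE: size of the encoded serial in bits (4 per hex digit).
serial_bits() {
    hex=$(cert_serial "$1")
    echo $(( ${#hex} * 4 ))
}

make_cert "$WORK/a.pem"
make_cert "$WORK/b.pem"
make_cert "$WORK/pinned.pem" 4096

for f in a b pinned; do
    printf '%-7s serial=%s (%s bits)\n' "$f" \
        "$(cert_serial "$WORK/$f.pem")" "$(serial_bits "$WORK/$f.pem")"
done
```

Two certificates made from the same key and subject come out with different serials, while the pinned one reports `1000` (4096 in hex).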
AES wrap APIs in FIPS mode
Hi OpenSSL Users,

I am using OpenSSL 1.0.1c with OpenSSL FIPS module 2.0.2. I need an API similar to AES_wrap_key() and AES_unwrap_key() in crypto/aes/aes_wrap.c that will work in FIPS mode. The functions in aes_wrap.c use low-level AES functions (and not EVP) that are not supported in FIPS mode.

Can someone please suggest the relevant AES wrap API?

Thanks in advance for your help!

Rahul Godbole
Re: Is it possible to configure only TLSv1.2 ciphers for FIPS?
Hi Jakob,

I am using OpenSSL 1.0.1e compiled against FIPS 2.0.2.

Thanks a lot! That was some great information. We will upgrade to 2.3.x since we need OCSP support as well. Any idea which is the stable version in 2.3.x?

Hi Viktor,

> And then protocols here. Which do you want, the protocol or the ciphers?

Sorry, I was under the impression that selecting the TLS version automatically sets the same versioned ciphers. I may be mistaken here. Jakob's mail clears the confusion for me.

Thanks!
Cipher.
Re: Is it possible to configure only TLSv1.2 ciphers for FIPS?
Please refer to http://httpd.apache.org for the current version numbers. Note that 2.3.x was a beta series for the current 2.4.x releases.

On 4/29/2013 2:22 PM, Cipher wrote:

> Hi Jakob,
>
> I am using Openssl 1.0.1e compiled against FIPS 2.0.2.
>
> Thanks a lot! That was some great information. we will upgrade to 2.3.x since we need OCSP support as well. Any idea which is the stable version in 2.3.x?
>
> Hi Viktor,
>
> /And then protocols here. Which do you want, the protocol or the ciphers?/
>
> Sorry, i was under the impression that Selecting TLS version automatically sets the same versioned ciphers. I may be mistaken here. Jakobs mail clears the confusion for me.
>
> Thanks!
> Cipher.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
RE: Why Openssl s_server is allowing Session Reuse on the same tcp connection
-Original Message-
From: sajualways

> But what Use Case does this have, where client tells the server to resume the ssl session on the same tcp connection.

The use case is changing the keys for securing long-standing connections. Of course this is in the server's responsibility, but the mechanism is the same for client and server.

HTH,
Patrick Eisenacher
Re: OpenSSL PKI Tutorial updated
In the Simple PKI example, step 5.4 "View PKCS#7 bundle", the -in option points to the ca directory, but the bundle was created in step 4.3 "Create PKCS#7 bundle" in the certs directory. I.e.:

Step 4.3:

    # -out writes to the certs directory
    openssl crl2pkcs7 -nocrl \
        -certfile ca/signing-ca.crt \
        -certfile ca/root-ca.crt \
        -out certs/signing-ca-chain.p7c \
        -outform der

Step 5.4:

    # -in reads from the ca directory
    openssl pkcs7 \
        -in ca/signing-ca-chain.p7c \
        -inform der \
        -noout \
        -text \
        -print_certs

So far though, this has been a helpful tutorial for a noob to PKI. Thanks!

Kevin

On Sun, Apr 21, 2013 at 5:56 AM, Stefan H. Holek ste...@epy.co.at wrote:

> Hi All!
>
> I have updated the OpenSSL PKI tutorial at readthedocs. The tutorial takes a novel approach without ever referring to openssl.cnf or CA.pl (yuck). You can find it here: https://pki-tutorial.readthedocs.org/
>
> Thanks to everyone who has provided feedback for the first version. I heard your call for more verbosity! The first two examples now have much more detailed instructions, and I hope that by the third example you won't need instructions anymore. ;-)
>
> Cheers,
> Stefan
>
> --
> Stefan H. Holek
> ste...@epy.co.at
CApath in the config file
Good evening everyone,

Please excuse me if it has already been asked, but is there a way to make openssl s_client use my directory with every certificate (as with -CApath) once and for all? Claws-mail is relying on it and doesn't manage to automatically assess good certificates, whereas /etc/ssl/certs is populated with certs from common CAs (VeriSign etc.).

Thanks in advance!

Arthur Carcano