Re: [openssl-users] PRNG is not seeded
Hi Scott I don’t know your OS or environment, have you tried the ‘openssl rand’ functionality as a random source to seed your entropy issues ? openssl rand 102400 > some named pipe file that you can call as your random source. perhaps rather than pseudo random, try a hardware device ? > On 30 May 2018, at 8:58 AM, Scott Neugroschl wrote: > > Hi, > > I’m using PRNGD to seed my random numbers (I’m on a system without > /dev/random and /dev/urandom). I occasionally get the dreaded “PRNG is not > seeded” error. > > I know this is caused by a lack of available entropy in the system; but what > can I do to address this? Is it just a matter of waiting until enough > entropy has been collected? Is there any kind of workaround? > > Thanks > > ScottN > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] PRNG is not seeded
>I know this is caused by a lack of available entropy in the system; but what >can I do to address this? Is it just a matter of waiting until enough entropy >has been collected? Is there any kind of workaround? Assuming you don’t have another source of randomness that you can add in, then you should wait. IF you don’t, you run the risk that your random numbers (session keys, RSA or other long-term keys, etc) could be guessed by an attacker. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] PRNG is not seeded
Hi, I'm using PRNGD to seed my random numbers (I'm on a system without /dev/random and /dev/urandom). I occasionally get the dreaded "PRNG is not seeded" error. I know this is caused by a lack of available entropy in the system; but what can I do to address this? Is it just a matter of waiting until enough entropy has been collected? Is there any kind of workaround? Thanks ScottN -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Blog post on the new LTS release
>This didn't show up in my RSS client. Is the RSS feed not working, or is > it just my client? It probably sat in draft form for too long, and went out with the old date. Oops. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Blog post on the new LTS release
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of > Salz, Rich via openssl-users > Sent: Tuesday, May 29, 2018 11:12 > To: openssl-users; openssl-annou...@openssl.org > Subject: [openssl-users] Blog post on the new LTS release > We just posted a new blog entry on long-term support, the different phases, > and so on. It’s here: This didn't show up in my RSS client. Is the RSS feed not working, or is it just my client? -- Michael Wojcik Distinguished Engineer, Micro Focus -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Call for testing TLS 1.3
(For those who are not Jouni, there is some spec work needed for TLS 1.3/EAP integration as well, occurring in the IETF EMU working group. I assume Jouni is on the mailing list and knows this already) -Ben On Mon, May 28, 2018 at 03:28:13PM +0300, Jouni Malinen wrote: > On Sun, Apr 29, 2018 at 12:43:26PM +0200, Kurt Roeckx wrote: > > We are considering if we should enable TLS 1.3 by default or not, > > or when it should be enabled. For that, we would like to know how > > applications behave with the latest beta release. > > It looks like couple of TLS 1.3 changes result in breaking functionality > for various EAP methods that are based on TLS unless significant changes > in both the EAP method definition and implementations are done before > enabling the new TLS version. This seems to have an impact to at least > EAP-TLS, EAP-PEAP, EAP-TTLS, and EAP-FAST. > > As far as wpa_supplicant (EAP peer) and hostapd (EAP server) > implementations are concerned, I've prepared changes to make EAP-TLS > work with TLS 1.3, but the other EAP methods are still failing for > various known (and to some extend, unknown) issues. Anyway, I'm > currently explicitly disabling TLS 1.3 support with OpenSSL by default > in these application due to these issues and the expected > interoperability issues and as such, the OpenSSL 1.1.1 release default > behavior regarding TLS 1.3 support should not have impact for these > applications. That said, other EAP implementations may want to do > something similar or face possibility of breaking functionality if > OpenSSL 1.1.1 does go out with TLS 1.3 enabled by default and both ends > of the EAP connection have TLS 1.3 enabled. > > -- > Jouni MalinenPGP id EFC895FA > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Unexpected difference between version 10x and 11x
Hi, Certificate included here is only for testing. I use EasyRSA to build my PKI -- This all works well. So, now I have a client cert but, depending on which version of openssl I use, I get different output in the Issuer line from the same cert. The difference is: openssl 101f: Issuer: C=00, ST=home, L=tct, O=tct.org, OU=tct.v304.secp384r1.20180529, CN=Easy-RSA CA/emailAddress=m...@example.net openssl 110h Issuer: C = 00, ST = home, L = tct, O = tct.org, OU = tct.v304.secp384r1.20180529, CN = Easy-RSA CA, emailAddress = m...@example.net Note the extra spaces which are inserted around '=' (cat of the original certificate does not show those spaces) My question: Is this change intentional ? I did not feel confident to report this as a bug without asking here first. Thanks for your time and any help/advice you can offer. tct ** Please find full details of output below: $ cat tct.v304.secp384r1.c01.crt Certificate: Data: Version: 3 (0x2) Serial Number: 48:07:85:ec:c8:78:e6:e3:ac:91:54:b3:91:07:83:d5 Signature Algorithm: ecdsa-with-SHA256 Issuer: C=00, ST=home, L=tct, O=tct.org, OU=tct.v304.secp384r1.20180529, CN=Easy-RSA CA/emailAddress=m...@example.net Validity Not Before: May 29 14:01:00 2018 GMT Not After : May 28 14:01:00 2028 GMT Subject: C=00, ST=home, L=tct, O=tct.org, OU=tct.v304.secp384r1.20180529, CN=tct.v304.secp384r1.c01/emailAddress=m...@example.net Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (384 bit) pub: 04:b2:d4:42:ab:b7:bd:ba:d6:52:b6:9a:ca:30:50: 48:34:5b:72:bf:77:60:c3:7b:4b:fb:18:0f:90:27: a3:bf:f6:db:8b:47:be:04:1f:2a:10:b2:de:7f:6b: f5:e3:5b:12:11:8e:08:85:7c:5b:e8:27:3c:07:fc: 2f:cf:96:50:65:96:60:38:4e:49:ed:d5:b4:23:8e: 7a:64:d8:29:af:e2:c8:4a:49:31:2f:fe:3b:50:99: a1:7d:3b:30:bd:c4:d4 ASN1 OID: secp384r1 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Subject Key Identifier: 08:C1:03:47:D4:8E:FD:47:80:6B:33:33:D9:53:97:AF:75:BB:72:20 X509v3 Authority Key Identifier: keyid:3D:05:4B:95:5E:EF:C9:CF:73:00:3B:84:25:F6:65:35:8F:57:A8:F7 DirName:/C=00/ST=home/L=tct/O=tct.org/OU=tct.v304.secp384r1.20180529/CN=Easy-RSA CA/emailAddress=m...@example.net serial:E7:DD:3B:6D:9E:E9:FD:58 X509v3 Extended Key Usage: TLS Web Client Authentication X509v3 Key Usage: Digital Signature Signature Algorithm: ecdsa-with-SHA256 30:64:02:30:4e:39:9a:4b:b0:f9:86:23:00:a1:82:76:8f:ed: e5:3f:20:af:a8:64:f1:b2:10:98:75:ab:64:31:38:a5:bf:a2: ca:be:18:54:12:b5:8c:1d:c9:91:8a:e6:09:c5:16:a3:02:30: 5b:32:d4:7a:d0:2e:97:86:65:51:4f:60:16:51:71:bd:ca:7a: 90:31:5c:0d:62:19:1e:86:29:0c:94:32:1f:33:ce:db:db:b9: 1e:40:0b:55:17:f1:6c:9e:ff:d2:52:03 -BEGIN CERTIFICATE- MIIDljCCAx2gAwIBAgIQSAeF7Mh45uOskVSzkQeD1TAKBggqhkjOPQQDAjCBlzEL MAkGA1UEBhMCMDAxDTALBgNVBAgTBGhvbWUxDDAKBgNVBAcTA3RjdDEQMA4GA1UE ChMHdGN0Lm9yZzEkMCIGA1UECxMbdGN0LnYzMDQuc2VjcDM4NHIxLjIwMTgwNTI5 MRQwEgYDVQQDEwtFYXN5LVJTQSBDQTEdMBsGCSqGSIb3DQEJARYObWVAZXhhbXBs ZS5uZXQwHhcNMTgwNTI5MTQwMTAwWhcNMjgwNTI4MTQwMTAwWjCBojELMAkGA1UE BhMCMDAxDTALBgNVBAgTBGhvbWUxDDAKBgNVBAcTA3RjdDEQMA4GA1UEChMHdGN0 Lm9yZzEkMCIGA1UECxMbdGN0LnYzMDQuc2VjcDM4NHIxLjIwMTgwNTI5MR8wHQYD VQQDExZ0Y3QudjMwNC5zZWNwMzg0cjEuYzAxMR0wGwYJKoZIhvcNAQkBFg5tZUBl eGFtcGxlLm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABLLUQqu3vbrWUraayjBQ SDRbcr93YMN7S/sYD5Ano7/224tHvgQfKhCy3n9r9eNbEhGOCIV8W+gnPAf8L8+W UGWWYDhOSe3VtCOOemTYKa/iyEpJMS/+O1CZoX07ML3E1KOCAR8wggEbMAkGA1Ud EwQCMAAwHQYDVR0OBBYEFAjBA0fUjv1HgGszM9lTl691u3IgMIHMBgNVHSMEgcQw gcGAFD0FS5Ve78nPcwA7hCX2ZTWPV6j3oYGdpIGaMIGXMQswCQYDVQQGEwIwMDEN MAsGA1UECBMEaG9tZTEMMAoGA1UEBxMDdGN0MRAwDgYDVQQKEwd0Y3Qub3JnMSQw IgYDVQQLExt0Y3QudjMwNC5zZWNwMzg0cjEuMjAxODA1MjkxFDASBgNVBAMTC0Vh c3ktUlNBIENBMR0wGwYJKoZIhvcNAQkBFg5tZUBleGFtcGxlLm5ldIIJAOfdO22e 6f1YMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAsGA1UdDwQEAwIHgDAKBggqhkjOPQQD AgNnADBkAjBOOZpLsPmGIwChgnaP7eU/IK+oZPGyEJh1q2QxOKW/osq+GFQStYwd yZGK5gnFFqMCMFsy1HrQLpeGZVFPYBZRcb3KepAxXA1iGR6GKQyUMh8zztvbuR5A C1UX8Wye/9JSAw== -END CERTIFICATE- ** Now usiing openssl v101f I get $ openssl x509 -in /home/arby/sources/easyrsa/ersa304-1/pki/issued/tct.v304.secp384r1.c01.crt -textCertificate: Data: Version: 3 (0x2) Serial Number: 48:07:85:ec:c8:78:e6:e3:ac:91:54:b3:91:07:83:d5 Signature Algorithm: ecdsa-with-SHA256 Issuer: C=00, ST=home, L=tct, O=tct.org, OU=tct.v304.secp384r1.20180529, CN=Easy-RSA CA/emailAddress=m...@example.net Validity Not Before: May 29 14:01:00 2018 GMT Not
[openssl-users] Blog post on the new LTS release
We just posted a new blog entry on long-term support, the different phases, and so on. It’s here: https://www.openssl.org/blog/blog/2018/05/18/new-lts/ TL;DR is that the upcoming 1.1.1 will be our next LTS release. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] OpenSSL version 1.1.1 pre release 7 published
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 OpenSSL version 1.1.1 pre release 7 (beta) === OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ OpenSSL 1.1.1 is currently in beta. OpenSSL 1.1.1 pre release 7 has now been made available. For details of changes and known issues see the release notes at: https://www.openssl.org/news/openssl-1.1.1-notes.html Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes. The beta release is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html): * https://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.1.1-pre7.tar.gz Size: 8308876 SHA1 checksum: 1879b688f9e36665f82bda8cac4f392029683bd0 SHA256 checksum: e4a54e1eba294a2e39cde62aeaf1f1fa0442169f849faf14e735136ad6cc The checksums were calculated using the following commands: openssl sha1 openssl-1.1.1-pre7.tar.gz openssl sha256 openssl-1.1.1-pre7.tar.gz Please download and check this beta release as soon as possible. To report a bug, open an issue on GitHub: https://github.com/openssl/openssl/issues Please check the release notes and mailing lists to avoid duplicate reports of known issues. (Of course, the source is also available on GitHub.) Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- iQEzBAEBCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAlsNRX8ACgkQ2cTSbQ5g RJG5OwgAhQ1fmHrG57u3jCfhKn7r2t1c6CxnSfZRn7hRc1He772R3iwi9A3i6AO3 9BlEj16V8bQ/2DF6vH31FzBnPjfnP8QENDC3btwdQOdufkQLyeqvgMIjdj42VFS6 E803eCRE1fN6w0LZzVoP8TarWCIifD+Wb3c9VfFsTDWzfQ2TMQz3SKsVqhRA9m0e +xKpkFkJNHw7MQw5B7EomuJYwCVZpERDQAJMlh78uQK5SCoLFw3f14+2C0IzLIBn 6fKVbC546TJgflWoR2uGjOSgYKZqxysya1ZcKfGTOuRy4YiBMkCxX/n0GNEEJFoy gKxJYtMXHCmudlcEjvqcXqO0schzRw== =HTbt -END PGP SIGNATURE- -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] database openssl
On 29/05/2018 10:43, Jan Just Keijser wrote: Hi, On 29/05/18 09:47, Sampei wrote: I'm using Linux server to create temporary CA and I know openssl maintains a text database of issued certificates and their status. Now I need to migrate this server to another one, so I ask myself how can I export this db. thanks the openssl CA "database" usually consists of two files. The location of these files is specified in the openssl.cnf file. The files are serial - containing the last issued serial number index.txt - containing the list of all issued, expired and revoked certificates. As I said, the location of these files is depending on how you set up your temporary CA. Additionally, the openssl ca command stores the complete value of each issued certificate in a subdirectory specified in openssl.cnf, this may be needed/useful when importing to other CA software. Also note that unless a special setting is included (I forget where), the openssl ca database will be in a different (older) format that only remembers the most recently issued certificate for a given subject distinguished name. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] database openssl
Hi, On 29/05/18 09:47, Sampei wrote: I'm using Linux server to create temporary CA and I know openssl maintains a text database of issued certificates and their status. Now I need to migrate this server to another one, so I ask myself how can I export this db. thanks the openssl CA "database" usually consists of two files. The location of these files is specified in the openssl.cnf file. The files are serial - containing the last issued serial number index.txt - containing the list of all issued, expired and revoked certificates. As I said, the location of these files is depending on how you set up your temporary CA. HTH, JJK -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] database openssl
I'm using Linux server to create temporary CA and I know openssl maintains a text database of issued certificates and their status. Now I need to migrate this server to another one, so I ask myself how can I export this db. thanks Con Mobile Open 6 GB hai 6 Giga, 600 minuti e 300 SMS per il tuo smartphone a 9€ al mese per sempre. Passa ora a Tiscali Mobile, il nostro mese è vero! http://tisca.li/Open6GB0318 -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
