Re: [openssl-dev] id-kp-OCSPSigning extended key usage

Bonjour, SHALL is not equivalent to a SHOULD, but to a MUST. See RFC2119. Cordialement, Erwann Abalea Le 12 sept. 2017 à 02:46, Winter Mute <zshr...@gmail.com<mailto:zshr...@gmail.com>> a écrit : Hello, The RFC<https://tools.ietf.org/html/rfc6960#section-4.2.2.2> states

Re: [openssl-dev] [gnutls-devel] Proposal for the ASN.1 form of TPM1.2 and TPM2 keys

one the following conditions is true: - they’re defined in a module declared with « EXTENSIBILITY IMPLIED » - they both include the extensibility marker (i.e. they’re slightly modified) If you plan to use BER, CER or DER (and only these), then the parser MUST ignore the extensibility markers (present or not), and work as if they’re present. But that won’t change the ASN.1 definition, only the decoder behaviour. Cordialement, Erwann Abalea -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

eral in what you accept, when dealing with crypto, gives you stuff like this: https://www.mozilla.org/en-US/security/advisories/mfsa2014-73/ Cordialement, Erwann Abalea -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

eral in what you accept, when dealing with crypto, gives you stuff like this: https://www.mozilla.org/en-US/security/advisories/mfsa2014-73/ Cordialement, Erwann Abalea -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4301 Please log in as guest with password guest if prompted --

Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

and bit 8 of the second octet are all zero. This is invalid. There is no additional rule for DER on INTEGERs. Cordialement, Erwann Abalea -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] Support for TLS SHA2-512?

eters-4> and there’s no standardized *SHA512 cipher suite, as you can see. Cordialement, Erwann Abalea ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] 0.9.8 support after 31 Dec 2015

be to fork the branch into a new repository on github and work there. We will not be checking anything into the official stable branch. Cordialement, Erwann Abalea ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo

Re: [openssl-dev] Using keys from a hardware accelerator

You’re looking for ENGINE objects. There’s maybe already an ENGINE directly supporting your hardware module. If your hardware thing has a PKCS#11 library, a PKCS#11 ENGINE exists. Cordialement, Erwann Abalea Le 20 juil. 2015 à 17:14, Alexander Gostrer agost...@gmail.com a écrit : Hi All

Re: [openssl-dev] [openssl.org #3886] [BUG] [PATCH] verify fails for 3-level cert chain when using X509v3 Authority Key Identifier

Bonjour, Le 30 mai 2015 à 09:48, John Lofgren via RT r...@openssl.org a écrit : I believe I have pinpointed a typo-error that may be the cause of one or two other outstanding bugs related to certificate chain validation. This bug only occurs in a chain of certs at least 3 deep when the

Re: [openssl-dev] [openssl.org #3886] [BUG] [PATCH] verify fails for 3-level cert chain when using X509v3 Authority Key Identifier

Bonjour, Le 30 mai 2015 à 09:48, John Lofgren via RT r...@openssl.org a écrit : I believe I have pinpointed a typo-error that may be the cause of one or two other outstanding bugs related to certificate chain validation. This bug only occurs in a chain of certs at least 3 deep when the

Re: [openssl-dev] OID with length zero related bug

not identify a signature algorithm (it's the OID { itu-t recommendation }). The decoding step of the 0600 hex sequence correctly produces a BAD OBJECT, since it's an invalid encoding of an OID. So having an error when decoding such a CSR is a correct behaviour and should be expected. -- Erwann

Re: [openssl-dev] openssl x509 -text incorrectly displays non-latin (non-ansi) symbols (missed '-utf8 option?)

Bonjour, Probably an openssl-users question. Use openssl x509 -text -in localhost-server.crt -nameopt oneline,utf8,-esc_msb Your terminal must be able to display UTF8 sequences. I sometimes add the show_type nameopt option, to check things. -- Erwann ABALEA Le 02/03/2015 06:58, Ikonta

Re: [openssl-dev] [openssl.org #3726] Cocoapods install BUG

It seems all the tarballs have disappeared. -- Erwann ABALEA Le 02/03/2015 18:06, Alex Sklyar via RT a écrit : Hello guys. There is a issue with openssl pod installing with cocoapods tool. The URL «https://www.openssl.org/source/openssl-1.0.2.tar.gz» is dead

Re: [openssl-dev] OpenSSL and certain PEM formats

Le 17/12/2014 17:34, Salz, Rich a écrit : #define PEM_STRING_X509_PAIRCERTIFICATE PAIR (note, this is supposed to encapsulate a CertificatePair structure from X.509) This is not used anywhere in openssl. I just removed it and did a build :) The fact that the fields are named forward

Re: [openssl-dev] Adding GET support to ocsp app

() job will render this request invalid if is contains a + (it can happen in a Base64 encoded string). -- Erwann ABALEA Le 26/09/2014 04:56, Salz, Rich a écrit : I don't see where the OCSP request is de-base64-ified, and URL-decoded. In both cases, d2i_OCSP_REQUEST_bio is called to get the request

Re: [openssl-dev] Re: [openssl.org #3525] CRL tool doesn't show leading 0's in output

isn't important for the comparison/match. openssl crl should print a leading 00 to avoid confusion, but it's not really important. -- Erwann ABALEA __ OpenSSL Project http://www.openssl.org

Re: [openssl-dev] Adding GET support to ocsp app

Le 11/09/2014 19:45, Salz, Rich a écrit : The attached diff adds GET support to ocsp. I'd appreciate any feedback. I don't see where the OCSP request is de-base64-ified, and URL-decoded. In both cases, d2i_OCSP_REQUEST_bio is called to get the request, but it's done directly on the HTTP

Re: [openssl-dev] Adding GET support to ocsp app

(trying a resend, my email address has changed) Le 11/09/2014 19:45, Salz, Rich a écrit : The attached diff adds GET support to ocsp. I'd appreciate any feedback. I don't see where the OCSP request is de-base64-ified, and URL-decoded. In both cases, d2i_OCSP_REQUEST_bio is called to get

Re: [openssl-dev] SHA-3 availability

Bonjour, SHA3 is not standardized yet. Keccak has been chosen in the end, but its parameters are still debated. I'm pretty sure that once those parameters are fixed in stone, there will be an implementation in OpenSSL. -- Erwann ABALEA Le 12/02/2014 11:29, Francis GASCHET a écrit

Re: [openssl-dev] MD5 in openSSL internals

think you could define your own with TLS1.0). -- Erwann ABALEA Le 23/04/2013 08:29, Venkataragavan Narayanaswamy a écrit : Hi, We are currently analyzing and understanding the security strength of the openSSL internal implementation to certify the products. In version 0.9.8d, TLSv1.0 alone

Re: [openssl-users] Re: [openssl-dev] MD5 in openSSL internals

on collision of both MD5 and SHA1 at the same time. -- Erwann ABALEA Le 23/04/2013 14:28, David Jacobson a écrit : Careful about this. The technically correct answer is misleading. Yes, MD5 is used in the PRF, but it is XORed with SHA1. So you get at least the strength of stronger of the two

Re: [openssl-dev] [openssl.org #3026] Possible BUG in OpenSSL 1.0.1c regarding string types

The countryName field is a PrintableString, that's mandatory (see X.520). It also MUST be 2 characters long, but that's not enforced by OpenSSL. -- Erwann ABALEA Le 28/03/2013 14:33, Joseba Gil Irisarri via RT a écrit : Hello, I´m using OpenSSL 1.0.1c as a CA to sign a corporate certificate

Re: [openssl-dev] [openssl.org #3026] Possible BUG in OpenSSL 1.0.1c regarding string types

The countryName field is a PrintableString, that's mandatory (see X.520). It also MUST be 2 characters long, but that's not enforced by OpenSSL. -- Erwann ABALEA Le 28/03/2013 14:33, Joseba Gil Irisarri via RT a écrit : Hello, I´m using OpenSSL 1.0.1c as a CA to sign a corporate certificate

Re: [openssl-dev] Security of RC4 in TLS

Le 15/03/2013 11:34, Huzaifa Sidhpurwala a écrit : On Fri, Mar 15, 2013 at 3:39 PM, Erwann Abalea erwann.aba...@keynectis.com wrote: Bonjour, In my understanding, after a fast read of RFC5246, this won't work. If RC4 is finally considered weak (at last), just don't use it anymore. Do you use

Re: [openssl-dev] [openssl.org #3003] Enhancement Request - RFC6698 (DANE) TLSA Support

IMHO, it's more OpenSSL users' job (programs and libraries), not directly OpenSSL. -- Erwann ABALEA Le 01/03/2013 16:08, russell.aspinw...@bcs.org.uk via RT a écrit : Hi, Would you consider adding support for RFC6698 Domain Authentication of Named Entities (DANE) Transport Layer Association

Re: [openssl-dev] [openssl.org #3003] Enhancement Request - RFC6698 (DANE) TLSA Support

IMHO, it's more OpenSSL users' job (programs and libraries), not directly OpenSSL. -- Erwann ABALEA Le 01/03/2013 16:08, russell.aspinw...@bcs.org.uk via RT a écrit : Hi, Would you consider adding support for RFC6698 Domain Authentication of Named Entities (DANE) Transport Layer

Re: [openssl-dev] [openssl.org #2879] Bug report - X509_check_akid() incorrectly handles dirName:

constructed. -- Erwann ABALEA - yachtitropicomythivorotrièdre: triangle des Bermudes Le 13/09/2012 09:15, David Shambroom via RT a écrit : Using: Windows 7 Professional SP1 openssl-1.0.0g Build: perl Configure debug-VC-WIN64A no-asm --prefix=c:\openssl ms\do_win64a nmake -f ms\nt.mak source file

Re: [openssl-dev] [openssl.org #2879] Bug report - X509_check_akid() incorrectly handles dirName:

. -- Erwann ABALEA - yachtitropicomythivorotrièdre: triangle des Bermudes Le 13/09/2012 09:15, David Shambroom via RT a écrit : Using: Windows 7 Professional SP1 openssl-1.0.0g Build: perl Configure debug-VC-WIN64A no-asm --prefix=c:\openssl ms\do_win64a nmake -f ms\nt.mak source

Re: [openssl-dev] [RFC] OpenSSL accepts invalid server cert chain

Le 12/07/2012 15:36, David Woodhouse a écrit : I have encountered a server which presents an invalid set of certificates in its TLS handshake. This is common. Really common. It's presenting four certificates, where the second cert is *not* the issuer of the first cert in the list. The chain

Re: [openssl-dev] Re: SHA-256 and SHA-512 doubts in OpenSSL

Same here. Also with http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf http://csrc.nist.gov/publications/fips/fips180-3/fips180-3_final.pdf and http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf are OK. -- Erwann ABALEA - nocticonsiliophorisme

Re: [openssl-dev] RE: SHA-256 and SHA-512 doubts in OpenSSL

/fips/fips180-2/fips180-2withchangenotice.pdf -- Erwann ABALEA - atripodanatoclaste: qui ne casse pas trois pattes à un canard __ OpenSSL Project http://www.openssl.org Development Mailing List

Re: [openssl-dev] [openssl.org #2834] bug report: i2d(sign(10)) results in 2573 encoded

is needed? -- Erwann ABALEA - transrhinoscopie: capacité de voir plus loin que son nez Le 14/06/2012 16:56, Yusheng Yang via RT a écrit : [...] This test attempts to sign, encode, decode, and verify messages using the PKCS7 API. The messages are single integers. Every integer works as expected

Re: [openssl-dev] [openssl.org #2834] bug report: i2d(sign(10)) results in 2573 encoded

is needed? -- Erwann ABALEA - transrhinoscopie: capacité de voir plus loin que son nez Le 14/06/2012 16:56, Yusheng Yang via RT a écrit : [...] This test attempts to sign, encode, decode, and verify messages using the PKCS7 API. The messages are single integers. Every integer works

Re: [FEATURE] OCSP functionality patch

, APPLICATION_VERIFICATION_FAILURE doesn't tell you much). -- Erwann ABALEA - Un forum peut répondre à plusieurs besoins à la fois Ici, le groupe des débutants dépasse en nombre le groupe des utilisateur middle-class ce qui provoque inévitablement des tensions. -+- EF - Guide du Neuneu d'Usenet - La lutte

Re: [openssl-dev] Re: [openssl.org #2782] BUG report: RSA private key serializer

that what you spotted is not a bug in OpenSSL but an incomprehension on your side. Cordialement. -- Erwann ABALEA - Ce ne sont que des propositions. Je ne veux pas les faire passer en force. Je pense que si mes idées doivent être reprises, elles ne doivent pas passer au vote, pour plusieurs

Re: [openssl-dev] Re: [openssl.org #2782] BUG report: RSA private key serializer

you spotted is not a bug in OpenSSL but an incomprehension on your side. Cordialement. -- Erwann ABALEA - Ce ne sont que des propositions. Je ne veux pas les faire passer en force. Je pense que si mes idées doivent être reprises, elles ne doivent pas passer au vote, pour plusieurs raison

Re: [openssl-dev] [openssl.org #2782] BUG report: RSA private key serializer

another reason. -- Erwann ABALEA - podoclaste: casse-pieds __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List

Re: [openssl-dev] [openssl.org #2782] BUG report: RSA private key serializer

another reason. -- Erwann ABALEA - podoclaste: casse-pieds __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List

Re: [openssl-dev] [openssl.org #2782] BUG report: RSA private key serializer

. On Mon, Apr 2, 2012 at 3:52 PM, Erwann Abalea via RTr...@openssl.org wrote: Bonjour, Le 02/04/2012 13:21, Tamir Khason via RT a écrit : There is a bug in ASN.1 DER serializer used to generate RSA private keys. It trims trailing zeros despite the DER specification. Please see the full info

Re: [openssl-dev] [openssl.org #2782] BUG report: RSA private key serializer

. On Mon, Apr 2, 2012 at 3:52 PM, Erwann Abalea via RTr...@openssl.org wrote: Bonjour, Le 02/04/2012 13:21, Tamir Khason via RT a écrit : There is a bug in ASN.1 DER serializer used to generate RSA private keys. It trims trailing zeros despite the DER specification. Please see the full info

Re: [openssl-dev] [openssl.org #2782] BUG report: RSA private key serializer

/languages/X.690-0207.pdf). This is why i think there is a bug in ASN.1 encoding of the certificate -- Erwann ABALEA - nosovermiculotracter: interroger __ OpenSSL Project http://www.openssl.org

Re: [openssl-dev] [openssl.org #2782] BUG report: RSA private key serializer

/com17/languages/X.690-0207.pdf). This is why i think there is a bug in ASN.1 encoding of the certificate -- Erwann ABALEA - nosovermiculotracter: interroger __ OpenSSL Project http

Re: [openssl-dev] [openssl.org #2782] BUG report: RSA private key serializer

, should be encoded according ANS1 DER encoding, which means should be have either length octets or end-of-contents octets On Mon, Apr 2, 2012 at 6:56 PM, Erwann Abalea via RTr...@openssl.org wrote: Tamir, What are you talking about? DER encoding doesn't say anything about how the length of RSA key

Re: [openssl-dev] [openssl.org #2782] BUG report: RSA private key serializer

, should be encoded according ANS1 DER encoding, which means should be have either length octets or end-of-contents octets On Mon, Apr 2, 2012 at 6:56 PM, Erwann Abalea via RTr...@openssl.org wrote: Tamir, What are you talking about? DER encoding doesn't say anything about how the length of RSA

Re: [openssl-dev] [openssl.org #2782] BUG report: RSA private key serializer

of a mail. -- Erwann ABALEA - BC Merci à tous de me plnnKER que j'ai plus à vous supporter! VR Du coup, je l'ai déplonké, pour voir. Tiens, moi il est passé de -1000 à -100... -+- ED in GNU : La constante de plonk en solde à -100

Re: [openssl-dev] [openssl.org #2782] BUG report: RSA private key serializer

of a mail. -- Erwann ABALEA - BC Merci à tous de me plnnKER que j'ai plus à vous supporter! VR Du coup, je l'ai déplonké, pour voir. Tiens, moi il est passé de -1000 à -100... -+- ED in GNU : La constante de plonk en solde à -100

Re: [openssl-dev] [openssl.org #2746] Bugfix for ASN.1 parser in OpenSSL 0.9.8 and 1.0

. That *is* legal. No, you were (partly) right. This is legal BER, not DER. -- Erwann ABALEA - parturiophone: enceinte acoustique __ OpenSSL Project http://www.openssl.org Development Mailing List

Re: [openssl-dev] [openssl.org #2746] Bugfix for ASN.1 parser in OpenSSL 0.9.8 and 1.0

. That *is* legal. No, you were (partly) right. This is legal BER, not DER. -- Erwann ABALEA - parturiophone: enceinte acoustique __ OpenSSL Project http://www.openssl.org Development Mailing

Re: [openssl-dev] [openssl.org #2595] Capitalize X509 subject key STREET according to rfc1779

Hodie III Id. Sep. MMXI, Peter Sylvester scripsit: On 09/11/2011 12:12 AM, Erwann ABALEA wrote: Hodie IV Id. Sep. MMXI, Maarten Billemont via RT scripsit: According to rfc1779, the key STREET in the subject name should be capitalized. obj_dat.h specifies it as a lower-cased

Re: [openssl-dev] [openssl.org #2595] Capitalize X509 subject key STREET according to rfc1779

in one aspect: the following names are not considered equal: CN=James Bond, O=MI6, C=UK CN=James \ Bond, O=MI6, C=UK CN=\ \ jAmeS bonD, O=MI6, C=UK these examples are equal, following X.520 rules. -- Erwann ABALEA erwann.aba...@keynectis.com Département RD KEYNECTIS

Re: [openssl-dev] openssl.org web site certificate renewed

, and 128bits ciphers. -- Erwann ABALEA erwann.aba...@keynectis.com Département RD KEYNECTIS __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org

Bug in decoding/printing the authorityKeyIdentifier extension

Bonjour, Given a certificate with an authorityKeyIdentifier extension containing the issuerName and serial fields, with a negative serial number, displaying this certificate (openssl x509 -text -noout ...) doesn't tell that the serial number is negative, and prints its absolute value. -- Erwann

Re: [openssl-dev] Re: Verify X.509 certificate, openssl verify returns bad signature

that pushes programmers to allocate fixed size fields in databases, and consider a certificate's serial number to always fit the size. This is also bad in practice. -- Erwann ABALEA erwann.aba...@keynectis.com Département RD KEYNECTIS

Re: [openssl-dev] Re: How to locate the X.509 specifications

. [...] Kyle Hamilton wrote: I was asked this morning where to find the X.509 specification, since http://itu.int/ is such a messy website. -- Erwann ABALEA erwann.aba...@keynectis.com Département RD KEYNECTIS 11-13 rue René Jacques - 92131 Issy les Moulineaux Cedex - France Tél.: +33 1 55 64 22 07

Re: [openssl-dev] Re: How to locate the X.509 specifications

.509 specification, since http://itu.int/ is such a messy website. It's sad the 2008 version is only available for a fee. I always thought the free 2005 version (and corresponding X.5xx standards covering other important aspects) was a good thing to help development. -- Erwann ABALEA erwann.aba

Re: [openssl-dev] Stuck in France...

of OpenSSL... *sigh* Sorry for this. These are security measures, as volcano ashes are very abrasive for engines. If you're in Paris, I'd be glad to offer you a beer or two, just contact me off-list. -- Erwann ABALEA erwann.aba...@keynectis.com - It takes 43 muscles to frown and 17 to smile

Re: [openssl-dev] [openssl.org #1951] [patch] verification of X.509 certificates that contain an RSASSA-PSS signature

Hodie VII Id. Mar. MMX, Dr. Stephen Henson scripsit: On Tue, Mar 09, 2010, Erwann ABALEA wrote: I can't verify ecdsa-with-SHA256 certificates, the ones transmitted a few days ago (German passports), with the same error (d2i_ECPKParameters function). The verification of the root

Re: [openssl-dev] [openssl.org #1951] [patch] verification of X.509 certificates that contain an RSASSA-PSS signature

. -- Erwann ABALEA erwann.aba...@keynectis.com __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager

Re: [openssl-dev] Re: Applying the RSASSA-PSS patch

SIb3DQEJFQQeBBwxLjIuMjc2LjAuODAuMS4xMi4wLjIwLjUuMS4wMCsGA1UdEAQk MCKADzIwMDkwNDMwMTM0NzMyWoEPMjAwOTA4MzAxMjMwNTBaMAwGCCqGSM49BAMC BQADSAAwRQIgQYfwgQkqtEPTFWz+/vKQqH7ixuz/dqYbgkhxeisdcvQCIQCN5kAI 7TDnyDJpmli7Ci6cjOIZxNHLFUlV3fGX5JzaJg== -END CERTIFICATE- -- Erwann ABALEA erwann.aba...@keynectis.com

Applying the RSASSA-PSS patch

can provide certificates if necessary (those are passport certificates from different countries) -- Erwann ABALEA erwann.aba...@keynectis.com - All men can fly, but sadly, only in one direction -- down __ OpenSSL Project

Re: [openssl-dev] [PATCH]

coccinelle means, in french). -- Erwann ABALEA erwann.aba...@keynectis.com - OK to continue? Yes No Maybe __ OpenSSL Project http://www.openssl.org Development Mailing List

Re: [openssl-dev] [openssl.org #1854] GeneralizedTime support in openssl ca

should it be refused by OpenSSL? -- Erwann ABALEA erwann.aba...@keynectis.com - I t±ld yo±, Never±touch ±he flop±y disk s±rface! __ OpenSSL Project http://www.openssl.org Development Mailing List

Re: [openssl-dev] [openssl.org #1854] GeneralizedTime support in openssl ca

Hodie IV Non. Mar. MMIX, Oliver Martin scripsit: Am Wed, 4 Mar 2009 11:19:09 +0100 schrieb Erwann ABALEA: RFC5280 is a *profile* of X.509, i.e. a subset; it cannot replace X.509. Non Zulu times, minute accuracy, and fractional seconds are accepted in X.509, why should it be refused

Re: [openssl-dev] Re: Proposed patch to check a CRL when a CA isrenewed

Hi Dave, Hodie Kal. Feb. MMVIII est, Dave Thompson scripsit: From: [EMAIL PROTECTED] On Behalf Of Erwann ABALEA Sent: Thursday, 31 January, 2008 13:08 Hodie pr. Kal. Feb. MMVIII est, Patrick Patterson scripsit: I disagree with this idea, in principle, and what you are suggesting

Re: [openssl-dev] Re: Proposed patch to check a CRL when a CA is renewed

Hi Patrick, Hodie pr. Kal. Feb. MMVIII est, Patrick Patterson scripsit: Hi Erwann; On Thursday 31 January 2008 13:07:32 Erwann ABALEA wrote: Renewal is when you issue a new certificate, but keep the same keys. In this case, the CRL validation in OpenSSL works fine, since the keys

Proposed patch to check a CRL when a CA is renewed

it checks the verification of the CRL against the public key of the certificate that signed the end-user certificate. That's not conformant to the X.509 standard. -- Erwann ABALEA [EMAIL PROTECTED] openssl099-crl-renewedca.diff.gz Description: Binary data

Re: [openssl-dev] Re: Proposed patch to check a CRL when a CA is renewed

Hi Patrick, Hodie pr. Kal. Feb. MMVIII est, Patrick Patterson scripsit: Hi Erwann: On Thursday 31 January 2008 11:23:57 Erwann ABALEA wrote: Hello, OpenSSL doesn't cleanly verify revocation status when a CA is renewed (with a key change). Attached is a proposed patch to handle

Re: [openssl-dev] Regarding extended key usage extension implementation which differs from RFC 2459

field. The corresponding paragraph of the RFC3280 (RFC2459 is obsolete, and superseded by RFC3280) reads: If the extension is present, then the certificate MUST only be used for one of the purposes indicated. RFC3280 is much more clear and unambigous than RFC2459. -- Erwann ABALEA [EMAIL

Re: Mail System Error - Returned Mail

. If necessary, please contact Dominique Manenc [EMAIL PROTECTED]. You'll receive this message only once. Thanks. -- Erwann ABALEA [EMAIL PROTECTED] - It takes months to find a customer, but only seconds to lose one... The good news is that we should run out of them in no time

Re: [openssl-dev] [openssl.org #551] [Fwd: Bug#186487: openssl:'openssl ca' allows serial 00 which breaks the signed certificate]

itself, when it's a self-signed CA. -- Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5 - If you never try anything new, you'll miss out on many of life's great disappointments. Demotivators, 2002 calendar

Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?

this mistake, I never found it in any other product I've seen. Based on that, I really don't think it might be necessary to rewrite the RFC, or the X.509 standard (which would involve *much* more work). -- Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5 - Unspeakable error in module Cthulhu

Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?

children. That's how it's done, and that's how it has to be done. -- Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5 - Le netétiquette n'est qu'une vaste fumisterie,il faut de l'argent pour fonctionner,à force,en France de refuser tout rapport sain avec l'argent,l'on riqsque de

Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?

. The keyIdentifier is not used, the only valid content for the authorityKeyIdentifier is the issuer's name of the issuer certificate, packed with the issuer's certificate serial number. -- Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5 - Et puis, je sais que ça ne se fait pas de reprendre sur

Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?

extension to have a qualified certificate Hope this helps. -- Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5 - CJ Les censeurs agitent plus de vent que les moulins des Pays Bas. Tiens, je savais pas que c'étaient les moulins qui créaient le vent. -+- GR in GNU : Dame qui se

Re: certificate start date difference!

is stored in a certificate is a GMT time. -- Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5 - Stupidity is no excuse for not thinking. __ OpenSSL Project http://www.openssl.org

Re: certificate start date difference!

Sorry for this late delivery. It seems pipes can be filled with old stuff sometimes. ;) On Mon, 8 Jul 2002, Erwann ABALEA wrote: On Mon, 8 Jul 2002, Mehdi Jabal Ameli wrote: [...] -- Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5 - J'aurai aimé savoir si en Norvège il y

Re: Questions about PKI

if you could fill it. Thank you for your time and your interest. I'm looking foreward to reading you. Yours sincerely -- Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5 - Pour moi, que ce soit fr.rec.arts.musique.variete ou fr.rect.arts.chansons, c négatif, parce que je

Re: problem OpenSA SSL

, and that changing the mod_ssl.so into mod_ssl.dll in the configuration file should do the trick. -- Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5 - NT n'a pas pu initialiser le fichier de partage de la partition de démarrage pour le vidage sur incident. Ceci est peut-être dû au fait que

Re: your mail

solution would be to call the administrator. -- Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5 - BC désolé, mais j'ai pas pû m'empecher. On a vu, mais bon, vraiment fallait pas, vous ne manquiez pas encore assez. -+- RM in http://neuneu.mine.nu : En période de manque

Re: Solaris bc

reasonable control structures for programs. See bc(1). dc and bc are linked by some way... -- Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5 - I'm not dyslexic, thank dog! __ OpenSSL Project

Re: Solaris bc

On Tue, 5 Mar 2002, Michael Sierchio wrote: Erwann ABALEA wrote: dc and bc are linked by some way... Yes. Unlink dc and bc won't work. ;-) ;) I read J.P. King's email, and it's more clear now. ot I should try to learn dc, as I'm more comfortable with RPN that traditional algebraic. /ot

Re: Please help me.

, not a bug in the OpenSSL library. -- Erwann ABALEA [EMAIL PROTECTED] RSA PGP Key ID: 0x2D0EABD5 - ``We're operating from a knowledge base that is not very dense.'' Jim Skeen Explaining how to say that we don't know what we are doing

RE: PKCS#11 engine support

] __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- Erwann ABALEA [EMAIL PROTECTED] RSA PGP Key ID: 0x2D0EABD5 - When uncertain

RE: PKCS#11 engine support

2001, Erwann ABALEA wrote: On Thu, 3 May 2001, Reddie, Steven wrote: Zoran, I'd be happy to test your implementation. The PKCS#11 devices that I have at my disposal are: Eracom CSA7001/7002 nCipher nFast SCSI HSM GemPlus PC410 smartcard reader Litronic Netsignia 210

Re: Object names

even think of it... -- Erwann ABALEA System and Development Engineer - Certplus SA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5 - __ OpenSSL Project http://www.openssl.org Development Ma

OpenSSL-0.9.6-beta1 and Linux Redhat 5.1

,risc1,16,long) idea(int) blowfish(idx) compiler: gcc -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -- Erwann ABALEA System and Development Engineer - Certplus SA [EMAIL PROTECTED] - RSA PGP Key ID

Re: OpenSSL

or windows (if there is) thanx, audrey -- Erwann ABALEA System and Development Engineer - Certplus SA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5 - __ OpenSSL Project http://www.openssl.org D

Re: Pseudo Random Number Generator

Does anyone have paid to go through the FIPS-140 evaluation of any part of OpenSSL? ;-) On Thu, 23 Mar 2000, David Ahrens wrote: Does anyone know if the pseudo random number generator in openssl is FIPS-140 compliant? -- Erwann ABALEA System and Development Engineer - Certplus SA [EMAIL

Problem under Win32

found another problem with the command line tool openssl, used in it's "prompt mode"... I'll try to reproduce the behaviour, and I'll post my results. -- Erwann ABALEA System and Development Engineer - Certplus SA [EMAIL PROTECTED] - RSA PGP Key ID:

Re: Adding new cipher suites to TLS with 256+ bit session keys.

with their cracked keys.) But my boss as asked me I (and others too) think that 1024 bits RSA will be broken in less than 10 years... -- Erwann ABALEA System and Development Engineer - Certplus SA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5

RE: [Fwd: OCSP and CSL]

ones used to generate the certificates Basically, you have one certificate to sign the certificates, and one other to sign the CRLs... A different key pair is associated with each certificate. The difference is in the keyUsage extension. -- Erwann ABALEA System and Development Engineer - C

Re: How to build ssleay libraries on WindowsNT

Please read the file INSTALL.W32, everything's described... On Mon, 17 Jan 2000, bhushan wrote: Could you please explain,how to build static ssleay libraries on WindowsNT -- Erwann ABALEA System and Development Engineer - Certplus SA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5

Re: Benchmark

Just run 'openssl speed' and enjoy... You can also give parameters to the 'openssl speed' command. On Fri, 4 Jun 1999, Pierre De Boeck wrote: Where can I find a program that compute benchmark time for the ciphers, digests and public key alg of OpenSSL (I use the 0.9.3a version). -- Erwann

Re: R: OCSP patching

Who wants to write a simple S/MIME tool, able to decrypt, verify, sign, crypt any mail, so I can use it as a PINE filter? ;-) On Tue, 20 Apr 1999, Andrea e Luca Giacobazzi wrote: [NON-Text Body part not included] -- Erwann ABALEA System and Development Engineer - Certplus SA [EMAIL

Re: Re(2): Where to get Country list?

codes are PL and 616 AFAIR) Right... France is 'FR' and '250'... Next! ;-) -- Erwann ABALEA System and Development Engineer - Certplus SA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5 - __ OpenSSL Project

Re: Question about OIDs

On Thu, 11 Feb 1999, Dr Stephen Henson wrote: Erwann ABALEA wrote: I posted this question on the old ssl-users list, but got no answer. I wanted to add OIDs from SET books, and I'm running into problems. Could you send me a sample certificate that exhibits this behaviour

Correction to asn1.h

Hi, I'm new to the list, but I have used SSLeay for 4 or 5 months from now. I submitted a correction to Eric Young, but it seems it has not been reported to OpenSSL 0.9.1c: in asn1.h, line 284, change ocurrence of PRINTABLESTRING_STRING to PRINTABLESTRING -- Erwann ABALEA System

Re: [ssl-users] How to update Trust provider list?

of this object is a certificate of a CA to be trusted. I'm not sure about the MIME type, I write this from memory, but I used this method, and it works well, both with Netscape and IE4. For more info, just read the (poor) documentation contained in SSLeay. -- Erwann ABALEA System and Development