On 25.03.2014, at 17:44, Zack Williams wrote:
1. Is there a reason you're not using SHA-256 hash by default - it
appears that SHA1 is being recommended against currently:
http://www.digicert.com/sha-2-ssl-certificates.htm
No reason. Just for maximum compatibility. Every software can do SHA1.
On Thu, Mar 27, 2014 at 5:47 AM, Stefan H. Holek ste...@epy.co.at wrote:
On 25.03.2014, at 17:44, Zack Williams wrote:
...
3. Is there a reason to not set a pathLen in the basicConstraints
section of the Root CAs (to 1, to allow a maximum of one layer of
CAs below the Root), but to do so
Hi there,
I'm working on an application that shares SSL_SESSION pointers between
SSL_CTXs in multiple threads. The logic for sharing the session is
roughly as follows:
lock(mtx);
sp = get_cached_session_pointer();
if (!SSL_set_session(ctx, sp)) {
SSL_set_session(ctx, NULL);
}
unlock(mtx);
r =
On 27/03/2014 11:14, Jeffrey Walton wrote:
On Thu, Mar 27, 2014 at 5:47 AM, Stefan H. Holek ste...@epy.co.at wrote:
On 25.03.2014, at 17:44, Zack Williams wrote:
...
3. Is there a reason to not set a pathLen in the basicConstraints
section of the Root CAs (to 1, to allow a maximum of one
Hello,
On Thu, March 27, 2014 10:47, Stefan H. Holek wrote:
3. Is there a reason to not set a pathLen in the basicConstraints
section of the Root CAs (to 1, to allow a maximum of one layer of
CAs below the Root), but to do so on the Intermediate CAs?
Pathlen is not used on root CA certs.
hi Jeff,
Thanks for the response, but I'm still having trouble.
As for TLSv1.2:
With the OS version of openssl, my default connection looks to be TLSv1.1
However, if I add -tls1_2 to the call, I get this:
SSL-Session:
Protocol : TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384
Should
On Thu, Mar 27, 2014, Thomas Montroy wrote:
hi Jeff,
Thanks for the response, but I'm still having trouble.
As for TLSv1.2:
With the OS version of openssl, my default connection looks to be TLSv1.1
However, if I add -tls1_2 to the call, I get this:
SSL-Session:
Protocol :
Nice catch. Thanks for looking into it.
Cheers,
-Tom
On Thu, Mar 27, 2014 at 9:22 AM, Dr. Stephen Henson st...@openssl.org wrote:
On Thu, Mar 27, 2014, Thomas Montroy wrote:
hi Jeff,
Thanks for the response, but I'm still having trouble.
As for TLSv1.2:
With the OS version of
On Thu, Mar 27, 2014, Dr. Stephen Henson wrote:
On Thu, Mar 27, 2014, Thomas Montroy wrote:
hi Jeff,
Thanks for the response, but I'm still having trouble.
As for TLSv1.2:
With the OS version of openssl, my default connection looks to be TLSv1.1
However, if I add -tls1_2
On Wed, Mar 26, 2014 at 05:25:49PM -0400, Devon H. O'Dell wrote:
Hi there,
I'm working on an application that shares SSL_SESSION pointers between
SSL_CTXs in multiple threads. The logic for sharing the session is
roughly as follows:
lock(mtx);
sp = get_cached_session_pointer();
Don't
Hi Thomas.
I was told a while ago that Google's servers will only negotiate
ECDHE-ECDSA if the client i) sends the SNI extension and ii) does _not_
offer any compression methods.
IINM, s_client always offers zlib compression if zlib support is
compiled in. It'd be nice if there was a
I would like to use default implementations for some ECC operations but the
OpenSC pkcs11 engine for other ECDSA operations.
At a high level I have a Sign() and a Verify() in one app on a server - the
Sign() needs to be done via a HSM using PKCS11 interface, using EVP
functions. Keys for these
On Thu, Mar 27, 2014, axisofevil wrote:
I would like to use default implementations for some ECC operations but the
OpenSC pkcs11 engine for other ECDSA operations.
At a high level I have a Sign() and a Verify() in one app on a server - the
Sign() needs to be done via a HSM using PKCS11
On 27.03.2014, at 13:32, Walter H. wrote:
Does this mean you use certificates with a complete chain of at least 4
certificates?
- root ca cert. no pathlen
- intermediate ca cert. also no pathlen
- signing ca cert. with pathlen
- end cert
Yes, the expert example does that.
what is here
On Thu, Mar 27, 2014 at 2:47 AM, Stefan H. Holek ste...@epy.co.at wrote:
No reason. Just for maximum compatibility. Every software can do SHA1. But
this comes up a lot and I might switch to sha256 the next time around.
It appears that even what most legacy web browsers and servers
support