1.0.2j
On Fri, Jun 1, 2018, 3:52 AM Viktor Dukhovni
wrote:
>
>
> > On May 31, 2018, at 6:08 PM, Sandeep Deshpande
> wrote:
> >
> > Hi Rich.. Thanks..
> > We want to add a check in our openssl library on client side to reject
> such server certificate which are generated by the intermediate CA
> On May 31, 2018, at 6:08 PM, Sandeep Deshpande wrote:
>
> We want to add a check in our openssl library on client side to reject such
> server certificate which are generated by the intermediate CA with missing
> extensions like basic constraints..
> How do we go about it?
>
> I looked
I don’t recall the details of 1.0.2, sorry. Maybe someone else on this list
knows the best place to insert your checks.
From: Sandeep Deshpande
Date: Thursday, May 31, 2018 at 6:08 PM
To: Rich Salz, openssl-users
Subject: Re: [openssl-users] Fwd: basic constraints check
Hi Rich.. Thanks..
> On May 31, 2018, at 6:08 PM, Sandeep Deshpande wrote:
>
> Hi Rich.. Thanks..
> We want to add a check in our openssl library on client side to reject such
> server certificate which are generated by the intermediate CA with missing
> extensions like basic constraints..
> How do we go
Hi Rich.. Thanks..
We want to add a check in our openssl library on client side to reject such
server certificate which are generated by the intermediate CA with missing
extensions like basic constraints..
How do we go about it?
I looked at the code. In crypto/x509v3/v3_purp.c I see that check_ca
> On May 31, 2018, at 2:43 PM, Blumenthal, Uri - 0553 - MITLL
> wrote:
>
> FWIW, I'm with Viktor in this argument. From cryptography point of view he's
> right. I suspect he's right from the practical point of view as well.
This is not so much a matter of "right" or "wrong" as arguably
FWIW, I'm with Viktor in this argument. From cryptography point of view he's
right. I suspect he's right from the practical point of view as well.
P.S. Those concerned that a nation-state would attack them, are advised to
change the default config anyway.
--
Regards,
Uri Blumenthal
On
* We generated intermediate02 such that it has "basicConstraints" extension
and "keyUsage" missing. Now we used this intermediate 02 CA to sign server
certificate.
If those extensions, which are *optional,* are not present, then there is no
limit on how the keys may be used, or how long
> On May 31, 2018, at 12:37 PM, Tomas Mraz wrote:
>
> I would not say that weak DH parameters are fully rejected by OpenSSL.
> The 1024 bit DH parameters could be in theory attacked by state
> agencies by precomputation of the discrete logarithm table.
That's speculative. If the idea is to
On 05/31/2018 03:03 PM, openssl-users-requ...@openssl.org distributed:
> Date: Thu, 31 May 2018 18:45:02 +1000
> From: FooCrypt
>
> Place a teaspoon of fine grade white sand onto the skin of a snare drum
Macroscopic hardware TRNGs are a *tad* yesteryear
https://en.wikipedia.org/wiki/Lavarand
Hi ,
We are using openssl 1.0.2j and have 3 level certificates like this.
root CA --> intermediate 01 CA-->intermediate02 CA -->Server certificate.
We generated intermediate02 such that it has "basicConstraints" extension
and "keyUsage" missing. Now we used this intermediate 02 CA to sign
On Wed, 2018-05-30 at 13:12 -0400, Viktor Dukhovni wrote:
> > On May 30, 2018, at 12:54 PM, Michał Trojnara wrote:
> >
> > > I am rather puzzled as to why you chose to eliminate
> > > not just fixed DH, but also the ephemeral finite-field
> > > DH key exchange. What's wrong with the
Oh, It's a good starter point.
Openssl, installed in old server,
is 0.9.7e version.
Openssl, installed in new server, is -0.9.8e version.
In old server I searched .cnf files and I found several files which are
/usr/local/openssl-0.9.7e/xxx/y.cnf
where
xxx= is directory,
= name
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Viktor Dukhovni
> Sent: Thursday, May 31, 2018 03:40
> To: openssl-users@openssl.org
> Subject: Re: [openssl-users] stunnel 5.46 released
>
>
> > On May 31, 2018, at 3:27 AM, Michał Trojnara
> wrote:
> >
> > AFAIR EC
Are you a Dr Who fan ?
Place a teaspoon of fine grade white sand onto the skin of a snare drum
Place an isolating isoscrope above the snare drum that can measure the
fractional movements of the grains of sand based on the ambient noise.
Do something that moves the sand so you can measure the
I've also encountered this quite often, and I have a feeling that on
today's connected devices there may be a lot of entropy "in the air"
(quite literally) which is not being captured. Does any one know of
research in this area?
> Hi Scott
>
> I don’t know your OS or environment, have you
Hello Walter,
I did not find file ca.pem (root certificate) for testing.
Thanks
Mark
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Walter H.
Sent: Wednesday, May 30, 2018 11:17 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Test SSL connection
On
> On May 31, 2018, at 3:27 AM, Michał Trojnara
> wrote:
>
> AFAIR EC cipher suites were introduced in OpenSSL 1.0.0, so those LTS
> systems must be using OpenSSL 0.9.x.
Actually, no. For IP-related reasons, RedHat for a long time
disabled EC support in OpenSSL 1.0.x. I expect some of
On 05/31/2018 06:15 AM, Viktor Dukhovni wrote:
> I expect there are still plenty of LTS RedHat systems that
> ship without EC support, though yes anything reasonably
> up to date, will have EC support.
AFAIR EC cipher suites were introduced in OpenSSL 1.0.0, so those LTS
systems must be using