uses.
Number of rounds is important for AES security as it is for any other
algorithm (think about attacks on reduced-rounds AES/SHA/whatever).
--
Erwann ABALEA
Le 13/03/2013 15:31, Ewen Chan a écrit :
So the algorithms include the number of rounds? I thought that it
would only describe the math
GPGPU isn't natively supported. You can write your own engine if you
want, but I think memory transfers will dominate the cost.
AES-NI is natively supported (I get about 550MB/s on my i5 M540 @2.53
GHz for 8k blocks).
--
Erwann ABALEA
Le 13/03/2013 16:49, Ewen Chan a écrit :
Would
to code using
the OpenSSL library.
On Wed, Mar 13, 2013 at 12:12 PM, Erwann Abalea
erwann.aba...@keynectis.com wrote:
GPGPU isn't natively supported. You can write your own engine if you want,
but I think memory transfers will dominate the cost.
AES-NI is natively supported (I get about 550MB/s
on the runtime platform to speed it up).
--
Erwann ABALEA
Le 13/03/2013 18:07, Ewen Chan a écrit :
Yea, I've tried reading the man pages, but it doesn't list all of the
options available on there (which would tend to indicate that it is a
little behind compared to the development and released versions
to encrypt actual files? Have you encountered a CPU
bottleneck, a bug, or anything?
On Wed, Mar 13, 2013 at 1:31 PM, Erwann Abalea
erwann.aba...@keynectis.com wrote:
If what you want is simply encrypt and decrypt files using command-line
openssl executable, then you don't need to play with engine
Le 13/03/2013 20:06, Ewen Chan a écrit :
I'm asking about the '-engine aesni' flag because when I google
openssl aes-ni - that's what comes up.
I've never used it before, but I'm about to as I've recently aquired a
system that supports AES-NI.
I'm also asking because I'm about to encrypt a
You should have received an HTTP 400 error, with an HTML page. The
service behind it may not be RFC3161 compliant, it may even not be
advertised as RFC3161 compliant.
Your solution works, but it doesn't answer the problem.
--
Erwann ABALEA
-
québésectophile: séparatiste québécois
Le 12/03
It's probably the IV.
--
Erwann ABALEA
Le 08/03/2013 16:55, Tayade, Nilesh a écrit :
On performing the AES128 decryption, I see the decrypted data is preceded by a
block of 16bytes.
E.g. Below, 0x48 to 0x5a is the extra 16bytes block. And the actual 'GET'
request starts from 0x47 onwards
man asn1parse
man ASN1_generate_nconf
That should give you some bootstrap information.
--
Erwann ABALEA
-
tridécatabulophobie: peur d'être treize à table
Le 28/02/2013 11:16, Walter H. a écrit :
Hello,
I have the following:
---
name = ASN1:SEQUENCE:section
[ section ]
value.1
the request. You still can set a CN in your
request, its content will be copied into the SAN.
--
Erwann ABALEA
Le 14/02/2013 07:18, Matthew Hall a écrit :
I am sure at least some would sign it because RFC 5280 PKIX standard was
written by the CAs themselves and they are the ones deprecating CN
oid_section = new_oids must be in the top level, not in [ca], [myca],
or whatever. Just move that declaration to the top.
ICAO has only defined document types 'P' and 'ID', hasn't it?
--
Erwann ABALEA
Le 13/02/2013 16:46, Eisenacher, Patrick a écrit :
I'm troubled by what seems to be a weird
Because this server is configured to send a self-signed certificate
(VeriSign Class 3 PCA). This is useless, and openssl warns you.
--
Erwann ABALEA
Le 11/02/2013 08:47, Prasanth Madhavan a écrit :
Hello Sir,
Why does |wget https://www.asb.co.nz| give |Self-signed certificate
encountered
of several AVAs, AVAs are generally separated by
'+' character (instead of ','). For example, C=DE, O=Siemens,
GN=John+SN=Simner, which is equal to C=DE, O=Siemens, SN=Simner+GN=John.
This string representation is only informative.
--
Erwann ABALEA
Le 08/02/2013 16:42, Simner, John a écrit
The 0x00 byte in the BITSTRING is the number of unused bits in the last
octet of the encoded bit string.
See X.690 as a BER/DER reference. Document is free to download from ITU
website.
--
Erwann ABALEA
Le 24/01/2013 19:17, kap...@mizera.cz a écrit :
I have used header from my certificate
Camellia is freely available on several licenses (BSD, GPL, MPL).
IDEA's patent has expired (2011 un Europe, 2012 in Japan+USA).
RC4 is an RSA trademark, no patent has been asked on the algorithm itself.
RC5 is still patented, by RSA.
--
Erwann ABALEA
-
aquadiemoctus: aujourd'hui (oui, je
Inline.
--
Erwann ABALEA
Le 07/12/2012 11:26, Ralph Holz a écrit :
Hi,
Yes, that clarifies the issue for me.
One thing I am wondering about now (as a user) would be how to get
openssl to disregard any local trusted cert list - i.e. how do I get it
to act on the provided CAFile only
Bonjour,
See apps/apps.c, function setup_verify. It receives 2 arguments CAfile
and CApath.
Each one is processed independently, and if either one is NULL, its
corresponding default is used.
--
Erwann ABALEA
Le 06/12/2012 10:38, Ralph Holz a écrit :
Good day,
I was using openssl verify
to other parts (ts, s_client, s_server, ...).
Documented, of course.
But only for the app.
--
Erwann ABALEA
Le 06/12/2012 20:39, Chris Palmer a écrit :
On Thu, Dec 6, 2012 at 2:16 AM, Ralph Holz
ralph-openssl-...@ralphholz.de wrote:
-CAfile fileA file of trusted certificates.
The lookup
OpenSSL 1.0.1 works fine here, both with expired and revoked
certificates (i.e. correctly reports the status).
Could you share your elements (certs, CRLs)?
--
Erwann ABALEA
-
chlorophytophonie: musique pour les plantes vertes
Le 05/12/2012 15:11, Will Nordmeyer a écrit :
Hi, I've done
Can you post here the certificate chain? Not the private key, only the
certificates, from the root down to the end-entity.
--
Erwann ABALEA
-
Ca se fait pas du tout d'avoir donné toutes les adresses email des
votants C bon pour les spammers ça !
[suit la liste intégrale des votants mal
Thanks.
The first certificate is your root CA, the second one is a version 1
certificate that can't be used as a CA (it would be insecure to allow it).
If your end-user certificate is issued by this second certificate, then
the error message is normal.
--
Erwann ABALEA
-
anatomie
Answers inline.
--
Erwann ABALEA
-
Un forum peut répondre à plusieurs besoins à la fois
Ici, le groupe des débutants dépasse en nombre le groupe des utilisateur
middle-class ce qui provoque inévitablement des tensions.
-+- EF - Guide du Neuneu d'Usenet - La lutte des middle classes -+-
Le
Your RSA public key is not pure DER encoded, it's DER+base64 encoded.
d2i_* functions take pure DER objects (binary on the wire).
--
Erwann ABALEA
-
multicoprothalassotope: station balnéaire de la Méditerranée
Le 16/11/2012 15:37, PraveenPVS a écrit :
Hi,
I need to load RSA Public key
In addition to Mr Henson answer, your CA certificate doesn't have any
keyUsage extension, depending on the toolkit it may not be considered a
valid CA.
Your countryName AVA is wrong, too. It must be only 2 characters long,
NL in your case.
--
Erwann ABALEA
-
yuppiexpédidétritus: cadavres
Answers inline.
--
Erwann ABALEA
-
paléocapridé: genre de vieille bique, cf paléotalpidé (vieille taupe) ou
paléogadidé (vieille morue)
Le 13/11/2012 19:34, Sanford Staab a écrit :
I have been struggling with openssl for a few months now writing batch
scripts on windows trying to make
Le 07/11/2012 16:08, Jakob Bohm a écrit :
On 11/7/2012 3:39 PM, Charles Mills wrote:
A struct tm is only granular down to whole seconds, right?
Yes, and it is not the easiest data type for data math either, even
when restricted to GMT/UT1/UTC.
Plus many OS/compiler supplied struct tm related
Where's the failure here?
hostname_matched is set to HOSTNAME_VALIDATION_ERR at initialization,
and in case of a NULL hostname or certificate it is returned by the
function, unmodified.
--
Erwann ABALEA
Le 27/10/2012 21:00, Jeffrey Walton a écrit :
On Sat, Oct 27, 2012 at 11:00 AM, Alban D
revoked certificates, and thus how useless it is
to revoke a certificate, because applications don't check for
revocation, or do it with a soft-fail behavior. That's something public
CAs want to be changed, and the lack of revocation check in your
examples won't help.
--
Erwann ABALEA
Le 27/10
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
as company_root_oid.2.5.29.32.1.
--
Erwann ABALEA
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager
Bonjour,
Le 28/09/2012 16:29, Valentin Bud a écrit :
On Fri, Sep 28, 2012 at 02:53:35PM +0200, Erwann Abalea wrote:
Strange, my previous answer was sent empty, and every try results in
an empty mail stored in my postponed folder...
Anyway.
Use decimal numbers for an OID.
Yours
Bonsoir,
Your public key parameter field is set to NULL. It must either be an OID
to name the curve, or explicit parameters.
--
Erwann ABALEA
Le 26/09/2012 14:17, Naveen Gopala Reddy a écrit :
Hi,
I am using openssl version 1.0.1c to parse the attached
certificate(test.pem) using
Le 25/09/2012 18:45, Jakob Bohm a écrit :
On 9/25/2012 6:12 PM, Erwann Abalea wrote:
Le 25/09/2012 14:16, Jakob Bohm a écrit :
On 9/25/2012 11:11 AM, Erwann Abalea wrote:
[...]
Any signature algorithm works by dividing the universe of N bit strings
into those that are validsignatures
, not sha1withRSA1024 or sha256withRSA4096.
A SHA256 certificate (or however you call it) can still produce
sha1withRSA signatures. The other way is also possible, of course.
--
Erwann ABALEA
__
OpenSSL Project
Bonjour,
Le 25/09/2012 14:16, Jakob Bohm a écrit :
On 9/25/2012 11:11 AM, Erwann Abalea wrote:
Le 24/09/2012 21:03, Jakob Bohm a écrit :
Does that work with any other serious X.509 validation toolkit?
It should.
And in fact, OpenSSL works correctly, at least versions 1.0.1 (Ubuntu
:8f:46:08:11:d8:f7:65:eb:26:8f:e6:fe:
[...]
d2:61
|
publicExponent: 65537 (0x10001)
privateExponent:
|73:e4:bd:f4:e1:24:f6:ca:23:7c:90:99:d9:ad:9c:
[...]
11|
Using bc you can quickly get p, q, dp and dq. qinv is harder to get, but
it's possible.
--
Erwann ABALEA
-grade system, you'll have to write
your own using the API.
--
Erwann ABALEA
Bonjour,
Answers inline.
--
Erwann ABALEA
Le 14/08/2012 19:03, adrien pisarz a écrit :
Hi,
I have several questions about the ocsp functionnality. I read many
articles before asking those questions and unfortunetaly I still don't
have the answers. Maybe you can help me.
Fist of all, here
work on IETF about DANE certificates and
clarifications on RFC5280 about self-signed EE certificates. The
presented certificate is certainly such a DANE one.
--
Erwann ABALEA
-
pastacircopyge: quelqu'un qui a vraiment beaucoup de chance
Le 06/08/2012 13:04, Johannes Bauer a écrit :
Hi list
Bonjour,
Which part of the examples did you mimic?
32 bytes is the length of a SHA256, it's also the max message length of
a 256bits ECDSA key. Whence, I assume you're doing straight
ECDSA_do_sign() without hashing and padding the message.
--
Erwann ABALEA
-
paléogallicisme: style
Use the EVP_* interface for high-level functions.
Use ECDSA_do_sign() or other low-level functions if you're absolutely
sure about what you're doing.
--
Erwann ABALEA
Le 06/08/2012 14:31, Mohammad khodaei a écrit :
Yes, it's correct.
Now I try to feed the ECDSA_do_sign with the output
to ECDSA. It uses GOST R 34.11-94 to
hash data (just as {EC}DSA uses SHA{1,2*}).
--
Erwann ABALEA
Le 28/07/2012 21:31, Jeffrey Walton a écrit :
On Fri, Jul 27, 2012 at 9:00 AM, Abyss Lingvo xidex...@yahoo.com wrote:
Hi all!
The last problem is how to create GOST key pair for certificate
=not is not the issuer of /CN=foo/CN=bar (at
least not in what you described, /CN=foo/CN=bar may have another
certificate).
--
Erwann ABALEA
-
Pas de panique, ça sera pire.
__
OpenSSL Project http
Bonjour,
Le 02/07/2012 16:05, Mathias Tausig a écrit :
Which padding method does openssl use, when I sign a certificate with
the 'ca' command (using an RSA key)?
RSA PKCS#1v1.5
Is there a way to change it?
I don't think so.
--
Erwann ABALEA
Le 02/07/2012 19:38, Dr. Stephen Henson a écrit :
On Mon, Jul 02, 2012, Erwann Abalea wrote:
Le 02/07/2012 16:05, Mathias Tausig a écrit :
Is there a way to change it?
I don't think so.
In openssl 1.0.1 and later you can use the -sigopt to change the signature
format used. It currently
with a public exponent of any size.
Or a 3073bits RSA key with a public exponent limited to 64bits.
Other than for performance, I don't see any reason to limit the size of
the public exponent.
--
Erwann ABALEA
Le 21/06/2012 16:41, Sukalp Bhople a écrit :
Hello guys,
I was looking into the (RSA
compiled
library, there will still be no problem.
You can get into a situation where a public RSA operation takes more
time than a private one, if e is sufficiently large. But that's all.
On Thu, Jun 21, 2012 at 5:14 PM, Erwann Abalea
erwann.aba...@keynectis.com mailto:erwann.aba
Why should it be different?
--
Erwann ABALEA
-
gérontopropulsion prurigineuse: abus d'excès caractérisé par trop d'exagération
(se fait quand on pousse mémé dans les orties)
Le 13/06/2012 13:30, ankur dwivedi a écrit :
Hi,
I am observing that after doing a renegotiation, the new cipher
identifier.
Regards
Manas Lenka
--
Erwann ABALEA
-
If it walks like a duck, and quacks like a duck,
then it just may be a duck.
- Reuther
Le 22/05/2012 10:57, Eisenacher, Patrick a écrit :
-Original Message-
From: Erwann Abalea
Bonjour,
Le 21/05/2012 14:10, Serge Emantayev a écrit :
Hello openSSL gurus,
I faced an issue of pathlen constraint checking by openSSL
when verifying the client certificate. I did few studies
.
--
Erwann ABALEA
-
Ce ne sont que des propositions. Je ne veux pas les faire passer en
force. Je pense que si mes idées doivent être reprises, elles ne
doivent pas passer au vote, pour plusieurs raison :
-+- BC in : http://neuneu.ctw.cc - Neuneu sans vote et sans forcer
is negociated as the ciphersuite. The FW drops the
connection, resulting in this errno=104 error. Try to limit the set of
ciphersuites in your client.
--
Erwann ABALEA
-
Lu sur alt.france :
Peut-on installer Win 95 par dessus win 95 tout en gardant les
differents données des logiciels
Le 10/05/2012 13:41, Andreas Bießmann a écrit :
On Thu, May 10, 2012 at 12:38:00PM +0200, Erwann Abalea wrote:
Le 10/05/2012 11:39, Andreas Bießmann a écrit :
My questions:
* can anyone confirm this behaviour (it seems other hosts are working with
openssl 1.0
?
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
mailto:openssl-users@openssl.org
Automated List Manager majord...@openssl.org
mailto:majord...@openssl.org
--
Erwann ABALEA
-
Ca fait déjà plusieurs semaines que jessaie de
octets either in the content.
The content MUST be serialized with the lowest possible number of
octets. The difference between BER and DER for integers encoding is on
the length encoding (02 81 01 01 is valid BER, not valid DER; 02 01
00 01 is neither valid BER nor DER).
--
Erwann ABALEA
zeros
appear. When openssl encode those number leading zeros are missing.
This is what i claim as a bug.
On Tue, Apr 3, 2012 at 11:58 AM, Erwann Abalea via RTr...@openssl.org wrote:
Le 03/04/2012 09:38, Tamir Khason via RT a écrit :
Please see decrypted private key
http://pastebin.com/DzYLnHZT
the openSSL
implementation support?
--
Erwann ABALEA
-
Depuis ce matin, j'ai une IP en 213.@@@.@@@ et des plumes.
C'est devenu apparement une IP statique.
Mon contrat me donne droit à une IP dynamique..
-+- TW inhttp://neuneu.mine.nu : Neuneu se fixe
connaitre g^ab?
quel algorithme est le plus approprié en terme d'efficacité et de
consommation des ressources?
en attente de toute suggestion, acceptez nos salutations.
--
Erwann ABALEA
-
caïssaphique: se dit d'une lesbienne qui joue aux échecs. (Caïssa est la déesse
des échecs
.
--
Erwann ABALEA
-
yétiscopique: relatif à certaines vapeurs des sommets himalayens
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
\
-nameopt multiline,show_type \
-keyout private/THORSTROM.key \
-out csrs/THORSTROM.csr \
-subj /O=ESBJÖRN.com/OU=Esbjörn-Thörstrom Group/CN=Áki Thörstrom
--
Erwann ABALEA
-
vésicosufflochromateur: supérieur à 0,5 gramme
Thörstrom
on an UTF8 capable terminal, with a string_mask = utf8only in the
right openssl.cnf file, gives me a certificate request correctly encoded
in UTF8 with the wanted characters in the DN.
--
Erwann ABALEA
-
minilactopotage: intense satisfaction
Le 16/12/2011 16:29, Jakob Bohm a écrit :
On 12/16/2011 3:22 PM, Erwann Abalea wrote:
Le 16/12/2011 15:07, Jakob Bohm a écrit :
I think we may have a bug here, anyone from the core team
wish to comment on this.
The apparent bug:
When enforcing the match policy for a DN part, openssl reports
Le 16/12/2011 18:27, Jakob Bohm a écrit :
On 12/16/2011 6:14 PM, Erwann Abalea wrote:
Le 16/12/2011 17:57, Mick a écrit :
On Friday 16 Dec 2011 16:23:52 you wrote:
man req
Then look for the -utf8 argument.
I took your example below, added -utf8 argument, and it worked.
You can display
,-esc_msb ..., extracting the RDNs, comparing with what
is set in the CA certificate (the -nameopt ... argument will convert
everything into UTF8, easing the comparison), whence performing your own
validation.
--
Erwann ABALEA
-
Désolé.
Ta gueule.
-+- LC in : Guide du Neuneu Usenet
Le 16/12/2011 19:07, Jakob Bohm a écrit :
On 12/16/2011 6:47 PM, Erwann Abalea wrote:
Le 16/12/2011 16:29, Jakob Bohm a écrit :
On 12/16/2011 3:22 PM, Erwann Abalea wrote:
NameConstraints is a set of constraints imposed on the semantic
value of the name elements, not on their encoding (string
Do you have an UTF8 capable terminal?
Can you send the certificate you're testing?
Le 15/12/2011 09:17, gkout a écrit :
No joy...
openssl x509 -text -noout -in blablabla.pem -nameopt -esc_msb
outputs : ESPA%D1A
--
Erwann ABALEA
-
ypéritorhinotachytrope: colérique, qui s'énerve rapidement
@openssl.org
*Sent: *Tuesday, December 13, 2011 5:35:27 PM
*Subject: *Special character in CA name
Hello again,
This time I have an issue with a special character in the CA name
which is
converted by openssl.
ESPA\xC3\x91A which should read [UTF-8?]ESPAц▒A with an [UTF-8?]ц▒.
--
Erwann ABALEA
commands.
Thanks,
Sandeep
--
Erwann ABALEA
-
pyropyge: qui a le feu aux fesses
that RFC5280? Have I
missed a specific option that does just that?
--
Erwann ABALEA
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Le 17/10/2011 14:34, Eisenacher, Patrick a écrit :
Hi Erwann,
-Original Message-
From: Erwann Abalea
Bonjour,
While testing Apache-trunk (which will become apache 2.3.15),
including
the patch to use OpenSSL CRL validation, I've come to
disagree with what
OpenSSL does.
My scheme
Le 17/10/2011 16:09, Jakob Bohm a écrit :
On 10/17/2011 3:47 PM, Erwann Abalea wrote:
Le 17/10/2011 14:34, Eisenacher, Patrick a écrit :
Hi Erwann,
-Original Message-
From: Erwann Abalea
Bonjour,
While testing Apache-trunk (which will become apache 2.3.15),
including
the patch
I forgot to tell that I did these tests with version 1.0.0e.
Le 17/10/2011 14:14, Erwann Abalea a écrit :
Bonjour,
While testing Apache-trunk (which will become apache 2.3.15),
including the patch to use OpenSSL CRL validation, I've come to
disagree with what OpenSSL does.
My scheme
(of type OtherRevocationInfoFormat, as it also must be
tagged ([1]) and be identified by the correct OID (1.3.6.1.5.5.7.16.2).
--
Erwann ABALEA
-
Le neuneu est un con qui débute. C'est une espèce rare mais qui fait
beaucoup de bruit.
-+- JCD in : Guide du Neuneu d'Usenet -- Bien configurer son
for pretty much anything regarding PKI (X.509 and others), crypto, SSL,
... RFC5280 is a profile of X.509, i.e. X.509 with constraints.
--
Erwann ABALEA
-
apaléostéoplasique: qui ne fait pas de vieux os
Le 22/09/2011 16:10, Dr. Stephen Henson a écrit :
On Thu, Sep 22, 2011, Erwann Abalea wrote:
[...]
In your examples, you set version to 3.
Based on your parsed example, it seems you correctly set the tag
([1]) for the crls element, but you didn't use the good encoding
for the other field
would need it and use openssl s_client -connect ...
-showcerts to update its database, instead of providing a link to
this certificate somewhere?
--
Erwann ABALEA erwann.aba...@keynectis.com
Département RD
KEYNECTIS
__
OpenSSL
dataEncipherment should be set in the SSL server certificate and
clear in the SSL client certificate, as is apparently already the case
here, so that part is OK.
Even if you don't set the dataEncipherment bit in the keyUsage
extension, it works. TLS libraries are tolerant :)
--
Erwann ABALEA erwann.aba
, and 128bits ciphers.
--
Erwann ABALEA erwann.aba...@keynectis.com
Département RD
KEYNECTIS
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
private
key.
--
Erwann ABALEA erwann.aba...@keynectis.com
Département RD
KEYNECTIS
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
directory, after that? Normally, it should try
to validate the position 1 certificate with its certificate store.
--
Erwann ABALEA erwann.aba...@keynectis.com
Département RD
KEYNECTIS
11-13 rue René Jacques - 92131 Issy les Moulineaux Cedex - France
Tél.: +33 1 55 64 22 07
http://www.keynectis.com
.#Q.mGjO
0060 - 9d bb 12 e3 e0 44 c7 4d-23 4c c0 49 a6 40 fe 38 .D.M#L.I.@.8
0070 - e7 ab 48 f6 a3 f3 a5 a6-1a 11 bb 1b 94 d9 e0 bc ..H.
You then can manually verify the padding, hash algo, hash value, etc.
--
Erwann ABALEA erwann.aba...@keynectis.com
Département RD
sure of your public key?
--
Erwann ABALEA erwann.aba...@keynectis.com
Département RD
KEYNECTIS
11-13 rue René Jacques - 92131 Issy les Moulineaux Cedex - France
Tél.: +33 1 55 64 22 07
http://www.keynectis.com
__
OpenSSL Project
SEQUENCE {
30 09 SEQUENCE {
06 05 2b 0e 03 01 1a OID (sha1)
05 00 NULL
}
04 14 ... 2c df OCTET STRING (the hash value)
}
Download and read PKCS#1, and you'll have a better understanding.
--
Erwann ABALEA
revocation,
but they have no means of preventing it)
--
Erwann ABALEA erwann.aba...@keynectis.com
Département RD
KEYNECTIS
11-13 rue René Jacques - 92131 Issy les Moulineaux Cedex - France
Tél.: +33 1 55 64 22 07
http://www.keynectis.com
-
All wiyht. Rho sritched mg kegtops awound
, using OpenSSL API.
--
Erwann ABALEA erwann.aba...@keynectis.com
Département RD
KEYNECTIS
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users
, as it has been asked quite some
times.
--
Erwann ABALEA erwann.aba...@keynectis.com
Département RD
KEYNECTIS
-
Architect: Someone who knows the difference between that which could
be done and that which should be done.
Larry McVoy
Bonjour,
Hodie VIII Kal. Iun. MMXI, Dr. Stephen Henson scripsit:
On Wed, May 25, 2011, Erwann ABALEA wrote:
Hodie VIII Kal. Iun. MMXI, shoutee scripsit:
I want to run a TLS Server with support of cipher suite
'ECDH-ECDSA-AES128-SHA256' (RFC 5289). Unfortunately I can't find
Hodie XIV Kal. Iun. MMXI, Dave Thompson scripsit:
From: owner-openssl-us...@openssl.org On Behalf Of Erwann ABALEA
Sent: Thursday, 19 May, 2011 04:20
Hodie XV Kal. Iun. MMXI, Alex Bergmann scripsit:
snip: renew CA
The only way I found was to give the new Root Certificate the same
Hodie XV Kal. Iun. MMXI, Alex Bergmann scripsit:
On 05/18/2011 11:17 AM, Erwann ABALEA wrote:
Bonjour,
Hodie XV Kal. Iun. MMXI, Jean-Ann GUEGAN scripsit:
Hi !
It’s possible to renew a Certificate Autority or extend the date
validity
?
These 2 options are possible
and end-users (server+user)).
--
Erwann ABALEA erwann.aba...@keynectis.com
Département RD
KEYNECTIS
-
Your mouse has moved. Please reboot to continue.
__
OpenSSL Project http://www.openssl.org
Bonjour Tim,
Hodie XIV Kal. Iun. MMXI, Tim Watts scripsit:
On 19/05/11 13:03, Erwann ABALEA wrote:
[...]
SHA1 is still tolerated, but being slowly obsolete. You can still use
it if your serial numbers have some randomness, which is not the case
here. Either use one member of the SHA2 family
Bonjour Tim,
Hodie XIV Kal. Iun. MMXI, Tim Watts scripsit:
On 19/05/11 14:48, Erwann ABALEA wrote:
Hodie XIV Kal. Iun. MMXI, Tim Watts scripsit:
Thanks for that. I'm not sure how to do random serials (I let
openssl manage those) but it interesting to know it makes a
difference.
This how
.
--
Erwann ABALEA erwann.aba...@keynectis.com
Département RD
KEYNECTIS
-
If you never try anything new, you'll miss out on many of life's great
disappointments.
Demotivators, 2002 calendar
RFC5280 compliance, you MUST
produce one CRL for each root CA certificate (and adapt the
crlDistributionPoints).
--
Erwann ABALEA erwann.aba...@keynectis.com
Département RD
KEYNECTIS
__
OpenSSL Project
don't know how this evolved).
You could also pre-generate several CRLs, with a 1 month validity
period, and disclose a new one regularly.
--
Erwann ABALEA erwann.aba...@keynectis.com
Département RD
KEYNECTIS
11-13 rue René Jacques - 92131 Issy les Moulineaux Cedex - France
Tél.: +33 1 55 64 22 07
Hodie pr. Id. Ian. MMXI, Mark H. Wood scripsit:
On Tue, Jan 11, 2011 at 07:23:54PM +0100, Erwann ABALEA wrote:
In order to be referenced by browser vendors (Opera comes to mind, and
I think Mozilla will require this), the serial number MUST be random
(or at least *appear* random from
(best practices, to avoid attacks with non
collision-resistant hash functions).
In order to be referenced by browser vendors (Opera comes to mind, and
I think Mozilla will require this), the serial number MUST be random
(or at least *appear* random from the outside).
--
Erwann ABALEA erwann.aba
of
this message.
From the CA, it's dangerous to reply with an OK status when this
certificate can't be found (an unknown status would be better). But in
the end, everything has expired, so that's not really a problem.
--
Erwann ABALEA erwann.aba...@keynectis.com
are in proportion with the product /
service provided...
I think you should have looked a bit more into it, before complaining
:)
Sorry if I offended anyone,
No offense, really. (We provide EV certificates, among other things,
and everything described above is really done)
--
Erwann ABALEA
to be
integrated in supported browsers as an EV-compliant one, and for this,
you need to be audited, have correct validation procedures, have a
correct facility, etc.
--
Erwann ABALEA erwann.aba...@keynectis.com
Département RD
KEYNECTIS
11-13 rue René Jacques - 92131 Issy les Moulineaux Cedex
101 - 200 of 332 matches
Mail list logo