SM3WithSM2 Certificate

2021-05-16 Thread John Jiang
with SM3. Why doesn't openssl x509 tool display this name? Does OpenSSL support this signature scheme? Best regards, John Jiang

Re: OCSP response signature algorithm

2020-07-09 Thread John Jiang
/man1.1.1/man1/ocsp.html Though this option is supported by 1.1.1 series. On Mon, Jul 6, 2020 at 6:15 AM John Jiang wrote: > I just want to know how does OpenSSL implement RFC 6960 section 4.4.7.2 > Responder Signature Algorithm Selection. > > Could I take a OpenSSL responder to use

Re: OCSP response signature algorithm

2020-07-05 Thread John Jiang
, Jul 4, 2020 at 12:18 AM John Jiang wrote: > Hi, > I'm using OpenSSL 1.1.1. > > Can I configure the OCSP response signature algorithm? > For a RSA issuer, it looks SHA256withRSA always be selected. > > PreferredSignatureAlgorithms extension in OCSP request may affect this >

OCSP response signature algorithm

2020-07-03 Thread John Jiang
Hi, I'm using OpenSSL 1.1.1. Can I configure the OCSP response signature algorithm? For a RSA issuer, it looks SHA256withRSA always be selected. PreferredSignatureAlgorithms extension in OCSP request may affect this algorithm in OpenSSL OCSP response. However, I prefer to use configuration.

Specify multiple certs for s_server and s_client

2020-06-07 Thread John Jiang
Hi, Can I specify multiple certificates for tools s_server and s_client? I need to check the certificate selection with certificate_authorities. And it looks s_server has no option for certificate_authorities, however s_client has -requestCAfile for that extension. Best regards, John

Re: Support FFDHE?

2020-02-27 Thread John Jiang
On Thu, Feb 27, 2020 at 9:27 PM Salz, Rich wrote: > >- Run the command: openssl s_client -tls1_3 -groups ffdhe2048 host:port > > > > TLS 1.3 doesn’t have those groups. > Per section Supported Groups in RFC 8446 [1], FFDHE groups could be supported. enum { /* Elliptic Curve Groups

Re: Support FFDHE?

2020-02-27 Thread John Jiang
I would have highlighted that OpenSSL 1.1.1d was being used in my testing. On Thu, Feb 27, 2020 at 5:13 PM John Jiang wrote: > Hi, > It sounds FFDHE groups are already supported [1] > But the tools, like s_client, also support them. > Run the command: openssl s_client -tls1_3 -grou

Support FFDHE?

2020-02-27 Thread John Jiang
Hi, It sounds FFDHE groups are already supported [1] But the tools, like s_client, also support them. Run the command: openssl s_client -tls1_3 -groups ffdhe2048 host:port it just raised the issue: Error with command: "-groups ffdhe2048" If using P-256 or X25519, it worked fine. I also tried

Re: Are DHE_DSS cipher suites not supported?

2019-10-25 Thread John Jiang
On Fri, Oct 25, 2019 at 8:50 PM Matt Caswell wrote: > > > On 25/10/2019 09:39, Viktor Dukhovni wrote: > > On Fri, Oct 25, 2019 at 03:33:43PM +0800, John Jiang wrote: > > > >> I'm using OpenSSL 1.1.1d. > >> Just want to confirm if DHE_DSS cipher suites

Are DHE_DSS cipher suites not supported?

2019-10-25 Thread John Jiang
Hi, I'm using OpenSSL 1.1.1d. Just want to confirm if DHE_DSS cipher suites are not supported by this version. Please consider the below simple case, 1. s_server uses a DSA certificate 2. force s_client to use TLS 1.2 and TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (DHE-DSS-AES256-GCM-SHA384) the

Re: Enabled weak cipher suites

2019-06-26 Thread John Jiang
RC4 and MD5 are both considered broken. > Don't worry, just for some testing. Thanks! > > Pauli > -- > Dr Paul Dale | Cryptographer | Network Security & Encryption > Phone +61 7 3031 7217 > Oracle Australia > > > > On 26 Jun 2019, at 11:41 am, John Jiang wrote: >

Enabled weak cipher suites

2019-06-26 Thread John Jiang
Hi, I'm using s_server and s_client from OpenSSL 1.1.1. It looks the weak cipher suites, like SSL_RSA_WITH_RC4_128_MD5, are disabled. Is there any way to re-enable these cipher suites? Thanks!

Re: Is X25519/X448 supported for TLSv1.2?

2019-06-13 Thread John Jiang
On Thu, Jun 13, 2019 at 12:28 PM Viktor Dukhovni wrote: > On Thu, Jun 13, 2019 at 10:49:14AM +0800, John Jiang wrote: > > > I got the point: the server certificate is ECDSA with curve secp256r1. > > It works with RSA certificate and curves > > secp256r1/secp384r1/secp52

Re: Is X25519/X448 supported for TLSv1.2?

2019-06-12 Thread John Jiang
I got the point: the server certificate is ECDSA with curve secp256r1. It works with RSA certificate and curves secp256r1/secp384r1/secp521r1/x25519/x448. On Thu, Jun 13, 2019 at 3:00 AM Viktor Dukhovni wrote: > On Wed, Jun 12, 2019 at 05:31:30PM +0800, John Jiang wrote: > > > >

Re: Is X25519/X448 supported for TLSv1.2?

2019-06-12 Thread John Jiang
On Wed, Jun 12, 2019 at 4:34 PM Viktor Dukhovni wrote: > On Wed, Jun 12, 2019 at 03:45:12PM +0800, John Jiang wrote: > > > Using OpenSSL 1.1.1. > > Just want to confirm that if OpenSSL supports curves X25519 and X448 for > > TLSv1.2. > > Yes, it does. > >

Is X25519/X448 supported for TLSv1.2?

2019-06-12 Thread John Jiang
Hi, Using OpenSSL 1.1.1. Just want to confirm that if OpenSSL supports curves X25519 and X448 for TLSv1.2. Tried below commands, openssl s_server -trace -state -cert server.cer -key server.key -accept port openssl s_client -trace -state -CAfile ca.cer -tls1_2 -groups X25519 -connect

Session ID or Session ticket?

2019-05-27 Thread John Jiang
Hi, I'm using OpenSSL 1.1.1 I just use the below s_client command to test resumption. openssl s_client -CAfile CA.cer -tls1_2 -sess_in openssl.sess -connect localhost:9443 Is there any option to take this tool to use only session id or session ticket for resumption? Thanks!

Re: s_server/s_client on checking middlebox compatibility

2019-02-26 Thread John Jiang
I had tried TLS Fuzzer, and it worked for me. I just wished that OpenSSL can do the similar things. Thanks! On Tue, Feb 26, 2019 at 9:56 PM Hubert Kario wrote: > On Tuesday, 26 February 2019 07:22:52 CET John Jiang wrote: > > Is it possible to check if peer implements middlebox comp

s_server/s_client on checking middlebox compatibility

2019-02-25 Thread John Jiang
Is it possible to check if peer implements middlebox compatibility by s_server/s_client? It looks the test tools don't care this point. For example, if a server doesn't send change_cipher_spec after HelloRetryRequest, s_client still feels fine. That's not bad. But can I setup these tools to check

Re: [openssl-users] Two sessions in a single full handshake

2018-09-29 Thread John Jiang
org> wrote: > s_client has -sess_out and -sess_in options that can be used > to save session information to a file and read it in for a subsequent > connection. Neither is used by default. > > -Ben > > On Sun, Sep 30, 2018 at 11:06:14AM +0800, John Jiang wrote: > >

Re: [openssl-users] Two sessions in a single full handshake

2018-09-29 Thread John Jiang
Does s_client resume any session in the local session file? On Sun, Sep 30, 2018 at 3:19 AM Salz, Rich via openssl-users < openssl-users@openssl.org> wrote: > >- The debug logs display two "SSL-Session" blocks in a full handshake. > > Only one "SSL-Session" block is displayed in a

[openssl-users] Two sessions in a single full handshake

2018-09-29 Thread John Jiang
Using OpenSSL 1.1.1. The debug logs display two "SSL-Session" blocks in a full handshake. Only one "SSL-Session" block is displayed in a resumption. Why does full handshake has two sessions? -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Why was early data rejected?

2018-09-12 Thread John Jiang
Matt > > > On 12/09/18 12:25, John Jiang wrote: > > Very strange. I re-tried the same case, but the resumption failed. > > The attached logs contain the full outputs in the both connections on > > server and client sides. > > > > On Wed, Sep 12, 2018 at 7:09 PM Ma

Re: [openssl-users] Why was early data rejected?

2018-09-12 Thread John Jiang
> log including *both* connections, i.e. the original connection attempt > to create the session, followed by the subsequent resume. > > Thanks > > Matt > > > On 12/09/18 11:50, John Jiang wrote: > > Could you please take a look at the attached s_client.log? > >

Re: [openssl-users] Why was early data rejected?

2018-09-12 Thread John Jiang
Could you please take a look at the attached s_client.log? It was outputted by s_client with options -trace and -state in the second connection. On Wed, Sep 12, 2018 at 4:48 PM Matt Caswell wrote: > > > On 12/09/18 09:34, John Jiang wrote: > > > > It looks the session was resumed,

Re: [openssl-users] Why was early data rejected?

2018-09-12 Thread John Jiang
On Wed, Sep 12, 2018 at 4:16 PM Matt Caswell wrote: > > > On 12/09/18 08:07, John Jiang wrote: > > I just build OpenSSL 1.1.1 on MacOSX. > > Tried 0-RTT, and the commands like the followings, > > openssl s_server -cert server.cer -key server.key -tls1_3 -early_data > > -accept

[openssl-users] Why was early data rejected?

2018-09-12 Thread John Jiang
I just build OpenSSL 1.1.1 on MacOSX. Tried 0-RTT, and the commands like the followings, openssl s_server -cert server.cer -key server.key -tls1_3 -early_data -accept 9443 ... openssl s_client -CAfile ca.cer -tls1_3 -sess_in openssl.sess -early_data data -connect localhost:9443 s_client reported

Re: [openssl-users] Call for testing TLS 1.3

2018-06-21 Thread John Jiang
2018-06-20 17:01 GMT+08:00 Matt Caswell : > > > On 20/06/18 07:11, John Jiang wrote: > > 2018-06-19 6:21 GMT+08:00 Matt Caswell > <mailto:m...@openssl.org>>: > > > > > > > > On 18/06/18 21:23, Hubert Kario wrote: > >

Re: [openssl-users] Call for testing TLS 1.3

2018-06-20 Thread John Jiang
2018-06-19 6:21 GMT+08:00 Matt Caswell : > > > On 18/06/18 21:23, Hubert Kario wrote: > > On Friday, 8 June 2018 10:26:07 CEST Matt Caswell wrote: > >> On 08/06/18 02:48, John Jiang wrote: > >>> Is it possible to check Key/IV update feature via these too

Re: [openssl-users] rsa_pss_pss_*/rsa_pss_rsae_* and TLS_RSA_*/TLS_ECDHE_RSA_*

2018-06-19 Thread John Jiang
2018-06-19 23:11 GMT+08:00 Jakob Bohm : > On 19/06/2018 15:40, John Jiang wrote: > >> Using OpenSSL 1.1.1-pre7 >> >> Please consider the following cases and handshaking results: >> 1. rsa_pss_pss_256 certificate + TLS_RSA_WITH_AES_256_GCM_SHA384 cipher

[openssl-users] rsa_pss_pss_*/rsa_pss_rsae_* and TLS_RSA_*/TLS_ECDHE_RSA_*

2018-06-19 Thread John Jiang
Using OpenSSL 1.1.1-pre7 Please consider the following cases and handshaking results: 1. rsa_pss_pss_256 certificate + TLS_RSA_WITH_AES_256_GCM_SHA384 cipher suite Handshaking failed with no suitable cipher 2. rsa_pss_pss_256 certificate + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite

Re: [openssl-users] Call for testing TLS 1.3

2018-06-07 Thread John Jiang
Is it possible to check Key/IV update feature via these tools? Thanks! 2018-05-23 20:33 GMT+08:00 Matt Caswell : > > > On 23/05/18 12:39, John Jiang wrote: > > Hi, > > If just using s_server and s_client, can I test the TLS 1.3 features, > > like HelloRetryRequ

Re: [openssl-users] Call for testing TLS 1.3

2018-05-24 Thread John Jiang
Hi Matt, Thanks for your reply! 2018-05-23 20:33 GMT+08:00 Matt Caswell : > > To test resumption first create a full handshake TLSv1.3 connection and > save the session: > > $ openssl s_server -cert cert.pem -key key.pem > $ openssl s_client -sess_out session.pem > > Close the

Re: [openssl-users] Call for testing TLS 1.3

2018-05-23 Thread John Jiang
Hi, If just using s_server and s_client, can I test the TLS 1.3 features, like HelloRetryRequest and resumption? 2018-04-29 18:43 GMT+08:00 Kurt Roeckx : > The upcoming OpenSSL 1.1.1 release will have TLS 1.3 support. TLS > 1.3 brings a lot of changes that might cause

Re: [openssl-users] OpenSSL version 1.1.1 pre release 6 published

2018-05-01 Thread John Jiang
Anyway, I can download it via https://www.openssl.org/source/openssl-1.1.1-pre6.tar.gz John 2018-05-02 10:48 GMT+08:00 John Jiang <john.sha.ji...@gmail.com>: > Hi, > I don't see the link for openssl-1.1.1-pre6.tar.gz on page > https://www.openssl.org/source/ > > Thanks, >

Re: [openssl-users] OpenSSL version 1.1.1 pre release 6 published

2018-05-01 Thread John Jiang
Hi, I don't see the link for openssl-1.1.1-pre6.tar.gz on page https://www.openssl.org/source/ Thanks, John 2018-05-01 21:06 GMT+08:00 OpenSSL : > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > >OpenSSL version 1.1.1 pre release 6 (beta) >

Re: [openssl-users] How to get SNI info from s_client debug logs?

2017-11-26 Thread John Jiang
ng is put into the debug output. Do you really need it > there? > > I'm pretty certain that s_server outputs it in debug output. > > -Kyle H > > On Nov 26, 2017 18:59, "John Jiang" <john.sha.ji...@gmail.com> wrote: > >> Hi, >> The following is

[openssl-users] How to get SNI info from s_client debug logs?

2017-11-26 Thread John Jiang
Hi, The following is my OpenSSL version info, OpenSSL 1.1.0f 25 May 2017 I supposed the below command can give me some SNI info, but nothing was found. openssl s_client -debug -tlsextdebug -msg -connect -servername < /dev/null | grep "server name" But I found SNI extension with Wireshark while