Hi,
I tried this some 2yrs ago what seemed to work (at least wins showed the
strings in cert correctly)
in
[ req ]
...
distinguished_name = req_distinguished_name
attributes = req_attributes
string_mask = utf8only
utf8 = yes
...
...
[ req_distinguished_name ]
...
openssl enc encrypts one file at a time, and can read the first line
of a file to get the passphrase (in order to derive key and iv).
If you want to provide your own key and iv, you have to do it as command
line arguments.
Key management is out of scope.
--
Erwann ABALEA
Le 15/03/2013 06:33,
On a PC under Linux, you can do a cat /proc/cpuinfo and look for aes
in the flags.
On a PC under any OS, get the CPUID, and look for bit 25 of ECX.
That's not OpenSSL-related.
The use of OPENSSL_ia32cap environment variable allows you to alter the
CPUID result (only inside OpenSSL), and alter
a...okay. Gotcha.
Thanks!
On Fri, Mar 15, 2013 at 5:23 AM, Erwann Abalea
erwann.aba...@keynectis.com wrote:
On a PC under Linux, you can do a cat /proc/cpuinfo and look for aes in
the flags.
On a PC under any OS, get the CPUID, and look for bit 25 of ECX.
That's not OpenSSL-related.
Sorry, my bad. Wrong terminology.
(The AES wiki says that it uses a key.) But I was really thinking
about multiple passphrases.
Sorry for the mix up.
So let's say I have three files:
file1
file2
file3
And then I have a passphrase file that contains the following:
Alice
Bob
Charlie
and I want
Hi
I am trying to generate a csr in a c program by having the signing part
done by pkcs11 calls, and while I get no errors, the resulting csr fails
upon validation:
$ openssl req -verify -in wltx.csr
verify failure
2948:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too
Le 15/03/2013 13:54, Ewen Chan a écrit :
Sorry, my bad. Wrong terminology.
(The AES wiki says that it uses a key.) But I was really thinking
about multiple passphrases.
And from this passphrase, a key and IV can be generated. It's more easy
to remember a passphrase than a bunch of hex
For AES-256-CBC, if I have a passphrase stored in a file; are there
limits in terms of how big either the key or the passphrase can be in
terms of characters?
__
OpenSSL Project
On Fri, Mar 15, 2013, Tim Tassonis wrote:
Hi
I am trying to generate a csr in a c program by having the signing
part done by pkcs11 calls, and while I get no errors, the resulting
csr fails upon validation:
Analysing that CSR the actual signature isn't in the correct form: it just
So if I want to do that, the very basic way for me to do it would be
to write all of the commands (line-by-line; which processes each file
separately) into a shell script file and then run that?
But if I were to use some kind of programming or more advanced
scripting language/syntaxes; I would be
Hi Steve
Thanks a lot for your reply.
Just another quick question. Do you know by chance an openssl function
that would convert the raw sha1 into a digestinfo structure?
Kind regards
Tim
On 03/15/2013 02:36 PM, Dr. Stephen Henson wrote:
On Fri, Mar 15, 2013, Tim Tassonis wrote:
Hi
I
Bonjour,
Le 15/03/2013 14:07, Tim Tassonis a écrit :
Hi
I am trying to generate a csr in a c program by having the signing
part done by pkcs11 calls, and while I get no errors, the resulting
csr fails upon validation:
$ openssl req -verify -in wltx.csr
verify failure
On Fri, 15 Mar 2013, Dr. Stephen Henson wrote:
Analysing that CSR the actual signature isn't in the correct form: it just
contains the raw SHA1 digest instead of the required DigestInfo structure.
You can check that using rsautl in a manner similar to that for certificates
mentioned in the
Hi List,
I would like to setup an OpenSSL-based offline Root CA.
Certificates issued by this Root CA contain a CDP.
I would like to issue CRLs every 3 days, which would mean that I would
have to take the offline Root CA online each 3 days.
Is there a way to let the Root CA issue a CRL
X.509 allows for a self-signed certificate dedicated to CRL signing
(with the same name, of course). But that's not acceptable for RFC5280.
You can generate a self-issued certificate dedicated to CRL signing
(same name, different key, signed by your root). That's acceptable for
RFC5280, but
On Fri, Mar 15, 2013 at 09:44:13AM +0100, Zbyn?k Krej??k wrote:
I tried this some 2yrs ago what seemed to work (at least wins showed the
strings in cert correctly)
in
[ req ]
...
distinguished_name= req_distinguished_name
attributes= req_attributes
string_mask =
Hi Erwann,
Am 15.03.2013 16:16, schrieb Erwann Abalea:
You can generate a self-issued certificate dedicated to CRL signing
(same name, different key, signed by your root). That's acceptable
for RFC5280, but you'll have to check with your clients. And find a
way to distribute this certificate.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi!
The new server currently hosting the www, git, rt, ftp, and cvs
services is going to be moved within the installation of our hoster.
As a consequence, the system will be assigned a new IP address.
Old: 178.16.220.54
New: 185.9.166.106
The
Le 15/03/2013 17:01, Sven Dreyer a écrit :
Hi Erwann,
Am 15.03.2013 16:16, schrieb Erwann Abalea:
You can generate a self-issued certificate dedicated to CRL signing
(same name, different key, signed by your root). That's acceptable
for RFC5280, but you'll have to check with your clients. And
Hi Erwann,
Am 15.03.2013 17:36, schrieb Erwann Abalea:
Yes. That's one possible solution (possible from a PKI point of view).
Another solution would be to play with indirect CRLs. That involves
Thank you very much for your explanations, I will try these scenarios.
Thanks, Sven
On 13.03.2013 01:19, kap...@mizera.cz wrote:
Dne 12.3.2013 20:36, Walter H. napsal(a):
Hello,
I found the following:
http://tsa.postsignum.cz:444
do you have account by this TSA ?
No.
if there is a need to have an account; then this page is not conforming
to any RFC - HTTP 400 is not an
for those who don't read openssl-dev
Original Message
Subject:[openssl.org #3016] openssl ts fix
Date: Wed, 13 Mar 2013 16:13:31 +0100
From: Peter Sylvester via RT r...@openssl.org
Reply-To: openssl-...@openssl.org
CC: openssl-...@openssl.org
Hi,
I
I don't know the interfaces to OpenSSL, but AES-192 specifies the number
of rounds. The approved AES algorithms specify a subset of Rijndahl
cipher whereby you can specify alternative numbers of rounds, key
sizes, and block sizes.
Sincerely,
Steven J. Hathaway
There's a file that I want to
From: owner-openssl-us...@openssl.org On Behalf Of azhar jodatti
Sent: Wednesday, 13 March, 2013 13:44
I was trying to implement the diffie Hellman algorithm in Java
which makes use of JCF and as well as in c with openssl...
I assume you mean JCE, or maybe JCA. JCF is completely unrelated.
I
From: owner-openssl-us...@openssl.org On Behalf Of Evan Brown
Sent: Wednesday, 13 March, 2013 11:02
openssl genrsa -aes256 -out private.pem 2048
Am I correct in my understanding that OpenSSL adds a salt
to the passphrase that I specify when this command runs?
How is the salt computed and where
From: owner-openssl-us...@openssl.org On Behalf Of Dirk-Willem van Gulik
Sent: Wednesday, 06 March, 2013 06:01
-dev added as a possible minor bug/enhancement, see end
A simple
echo foo | openssl smime -encrypt/sign | openssl smime
-decrypt/verify
works dandy. But was surprized
So is the number of rounds set by Rijndahl or the AES spec? I'm confused.
And is the number of rounds hard-coded into the OpenSSL source; or is
it embedded somewhere else?
On Fri, Mar 15, 2013 at 7:27 PM, shath...@e-z.net wrote:
I don't know the interfaces to OpenSSL, but AES-192 specifies the
If I specify a salt, does the salt have to be ASCII or can they be Unicode?
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated
Do these number make sense or seem reasonable?
(I'm running a Core i7 3930K that's been OC'd to 4.5 GHz up from the
stock 3.2 GHz, running cygwin 1.7.17 on Windows 7 x64 Professional,
with 64 GB of DDR3-1600)
~$ OPENSSL_ia32cap=~0x202 openssl speed -elapsed -evp aes-256-cbc
You have
On Sat, Mar 16, 2013 at 12:06:07AM -0400, Ewen Chan wrote:
That's MUCH faster than I expect it to be (even with AES-NI) and the
888 MB/s is faster than any available storage host-bus interface we've
got right now; so I want to make sure that I am not losing my marbles
here in trying to make
Okay then, here's another one of my infamous dumb questions.
If that's the case, then why do we need the AES-NI instruction set?
If it's likely going to be storage and/or network bandwidth limited;
wouldn't the improvements made by introducing and incorporating the
AES-NI instruction set be kind
On Sat, Mar 16, 2013 at 01:16:23AM -0400, Ewen Chan wrote:
Okay then, here's another one of my infamous dumb questions.
If that's the case, then why do we need the AES-NI instruction set?
It's far from the first accelerated instruction set of dubious utility. ;)
Marketing... etc.
Actually,
32 matches
Mail list logo