CRL default_crl_days

2014-05-06 Thread Gregory Sloop
So, I'm working with an EAP-TLS system running under FreeRADIUS. I've set up things to use a CRL [not OCSP] to revoke certificates and all works well. However, the parameter default_crl_days=XXX puzzles me. Through trial and error [mostly error] I know that if I don't regenerate the CRL every

Re: CRL default_crl_days

2014-05-09 Thread Gregory Sloop
GS So, I'm working with an EAP-TLS system running under FreeRADIUS.
GS I've set up things to use a CRL [not OCSP] to revoke certificates and
GS all works well.
GS However, the parameter default_crl_days=XXX puzzles me.
GS Through trial and error [mostly error] I know that if I don't
GS

Certificate pass phrase brute force...

2014-09-05 Thread Gregory Sloop
General question: I've done a number of searches and can't find a lot about the subject. [I've searched the list archives too...at least as best I could.] In several cases, the most obvious being OpenVPN, I use client certificates generated by openssl, with a pass-phrase [password]. This

Re: Certificate pass phrase brute force...

2014-09-05 Thread Gregory Sloop
There is nothing special about cracking a certificate password versus any other password. There is a lot of literature out there; a web search will easily give you enough information to be depressed. I think your biggest faulty assumption is that your users will pick truly random 10-char

Re: Certificate pass phrase brute force...

2014-09-08 Thread Gregory Sloop
Disclaimer - I haven't double-checked any of those figures. Does that help?
Michael Wojcik, Technology Specialist, Micro Focus
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Gregory Sloop
Sent: Friday, 05 September, 2014 16:32
To: Salz, Rich
Subject

Re: Certificate pass phrase brute force...

2014-09-08 Thread Gregory Sloop
at 4:00 PM, Gregory Sloop gr...@sloop.net wrote: Continuing top posting. [Which doesn't bother me nearly as much as it seems to bother others... ] Yes! That was a fantastic answer. ... [A while later] So, I need to run this down, but it looks like the easy-rsa script uses 3DES to do encryption

Re: Certificate pass phrase brute force...

2014-09-09 Thread Gregory Sloop
Micro Focus
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Gregory Sloop
Sent: Tuesday, 09 September, 2014 01:19
To: openssl-users@openssl.org
Subject: Re: Certificate pass phrase brute force...
I used the asn1parse command [thanks Dave

Re: Certificate pass phrase brute force...

2014-09-15 Thread Gregory Sloop
=1 (AWFUL!!!). If you want decent security at all, much less anything even approaching the strength AES-256 appears to promise, use pkcs8 -topk8 -v2 $cipher (which unobviously works for input that is already pkcs8) or pkey -$cipher. Cheers. -- Gregory Sloop, Principal: Sloop Network

Re: Certificate pass phrase brute force...

2014-09-15 Thread Gregory Sloop
Sloop, Principal: Sloop Network Computer Consulting Voice: 503.251.0452 x82 EMail: gr...@sloop.net http://www.sloop.net

Re: Certificate pass phrase brute force...

2014-09-16 Thread Gregory Sloop
[SNIP] However this looks like the key is encrypted with 3DES, but I exported it from the Cert+Key with -aes256 - so I'm puzzled why I'd have a 3DES-encrypted p12.
DT You thought you did but you didn't.
DT The doc is a bit subtle, but the -$cipher option is listed under PARSING.
DT It

Re: best practice for creating a CA cert?

2014-09-29 Thread Gregory Sloop
JH On 30/09/14 03:30, Michael Sierchio wrote: There are many places where a PKI breaks - hash collisions are far down the list. Most internal CA implementations offer no more effective security or trust than just using self-signed certs - the objective seeming to be to make browsers not

Windows and p12 files

2014-10-23 Thread Gregory Sloop
Ok, so I know this isn't strictly an OpenSSL question, so I apologize - but I'd guess someone here knows the answer, or can direct me to the correct resource. [I've done a lot of searches, but no real luck.] I'm trying to import both a private key and certificate generated with OpenSSL into a

Re: Windows and p12 files [Solved] sorta;

2014-10-29 Thread Gregory Sloop
Ok, so I know this isn't strictly an OpenSSL question, so I apologize - but I'd guess someone here knows the answer, or can direct me to the correct resource. [I've done a lot of searches, but no real luck.] I'm trying to import both a private key and certificate generated with OpenSSL into

Re: Windows and p12 files [Solved] sorta;

2014-10-30 Thread Gregory Sloop
Gregory, * - Windows indeed will not handle a .p12 cert+key with the PKCS5 v2 [i.e. aes-256] encryption on it. It appears to only handle 3DES. [I didn't test every possible PBE - just 3DES and AES256] The Microsoft Windows operating system uses Cryptographic Service Provider (CSP)

Re: [openssl-users] pkcs12 is no encryption possible for certs?

2015-02-13 Thread Gregory Sloop
MS On Fri, Feb 13, 2015 at 11:33 AM, Sean Leonard dev+open...@seantek.com wrote: Using the openssl pkcs12 -export command, is it possible to specify a -certpbe value that does not do encryption? Perhaps you only want integrity protection--you don't care whether the certificates are shrouded.

Re: [openssl-users] Personal CA: are cert serial numbers critical?

2017-08-16 Thread Gregory Sloop