Thanks for your reply.
On 12.11.2015 at 18:45, [email protected] wrote:
> Hi,
> You might want to upgrade to OpenSSL-1.0.2 which seems to support the
> RSA PSS algorithm, see https://openssl.org/news/changelog.html#x5.
> Regards,
> Stefan
...
we are up to the most current version, i.e. OpenSSL 1.0.2d 9 Jul 2015.
Trying the command-line tool

    openssl req -new -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -out rca.pubcert.pem -keyout rca.privkey.pem -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:-2 -passin pass:

... leads to ...

    Loading 'screen' into random state - done
    parameter error "rsa_padding_mode:pss"
    10584:error:0408F090:rsa routines:PKEY_RSA_CTRL:illegal or unsupported padding mode:.\crypto\rsa\rsa_pmeth.c:517:
    10584:error:06089093:digital envelope routines:EVP_PKEY_CTX_ctrl:command not supported:.\crypto\evp\pmeth_lib.c:405:
...
Since we found explicit exclusion of PSS padding for cert signing in
.\crypto\rsa\rsa_pmeth.c:501, we guess PSS signing of certificates is
currently not officially supported.
So we've just asked for the reason why, since we're looking for
certificates which may satisfy security needs for decades.
Regards
--
Christian Weber
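
Added example, not part of the original message and not OpenSSL project code: in the req utility, -pkeyopt values are handed to key generation, while parameters for the signing operation are passed with -sigopt. The sketch below assumes an openssl binary whose req accepts -sigopt; the subject name and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed example: the subject name and function names are placeholders.
# Assumption: the installed openssl "req" utility accepts -sigopt.

# make_pss_cert DIR: create a self-signed certificate signed with RSASSA-PSS.
make_pss_cert() {
    dir=$1
    # -sigopt carries parameters for the signing operation;
    # -pkeyopt would be passed to key generation instead.
    # rsa_pss_saltlen:-1 sets the salt length to the digest length.
    openssl req -new -x509 -nodes -sha256 -days 365 \
        -newkey rsa:2048 \
        -subj "/CN=Example PSS Root" \
        -sigopt rsa_padding_mode:pss \
        -sigopt rsa_pss_saltlen:-1 \
        -keyout "$dir/rca.privkey.pem" \
        -out "$dir/rca.pubcert.pem" 2>/dev/null
}

# cert_sig_alg FILE: print the first "Signature Algorithm" value
# from the text dump of the certificate.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# cert_self_verifies FILE: succeed if the certificate validates against
# itself, with the self-signature explicitly checked (-check_ss_sig).
cert_self_verifies() {
    openssl verify -check_ss_sig -CAfile "$1" "$1" >/dev/null 2>&1
}
```

Checking the signature algorithm in the text dump confirms that the PSS parameters actually reached the signing step rather than being silently ignored.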