Re: Cancel of mailing list
I believe you need to refer to this link: https://mta.openssl.org/pipermail/openssl-users/2016-July/003979.html

There are two options for you with which you can remove yourself, Paul.

Good luck,
--
Warron French

On Tue, Jun 9, 2020 at 10:18 AM Paul wrote:
> Can you please remove my email from mailing list?
[openssl-users] Testing ports through firewall
Hello Community, and Merry Christmas/Happy Season's Greetings,

Anyway, I need some help with understanding an openssl feature - *s_server*.

I executed the following command:

    openssl s_server -accept 21937 -www &

And immediately got the following output:

    [1] 3286
    [sysadm@wfrench-rhel6c-cit ~]$ Error opening server certificate private key file server.pem
    140679739017032:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('server.pem','r')
    140679739017032:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
    unable to load server certificate private key file

In order to test ports that are not encrypted with SSL/TLS, do I still have to generate a certificate and private key file (each)?

I would like to test ports from one machine using openssl s_client against a remote machine on an opposing network, running a "listener", using openssl s_server.

Perhaps I am way off? Am I not allowed to use openssl for this sort of thing?

Any guidance would be greatly appreciated because I want to expand my understanding of the openssl suite of commands and its offerings.

Have a nice day,
--
Warron French
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Help with making a SHA >1 certificate
Charles, thanks for clarifying. I was on the correct track, but for some reason couldn't confirm it. (I chalk it up to being tired. That's my story and I'm sticking to it. lol)

--
Warron French

On Tue, Nov 7, 2017 at 9:37 AM, Charles Mills <charl...@mcn.org> wrote:
> The CA's certificate validity is
>
>     Not After : Nov 18 17:39:38 2024 GMT
>
> Charles
>
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of warron.french
> Sent: Monday, November 6, 2017 4:02 PM
> To: openssl-users@openssl.org
> Subject: Re: [openssl-users] Help with making a SHA >1 certificate
>
> Charles, I am no expert either - sorry.
>
> However, the question about why is your signed certificate at least not getting to be over 1 year in "length?" What is the duration of the CA's certificate?
Re: [openssl-users] Help with making a SHA >1 certificate
Charles, I am no expert either - sorry.

However, the question about why is your signed certificate at least not getting to be over 1 year in "length?" What is the duration of the CA's certificate?

--
Warron French

On Mon, Nov 6, 2017 at 5:04 PM, Charles Mills wrote:
> Please forgive my ignorance here. I'm really not a certificate expert. I'm a software developer trying to make certificates to use in a testing situation.
>
> I've got some scripts that I have been using for years. I've just upgraded to 1.10f (but there are no upgrade issues that I know of – that's not the problem).
>
> My last test certificate expired. So I am trying to make another one. All I seem to be able to make are SHA-1 signed certificates, but I'm trying to load them into a FIPS-140 (non-OpenSSL) key repository and it is failing, I think because of the SHA-1. Here is how I am making the certificate. What do I have to do differently to make a SHA-512 (or at least some SHA > 1) certificate?
>
>     C:\OpenSSL-Win32-110f\bin\openssl.exe req -newkey rsa:2048 -sha512 -keyout %1.key.pem -out %1.req.pem -config openssl_edited_win32_default.cfg -extensions usr_cert -reqexts usr_cert -nodes -days 3650
>
>     C:\OpenSSL-Win32-110f\bin\openssl req -text -in %1.req.pem -sha512
>
>     C:\OpenSSL-Win32-110f\bin\openssl.exe ca -in %1.req.pem -config CMC_root_config.cnf -out %1.pem -verbose -cert CMC_root.pem -keyfile CMC_root.key.pem -passin pass:password
>
> Here is what I end up with:
>
>     Signature Algorithm: sha1WithRSAEncryption
>     Issuer: CN=Charles Mills Consulting, LLC, ST=California, C=US/emailAddress=charl...@mcn.org, O=Charles Mills Consulting, LLC
>     Validity
>         Not Before: Nov 6 19:13:09 2017 GMT
>         Not After : Nov 6 19:13:09 2018 GMT
>     Subject: CN=Charles Mills Consulting, LLC, ST=California, C=US/emailAddress=charl...@mcn.org, O=CZAGENT_Nov2017
>     Subject Public Key Info:
>         Public Key Algorithm: rsaEncryption
>             Public-Key: (2048 bit)
>
> While we're at it, why doesn't my -days 3650 seem to have any effect?
>
> Thanks!
>
> Charles
Re: [openssl-users] How do I connect to this server
I know that this is a TLS related question; however, do you know how you can diagnose straight HTTP using:

    telnet server1 portnumber

Then provide HTTP/1.1 etc.?

Is it possible to do the same thing with:

    openssl s_client server1:portnumber

then do the HTTP/1.1 etc., etc.? Is that a possible technique? I am interested in learning too.

--
Warron French

On Fri, Apr 21, 2017 at 6:29 PM, Salz, Rich via openssl-users <openssl-users@openssl.org> wrote:
>> https://username:passw...@server.com
>> How do I specify this username and password when using SSL_connect()?
>
> You don't. That stuff is at the protocol level about TLS/SSL.
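Both questions above (does s_server need a certificate at all, and can s_client be used like telnet to speak HTTP over TLS) can be answered with one loopback round trip. This is an added example, not code from either post or from the OpenSSL project; it assumes a POSIX shell with openssl on PATH, reuses the port number from the s_server post, and every file name in it is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). s_server is a TLS listener and will not
# start without a certificate and key, so we mint a throwaway self-signed pair,
# serve the -www status page, and then speak HTTP inside the TLS session with
# s_client exactly as one would with telnet on a plain port.
# Assumes a POSIX shell with openssl on PATH; the port is an argument.

tls_http_probe() {
    port=${1:-21937}                         # port used in the original post
    dir=$(mktemp -d)

    # 1. Throwaway self-signed certificate, valid one day. The minimal config
    #    lets req run without a system openssl.cnf; -nodes leaves the key
    #    unencrypted so s_server can start unattended.
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.cnf"
    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj /CN=localhost -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1

    # 2. TLS listener; -www makes it answer "GET /" with an HTML status page.
    openssl s_server -accept "$port" -cert "$dir/cert.pem" \
        -key "$dir/key.pem" -www >/dev/null 2>&1 &
    pid=$!

    # 3. Wait (up to ~10 s) until a full handshake succeeds. Passing our own
    #    certificate as -CAfile means verification must pass, not be ignored.
    for _ in 1 2 3 4 5 6 7 8 9 10; do
        openssl s_client -connect "localhost:$port" -CAfile "$dir/cert.pem" \
            </dev/null >/dev/null 2>&1 && break
        sleep 1
    done

    # 4. The telnet-style step. -quiet hides handshake chatter and implies
    #    -ign_eof, so the session stays open after stdin closes and the reply
    #    is not cut off; -verify_return_error aborts on a failed verification.
    resp=$(printf 'GET / HTTP/1.0\r\n\r\n' |
        openssl s_client -quiet -connect "localhost:$port" \
            -CAfile "$dir/cert.pem" -verify_return_error 2>/dev/null) || :

    kill "$pid" 2>/dev/null || :
    rm -rf "$dir"

    # Print the status line; "HTTP/1.0 200 ok" means listener, trust and
    # request all worked end to end.
    printf '%s\n' "$resp" | head -n 1 | tr -d '\r'
}

tls_http_probe "$@"
```

Point s_client at any other TLS host and port and the same printf pipeline replaces the `telnet` step for HTTPS; for a port with no TLS at all, s_server and s_client are the wrong tools because both always negotiate a handshake first.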
[openssl-users] Properly manage CA-signed certificates that have expired
Hello,

I had to build a Certificate Authority (CA) server for an isolated network (I know, it seems silly). Anyway, I figured out how to create the CA service with a self-signed certificate that will expire in 9 years, because it was a 10-year certificate of which 9 years remain available.

I then created separate TLS keys and CSRs and had them signed by the CA server. The 2 certificates for the "servers" (it's actually all the same 1 server with different DNS-A-Record resolvable names) worked perfectly for the past 1 year; but I was kept busy working on other tasks, so this isolated network got neglected. The two (2) certificates for the servers expired last month.

I documented how to build the CA, how to create the CSRs and get them signed; but I didn't know how to write the documentation for maintaining any certificates once they expired.

I want to properly, and gracefully, manage the CA server to do whatever is appropriate. I believe, but do not know for sure, that what I want to do is:

1. Revoke the expired certificates (maybe that is not necessary or appropriate?)
2. Clean up the CA database (with the openssl ca -updatedb command?)
3. Then create new server certificates for the 2 servers again.

I don't want to use the same 1 certificate for 2 services, because I have one for TLS-securing the LDAP service making it an ldapS:// URL, and the other is for TLS-securing the AdminConsole of the same 389-ds implementation.

Please help, I don't know what terminology I am looking for to properly pursue what a professional CA (like Verisign, or wherever) would do.

Thanks,
--
Warron French
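A minimal openssl ca setup, added here as an example that is not from either thread or from the OpenSSL project, serving two of the questions on this page: the SHA-1 and -days 3650 puzzle in the earlier thread (openssl ca takes the digest and lifetime of the certificates it issues from default_md/default_days in its config, or from its own -md/-days options, and not from the req command that produced the CSR), and the revoke / -updatedb database steps listed above. It assumes a POSIX shell with openssl on PATH; all file names, subject names and the demo_ca section name are constructed.

```shell
#!/bin/sh
# Added example (not from either thread): a throwaway CA that shows where an
# issued certificate's digest and validity really come from, then what the CA
# database (index.txt) looks like after -revoke, -updatedb and -gencrl.
# Assumes POSIX sh with openssl on PATH; all names below are constructed.

demo_ca() (
    dir=$(mktemp -d); cd "$dir"
    mkdir newcerts; : > index.txt; echo 1000 > serial; echo 01 > crlnumber
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha512
default_days = 3650
default_crl_days = 30
policy = any_policy
[ any_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
    # Root: 'req -x509' is the one place -days and -sha512 on req take effect.
    openssl req -x509 -newkey rsa:2048 -nodes -sha512 -days 3650 -config ca.cnf \
        -subj /CN=DemoRootCA -keyout ca.key -out ca.pem 2>/dev/null
    # Leaf CSR: -sha512 here only signs the request; -days is ignored for CSRs.
    openssl req -new -newkey rsa:2048 -nodes -sha512 -days 3650 -config ca.cnf \
        -subj /CN=leaf.example -keyout leaf.key -out leaf.csr 2>/dev/null
    # Issue: digest and lifetime come from default_md/default_days in ca.cnf,
    # or from -md/-days passed through "$@" (e.g. -md sha1 -days 365 reproduces
    # the result in the earlier thread), never from the CSR.
    openssl ca -batch -config ca.cnf -in leaf.csr -out leaf.pem "$@" 2>/dev/null
    openssl x509 -in leaf.pem -noout -text | grep -m1 'Signature Algorithm'
    # Lifecycle: revoke the leaf, refresh expiry flags, publish a CRL.
    openssl ca -batch -config ca.cnf -revoke leaf.pem 2>/dev/null
    openssl ca -batch -config ca.cnf -updatedb 2>/dev/null
    openssl ca -batch -config ca.cnf -gencrl -out ca.crl 2>/dev/null
    # index.txt status column: V=valid, R=revoked, E=expired (set by -updatedb).
    cut -f1 index.txt
)

demo_ca
```

Run it as `demo_ca -md sha256 -days 365` to see the -md/-days override take precedence over the config; the first output line is the issued certificate's signature algorithm and the last line is the index.txt status flag.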