CApath in the config file

2013-04-29 Thread Arthur Carcano
Good evening everyone, Please excuse me if it has already been asked but is there a way to make openssl s_client use my directory with every certificate (as with -CApath) once and for all? Claws-mail is relying on it and doesn't manage to automatically assess "good" certificates whereas /etc/ssl/

Re: OpenSSL PKI Tutorial updated

2013-04-29 Thread Kevin Fowler
In the Simple PKI example, step 5.4 "View PKCS#7 bundle", the "-in" option points to "ca" directory, but the bundle was created in step 4.3 "Create PKCS#7 bundle" in the "certs" directory. I.e.: Step 4.3: openssl crl2pkcs7 -nocrl \ -certfile ca/signing-ca.crt \ -certfile ca/root-ca.crt \

RE: Why Openssl "s_server" is allowing Session Reuse on the same tcp connection

2013-04-29 Thread Eisenacher, Patrick
> -Original Message- > From: sajualways > > But what "Use Case" does this have, where client tells the server to resume > the ssl session on the same tcp connection. The use case is changing the keys for securing long-standing connections. Of course this is in the server's responsibility

Re: Is it possible to configure only TLSv1.2 ciphers for FIPS?

2013-04-29 Thread Jakob Bohm
Please refer to for the current version numbers. Note that 2.3.x was a beta series for the current 2.4.x releases. On 4/29/2013 2:22 PM, Cipher wrote: Hi Jakob, I am using Openssl 1.0.1e compiled against FIPS 2.0.2. Thanks a lot! That was some great information. we w

Re: Is it possible to configure only TLSv1.2 ciphers for FIPS?

2013-04-29 Thread Cipher
Hi Jakob, I am using Openssl 1.0.1e compiled against FIPS 2.0.2. Thanks a lot! That was some great information. we will upgrade to 2.3.x since we need OCSP support as well. Any idea which is the stable version in 2.3.x? Hi Viktor, >/And then protocols here. Which do you want, the protocol or the

AES wrap APIs in FIPS mode

2013-04-29 Thread Rahul Godbole
Hi OpenSSL Users, I am using OpenSSL 1.0.1c with OpenSSL FIPS module 2.0.2. I need an API similar to AES_wrap_key() and AES_unwrap_key() in crypto/aes/aes_wrap.c that will work in FIPS mode. The functions in aes_wrap.c use low level AES functions (and not EVP) that are not supported in FIPS mode.

Re: [openssl-users] openssl req -x509 Serial Number

2013-04-29 Thread Erwann Abalea
On 28/04/2013 20:26, redpath wrote: When an x509 is created using the openssl command it creates a default serial number if one not supplied How is this serial number created (algorithm) in general. A 64bits random number. openssl req -x509 etcetera The default serial number is quite lon