Re: [openssl-users] DH_generate_key Hangs

2017-09-27 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of > Jason Qian via openssl-users > Sent: Wednesday, September 27, 2017 07:00 > To: openssl-users@openssl.org > Subject: [openssl-users] DH_generate_key Hangs > Need some help,  one of our application that hangs when

Re: [openssl-users] Storing private key on tokens

2017-09-27 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of > Dmitry Belyavsky > Sent: Wednesday, September 27, 2017 06:22 > To: openssl-users@openssl.org > Subject: [openssl-users] Storing private key on tokens > What is the most natural way to generate private keys using

Re: [openssl-users] Hardware client certificates moving to Centos 7

2017-09-27 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > Of Jochen Bern > Sent: Wednesday, September 27, 2017 06:51 > To: openssl-users@openssl.org > Subject: Re: [openssl-users] Hardware client certificates moving to Centos 7 > > I don't know offhand which OpenSSL versions

Re: [openssl-users] Hardware client certificates moving to Centos 7

2017-09-27 Thread Jochen Bern
On 09/27/2017 10:10 PM, Michael Wojcik wrote: > On Behalf Of Jochen Bern > Sent: Wednesday, September 27, 2017 06:51 >> I don't know offhand which OpenSSL versions did away with MD5, but you >> *can* install an 0.9.8e (+ RHEL/CentOS backported security patches) >> straight off CentOS 7 repos > >

Re: [openssl-users] Storing private key on tokens

2017-09-27 Thread Dirk-Willem van Gulik
> On 27 Sep 2017, at 20:02, Michael Wojcik > wrote: > >> What is the most natural way to generate private keys using openssl but >> store them on a specific hardware tokens? >> Reading/writing is implemented via engine mechanism. > > The tokens / HSMs I've

Re: [openssl-users] Hardware client certificates moving to Centos 7

2017-09-27 Thread Jeffrey Walton
>> I don't know offhand which OpenSSL versions did away with MD5, but you >> *can* install an 0.9.8e (+ RHEL/CentOS backported security patches) >> straight off CentOS 7 repos: > > Ugh. No need for 0.9.8e (which is from, what, the early Industrial > Revolution?). MD5 is still available in OpenSSL

Re: [openssl-users] Hardware client certificates moving to Centos 7

2017-09-27 Thread Freemon Johnson
Not sure if this helps but the native installation for CentOS7 by default installs OpenSSL with FIPS mode compiled in which means deprecated algorithms such as MD5 and the like will not work. If you tried to generate a certificate you should have received an error or not have seen that algorithm

Re: [openssl-users] Hardware client certificates moving to Centos 7

2017-09-27 Thread Freemon Johnson
FIPS mode is a policy decision in my opinion also but since RedHat prides itself in security e.g. SELinux, etc. I believe that is a RedHat decision as opposed to the OpenSSL community. The alternative would be to use a different Linux distro like Ubuntu, etc. which does not compile their OpenSSL

[openssl-users] PKCS7 and RSA_verify

2017-09-27 Thread ch
Hello! I am working on a tool for verifying SMIME-messages. Because cms and smime is only able to verify base64 pkcs7-signatures I try to do it "manually" and I now have a problem with the signing-timestamp. Let's do an example: openssl smime -sign -md sha1  -in plain.txt  -inkey mykey

Re: [openssl-users] Storing private key on tokens

2017-09-27 Thread Ken Goldman
On 9/27/2017 2:19 PM, Dirk-Willem van Gulik wrote: On 27 Sep 2017, at 20:02, Michael Wojcik The tokens / HSMs I've used don't let you generate a key somewhere else and install it on the token. They insist on doing the key generation locally. That is, after all, part of the point of using a

Re: [openssl-users] Hardware client certificates moving to Centos 7

2017-09-27 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > Of Jeffrey Walton > Sent: Wednesday, September 27, 2017 13:15 > To: OpenSSL Users > Subject: Re: [openssl-users] Hardware client certificates moving to Centos 7 > > > > > Heck, MD4 and MDC2 are still available in 1.0.2 -

Re: [openssl-users] PKCS7 and RSA_verify

2017-09-27 Thread ch
Hello! Thanks for the support. On 2017-09-28 01:06, Dr. Stephen Henson wrote: On Thu, Sep 28, 2017, ch wrote: Hello! I am working on a tool for verifying SMIME-messages. Because cms and smime is only able to verify base64 pkcs7-signatures I try to do it "manually" and I now have a problem

Re: [openssl-users] PKCS7 and RSA_verify

2017-09-27 Thread Dr. Stephen Henson
On Thu, Sep 28, 2017, ch wrote: > Hello! > > I am working on a tool for verifying SMIME-messages. > Because cms and smime is only able to verify base64 pkcs7-signatures > I try to do it "manually" and I now have a problem with the > signing-timestamp. > I'm not sure what you mean by "only able

Re: [openssl-users] How to load the right engine?

2017-09-27 Thread Dmitry Belyavsky
Hello, I usually use strace for this purpose. On Wed, Sep 27, 2017 at 12:53 AM, Blumenthal, Uri - 0553 - MITLL < u...@ll.mit.edu> wrote: > I’m debugging programmatic access to a (modified) pkcs11 engine. My system > has several OpenSSL installations: Apple-provided OpenSSL-0.9.8 (kept as > that

Re: [openssl-users] Hardware client certificates moving to Centos 7

2017-09-27 Thread Stuart Marsden
Hi I think I know what you are going to say - MD5? I ran openssl s_server -verify , then ran the x509 command as you suggested using the captured client certificate This phone model has only just gone into production, and I am using a "preview version" of the hardware Is there a way I can

[openssl-users] Storing private key on tokens

2017-09-27 Thread Dmitry Belyavsky
Hello, What is the most natural way to generate private keys using openssl but store them on a specific hardware tokens? Reading/writing is implemented via engine mechanism. I suppose that it should be added support of -outform ENGINE to the genpkey command, but do not understand how to deal

Re: [openssl-users] Hardware client certificates moving to Centos 7

2017-09-27 Thread Robert Moskowitz
On 09/27/2017 08:07 AM, Stuart Marsden wrote: Hi I think I know what you are going to say - MD5? Lots of problems with that cert. If you have some connection with the vendor, have them read IEEE 802.1AR-2009 standard for Device Identity credentials. You will be supporting this phone

Re: [openssl-users] Storing private key on tokens

2017-09-27 Thread Blumenthal, Uri - 0553 - MITLL
AFAIK, at this point pkcs11 engine doesn't support key generation. The only viable options AFAIK are OpenSC (pkcs11-tool) and vendor-specific applications like yubico-piv-tool. Regards, Uri Sent from my iPhone > On Sep 27, 2017, at 08:23, Dmitry Belyavsky wrote: > >

[openssl-users] DH_generate_key Hangs

2017-09-27 Thread Jason Qian via openssl-users
Hi, Need some help, one of our application that hangs when calling DH_generate_key (openssl-0.9.8y). This occurs randomly under loaded condition. Not sure, if anyone know this issue ? Thanks Jason

Re: [openssl-users] Hardware client certificates moving to Centos 7

2017-09-27 Thread Jochen Bern
On 09/27/2017 02:07 PM, Stuart Marsden wrote: > Is there a way I can install a version of openssl on a dedicated standalone > Centos 7 server which will support these phones? > That would be preferable to me than having to leave Centos 6 servers just > for this I don't know

Re: [openssl-users] Storing private key on tokens

2017-09-27 Thread Dirk-Willem van Gulik
On 27 Sep 2017, at 14:22, Dmitry Belyavsky wrote: > What is the most natural way to generate private keys using openssl but store > them on a specific hardware tokens? Reading/writing is implemented via engine > mechanism. > > I suppose that it should be added support of