You have two ways to follow.
1) To use an HSM to sign, the official way to do it is to use an openssl
engine. If your HSM does not provide an openssl engine, it probably does
provide a PKCS#11 module, and you can use the pkcs11 engine to load it and
use it.
2) In some situations that is not
2013/5/10 Cristian Thiago Moecke cont...@cristiantm.com.br
You have two ways to follow.
2) In some situations that is not possible (e.g. you need it to be signed
on a different remote system). And I just had the same need this week, but
for Certificate Requests. There are a lot of small
Hello
I have build OpenSSL 1.0.1e with fips 2.0.3
eistre:/ # openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
when I use 'wget' with https I run in Illegal instruction
I start with gdb and it comes
Verbindungsaufbau zu eisler.nettworks.org
(eisler.nettworks.org)|139.20.200.42|:443...
On 5/10/2013 5:37 AM, Cristian Thiago Moecke wrote:
You have two ways to follow.
1) To use an HSM to sign, the official way to do it is to use an
openssl engine. If your HSM does not provide an openssl engine, it
probably does provide a PKCS#11 module, and you can use the pkcs11
engine to load
On 5/10/2013 6:17 AM, Krzysztof Konopko wrote:
This could also be handled by some sort of engine that would work in two
modes:
* generate an intermediate result (hash) that can be processed (signed)
I'm looking for advice on how to do that.
at the remote site (how to get it there securely
2) In some situations that is not possible (e.g. you need it to be
signed on a different remote system). And I just had the same need this
week, but for Certificate Requests. There are a lot of small
non-documented things to do in this case but basically you need to:
a) get the der encoded
On Fri, May 10, 2013 at 11:26:35AM -0400, Ken Goldman wrote:
a) get the der encoded value of tbsCertificate field
b) hash it
c) apply pkcs1 padding and sign it
d) put the signature on asn1 form
e) add NIDs and other parameters to the cert_info field you identified.
I spent a lot of time
Must non-CA, self-signed certificates have the keyCertSign bit set in the
keyUsage extension to be valid?
If I don't have the bit set and execute the following command:
openssl verify -check_ss_sig -CAfile ./my-ss-cert.pem ./my-ss-cert.pem
I get the following error:
error 20 at 0 depth
Hello
I have build OpenSSL 1.0.1e with fips 2.0.3
eistre:/ # openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
when I use 'wget' with https I run in Illegal instruction
I start with gdb and it comes
Verbindungsaufbau zu eisler.nettworks.org
(eisler.nettworks.org)|139.20.200.42|:443...
Cristian Thiago Moecke
contato-pbw9x2wndctn3hn+mpyg4faujnlxr...@public.gmane.org writes:
You have two ways to follow.
1) To use an HSM to sign, the official way to do it is to use an
openssl engine. If your HSM does not provide an openssl engine, it
probably does provide a PKCS#11 module,
The answer to your question is yes, RSA blinding is turned on by default.
To verify that blinding is turned on by default, run this test:
Run the following code after calling RSA_blinding_off(*RSA). Then, comment
out RSA_blinding_off() and run it again. The output from this test verifies
that
What is the difference between SSL_CTX_SET_cipher_list and
SSL_CTX_set_preferred_cipher_list ? When and why would I use the preferred
version? I promise to turn any answers I got into a POD manpage for future
inclusion :)
And why is there an SSL_set_cipher_list function, but the (misnamed?)
Would there be any interest (and support) from the dev team for patches that
completely remove SSLv2 API's?
/r$
--
Principal Security Engineer
Akamai Technology
Cambridge, MA
On Fri, May 10, 2013, Salz, Rich wrote:
Would there be any interest (and support) from the dev team for patches that
completely remove SSLv2 API's?
What would the difference be between this and the no-ssl2 switch to Configure?
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
On Fri, May 10, 2013 at 01:00:21PM -0600, Salz, Rich wrote:
What is the difference between SSL_CTX_SET_cipher_list and
SSL_CTX_set_preferred_cipher_list?
Which version of OpenSSL has the preferred version? I don't see
this in master.
When and why would I use the preferred version?
I
From: owner-openssl-us...@openssl.org On Behalf Of Viktor Dukhovni
Sent: Friday, 10 May, 2013 12:20
On Fri, May 10, 2013 at 11:26:35AM -0400, Ken Goldman wrote:
a) get the der encoded value of tbsCertificate field
b) hash it
c) apply pkcs1 padding and sign it
d) put the signature on
Hello I can see a call to OBJ_bsearch_pmeth() in openssl source. By I could
not find the definition of OBJ_bsearch_pmeth(). I greped the entire source.
Can somebody help me to find the definition ?
./openssl-1.0.1d/crypto/evp/pmeth_lib.c:ret = OBJ_bsearch_pmeth(t,
standard_methods,
17 matches
Mail list logo