Re: [openssl-users] Regarding Signature Algorithm: ecdsa-with-SHA512
Hi Steve,

Thanks for the information I was not aware of that.

Yes, did that modification and now I am getting it as following (I passed EVP_sha512()).

Signature Algorithm: ecdsa-with-SHA256

Thanks,
Abhilash.

On Sun, Jul 17, 2016 at 8:05 PM, Dr. Stephen Henson wrote:

> On Sun, Jul 17, 2016, Abhilash K.V wrote:
>
> > I am trying to generate a CSR using EC and wanted to have signature
> > algorithm as “ecdsa-with-SHA512”.
> >
> > But in the generated csr I am getting signature algorithms as
> > “Signature Algorithm: ecdsa-with-SHA1” always.
> >
> > if (!X509_REQ_sign(req, privkey, EVP_ecdsa())) {
>
> Don't use EVP_ecdsa() it is an old "linked digest" which uses SHA1 and is only
> retained for compatibility with old code. Use EVP_sha512() instead.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] stunnel 5.35 released
Dear Users,

I have released version 5.35 of stunnel.

The ChangeLog entry:

Version 5.35, 2016.07.18, urgency: HIGH
* Bugfixes
  - Fixed incorrectly enforced client certificate requests.
  - Only default to SO_EXCLUSIVEADDRUSE on Vista and later.
  - Fixed thread safety of the configuration file reopening.

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
ffa386ae4c825f35f35157c285e7402a6d58779ad8c3822f74a9d355b54aba1d  stunnel-5.35.tar.gz
36e70e109d0283cd55c416eb261234f4c1b165409e1805df369bc774551f965c  stunnel-5.35-installer.exe
e671a4716fd36bde67850cdb5d17f54ee32b6afec9ad4ea6825d00f72a741cc5  stunnel-5.35-android.zip

Best regards,
Mike
Re: [openssl-users] Regarding Signature Algorithm: ecdsa-with-SHA512
On Sun, Jul 17, 2016, Abhilash K.V wrote:

> I am trying to generate a CSR using EC and wanted to have signature
> algorithm as “ecdsa-with-SHA512”.
>
> But in the generated csr I am getting signature algorithms as
> “Signature Algorithm: ecdsa-with-SHA1” always.
>
> if (!X509_REQ_sign(req, privkey, EVP_ecdsa())) {

Don't use EVP_ecdsa() it is an old "linked digest" which uses SHA1 and is only
retained for compatibility with old code. Use EVP_sha512() instead.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
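An added check, not code from this thread or from OpenSSL: it reads the digest a CSR was actually signed with straight from the DER that the posted code writes, by walking to the outer signatureAlgorithm OID; it does not verify the signature. The names `der_hdr` and `csr_sigalg` and the two byte strings are assumptions of this example, and the byte strings are constructed PKCS#10 skeletons with placeholder signatures, not real requests.

```c
#include <stdio.h>
#include <string.h>

/* Read one DER header at *p: returns the tag, stores the content length in *len
 * and leaves *p at the content; -1 on truncated input or unsupported length. */
static int der_hdr(const unsigned char **p, const unsigned char *end, size_t *len) {
    if (end - *p < 2) return -1;
    int tag = *(*p)++;
    size_t n = *(*p)++;
    if (n & 0x80) {                     /* long form: low 7 bits count length bytes */
        size_t k = n & 0x7f;
        if (k == 0 || k > 4 || (size_t)(end - *p) < k) return -1;
        for (n = 0; k > 0; k--) n = (n << 8) | *(*p)++;
    }
    if ((size_t)(end - *p) < n) return -1;
    *len = n;
    return tag;
}

/* Name the ECDSA digest in the outer signatureAlgorithm of a DER PKCS#10 CSR. */
const char *csr_sigalg(const unsigned char *der, size_t der_len) {
    static const unsigned char ecdsa[] = {0x2a,0x86,0x48,0xce,0x3d,0x04}; /* 1.2.840.10045.4 */
    const unsigned char *p = der, *end = der + der_len;
    size_t len;
    if (der_hdr(&p, end, &len) != 0x30) return "malformed";  /* CertificationRequest */
    end = p + len;
    if (der_hdr(&p, end, &len) != 0x30) return "malformed";  /* certificationRequestInfo */
    p += len;                                                 /* skip over it */
    if (der_hdr(&p, end, &len) != 0x30) return "malformed";  /* signatureAlgorithm */
    end = p + len;
    if (der_hdr(&p, end, &len) != 0x06) return "malformed";  /* algorithm OID */
    if (len < 7 || memcmp(p, ecdsa, sizeof ecdsa) != 0) return "not ECDSA";
    if (len == 7 && p[6] == 0x01) return "ecdsa-with-SHA1";
    if (len == 8 && p[6] == 0x03 && p[7] == 0x02) return "ecdsa-with-SHA256";
    if (len == 8 && p[6] == 0x03 && p[7] == 0x03) return "ecdsa-with-SHA384";
    if (len == 8 && p[6] == 0x03 && p[7] == 0x04) return "ecdsa-with-SHA512";
    return "other ECDSA variant";
}

/* Constructed skeletons (version-only request info, placeholder signature). */
const unsigned char CSR_SHA1[] = {0x30,0x14, 0x30,0x03,0x02,0x01,0x00,
    0x30,0x09,0x06,0x07,0x2a,0x86,0x48,0xce,0x3d,0x04,0x01, 0x03,0x02,0x00,0x00};
const unsigned char CSR_SHA512[] = {0x30,0x15, 0x30,0x03,0x02,0x01,0x00,
    0x30,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x04,0x03,0x04, 0x03,0x02,0x00,0x00};

int main(void) {
    printf("%s\n", csr_sigalg(CSR_SHA1, sizeof CSR_SHA1));     /* EVP_ecdsa() case */
    printf("%s\n", csr_sigalg(CSR_SHA512, sizeof CSR_SHA512)); /* EVP_sha512() case */
    return 0;
}
```

A CA intake script could run the same walk over each submitted request and reject any that report ecdsa-with-SHA1.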
Re: [openssl-users] rejection message from i Tune
Thank you very much

2016-07-15 16:56 GMT+03:00 Jakob Bohm:

> Maybe Apple changed their technical checks.
>
> I think (I haven't checked in detail) that the contract rules
> for uploading probably say that the certificate *must* be
> created with XCode and not some other tool.
>
> On 15/07/2016 15:46, Shai Quantz wrote:
>
>> Hi,
>>
>> I get this rejection message from i Tune:
>> ---
>> Dear developer,
>> We have discovered one or more issues with your recent delivery for
>> "Hebrew Tutor". To process your delivery, the following issues must be
>> corrected:
>> Invalid Signature - The binary with bundle identifier
>> 'com.jewishsoftware.hebrewtutor' at path [Hebrew-Tutor.app] contains an
>> invalid signature. Make sure you have signed your application with a
>> distribution certificate, not an ad hoc certificate or a development
>> certificate. Verify that the code signing settings in Xcode are correct at
>> the target level (which override any values at the project level). If you
>> are certain your code signing settings are correct, choose "Clean All" in
>> Xcode, delete the "build" directory in the Finder, and rebuild your release
>> target.
>>
>> I created my distribution certificate with openSSL, was working fine in
>> the past, but now there is this problem, even though I did everything good,
>> and checked my self over and over, but I can't get a good distribution
>> certificate, if the error message is correct. When I create a developer
>> certificate it works fine, the same process more or less, still
>> Distribution certificate just will not work. maybe I can send you the
>> distribution certificate, I make a ios_distribution.pem file and then a p12
>> file to use on windows with the platform I work with which is Flash Builder
>> 4.6
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
[openssl-users] Regarding Signature Algorithm: ecdsa-with-SHA512
Hi,

I am trying to generate a CSR using EC and wanted to have signature algorithm as “ecdsa-with-SHA512”.

But in the generated csr I am getting signature algorithms as “Signature Algorithm: ecdsa-with-SHA1” always.

Open ssl version : 1.0.1

It would be great if you can help me on this.

Code below:

    #include <stdio.h>
    #include <stdlib.h>
    #include <openssl/ec.h>
    #include <openssl/evp.h>
    #include <openssl/objects.h>
    #include <openssl/x509.h>

    int generate_csr()
    {
        EVP_PKEY *privkey;
        if ((privkey = EVP_PKEY_new()) == NULL) {
            printf("Cannot allocate memory for private key.\n");
            exit(1);
        }

        EC_KEY *eckey;
        printf("Generating ECC keypair...\n");
        eckey = EC_KEY_new();
        if (NULL == eckey) {
            printf("Failed to create new EC Key\n");
            return -1;
        }

        EC_GROUP *ecgroup = EC_GROUP_new_by_curve_name(NID_secp521r1);
        if (NULL == ecgroup) {
            printf("Failed to create new EC Group\n");
            return -1;
        }

        int set_group_status = EC_KEY_set_group(eckey, ecgroup);
        const int set_group_success = 1;
        if (set_group_success != set_group_status) {
            printf("Failed to set group for EC Key\n");
            return -1;
        }

        if (!EC_KEY_generate_key(eckey)) {
            printf("Failed to generate EC Key\n");
            exit(1);
        }

        if (!EVP_PKEY_assign_EC_KEY(privkey, eckey)) {
            printf("Cannot assign keypair to private key.\n");
            exit(1);
        }

        X509_REQ *req;
        if ((req = X509_REQ_new()) == NULL) {
            printf("Cannot allocate memory for certificate request.\n");
            exit(1);
        }

        X509_NAME *name;
        name = X509_REQ_get_subject_name(req);
        X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
                                   (unsigned char *)"alice", -1, -1, 0);
        X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_ASC,
                                   (unsigned char *)"al...@darkmatter.ae", -1, -1, 0);

        X509_REQ_set_pubkey(req, privkey);

        /* the third argument selects the digest used for the CSR signature */
        if (!X509_REQ_sign(req, privkey, EVP_ecdsa())) {
            printf("Cannot sign request.\n");
            exit(1);
        }

        const char *keyfn = "/Users/abhilash/test/csr_sample/tempkey.der";
        const char *csrfn = "/Users/abhilash/test/csr_sample/tempcsr.der";

        // write to files ...
        FILE *f;
        f = fopen(keyfn, "wb");   /* binary mode: the output is DER */
        if (f == NULL) {
            printf("Cannot open key file.\n");
            exit(1);
        }
        i2d_PrivateKey_fp(f, privkey);
        fclose(f);

        f = fopen(csrfn, "wb");
        if (f == NULL) {
            printf("Cannot open CSR file.\n");
            exit(1);
        }
        i2d_X509_REQ_fp(f, req);
        fclose(f);

        return 0;
    }

Thanks,
Abhilash.