Re: [openssl-users] Regarding Signature Algorithm: ecdsa-with-SHA512

2016-07-17 Thread Abhilash K.V
Hi Steve,

Thanks for the information; I was not aware of that.

Yes, I made that modification and now I am getting the following (I passed
EVP_sha512()).

Signature Algorithm: ecdsa-with-SHA256

Thanks,
Abhilash.

On Sun, Jul 17, 2016 at 8:05 PM, Dr. Stephen Henson wrote:

> On Sun, Jul 17, 2016, Abhilash K.V wrote:
>
> > I am trying to generate a CSR using EC and wanted to have signature
> > algorithm as “ecdsa-with-SHA512”.
> >
> > But in the generated csr I am getting signature algorithms as “Signature
> > Algorithm: ecdsa-with-SHA1” always.
> >
> >
> > if (!X509_REQ_sign(req, privkey, EVP_ecdsa())) {
> >
>
> Don't use EVP_ecdsa(); it is an old "linked digest" which uses SHA1 and is
> only retained for compatibility with old code. Use EVP_sha512() instead.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>


[openssl-users] stunnel 5.35 released

2016-07-17 Thread Michał Trojnara
Dear Users,

I have released version 5.35 of stunnel.

The ChangeLog entry:
Version 5.35, 2016.07.18, urgency: HIGH
* Bugfixes
  - Fixed incorrectly enforced client certificate requests.
  - Only default to SO_EXCLUSIVEADDRUSE on Vista and later.
  - Fixed thread safety of the configuration file reopening.

Home page: https://www.stunnel.org/
Download:  https://www.stunnel.org/downloads.html

SHA-256 hashes:
ffa386ae4c825f35f35157c285e7402a6d58779ad8c3822f74a9d355b54aba1d
stunnel-5.35.tar.gz
36e70e109d0283cd55c416eb261234f4c1b165409e1805df369bc774551f965c
stunnel-5.35-installer.exe
e671a4716fd36bde67850cdb5d17f54ee32b6afec9ad4ea6825d00f72a741cc5
stunnel-5.35-android.zip

Best regards,
Mike





Re: [openssl-users] Regarding Signature Algorithm: ecdsa-with-SHA512

2016-07-17 Thread Dr. Stephen Henson
On Sun, Jul 17, 2016, Abhilash K.V wrote:

> I am trying to generate a CSR using EC and wanted to have signature
> algorithm as “ecdsa-with-SHA512”.
> 
> But in the generated csr I am getting signature algorithms as “Signature
> Algorithm: ecdsa-with-SHA1” always.
> 
> 
> if (!X509_REQ_sign(req, privkey, EVP_ecdsa())) {
> 

Don't use EVP_ecdsa(); it is an old "linked digest" which uses SHA1 and is only
retained for compatibility with old code. Use EVP_sha512() instead.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
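
Added example (not part of the original thread and not OpenSSL code): a dependency-free C check that reads the signatureAlgorithm OID out of a DER-encoded CSR, such as the tempcsr.der written in the question, and rejects ecdsa-with-SHA1. The function names and the two sample byte arrays are constructed for illustration; the samples are DER skeletons with a CSR's outer layout, not valid requests.

```c
#include <stddef.h>
#include <string.h>

/* Parse one DER header carrying the expected tag; returns header size, 0 if malformed. */
static size_t der_hdr(const unsigned char *p, size_t n, unsigned char tag, size_t *len) {
    if (n < 2 || p[0] != tag) return 0;
    if (p[1] < 0x80) { *len = p[1]; return (*len <= n - 2) ? 2 : 0; }
    size_t k = p[1] & 0x7f, v = 0;               /* long form: k length bytes follow */
    if (k == 0 || k > 4 || 2 + k > n) return 0;
    for (size_t i = 0; i < k; i++) v = (v << 8) | p[2 + i];
    *len = v; return (v <= n - 2 - k) ? 2 + k : 0;
}

/* Digest named by a CSR's ECDSA signatureAlgorithm OID; "unknown" for other OIDs, NULL on bad DER. */
const char *csr_ecdsa_digest(const unsigned char *der, size_t n) {
    static const struct { unsigned char oid[8]; size_t len; const char *name; } tab[] = {
        {{0x2A,0x86,0x48,0xCE,0x3D,0x04,0x01},      7, "SHA1"},   /* 1.2.840.10045.4.1   */
        {{0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x02}, 8, "SHA256"}, /* 1.2.840.10045.4.3.2 */
        {{0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x03}, 8, "SHA384"}, /* 1.2.840.10045.4.3.3 */
        {{0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x04}, 8, "SHA512"}, /* 1.2.840.10045.4.3.4 */
    };
    size_t h, len;
    if (!(h = der_hdr(der, n, 0x30, &len))) return NULL;  /* CertificationRequest */
    der += h; n = len;
    if (!(h = der_hdr(der, n, 0x30, &len))) return NULL;  /* certificationRequestInfo */
    der += h + len; n -= h + len;                          /* skip over it */
    if (!(h = der_hdr(der, n, 0x30, &len))) return NULL;  /* signatureAlgorithm */
    der += h; n = len;
    if (!(h = der_hdr(der, n, 0x06, &len))) return NULL;  /* algorithm OID */
    for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++)
        if (len == tab[i].len && memcmp(der + h, tab[i].oid, len) == 0) return tab[i].name;
    return "unknown";
}

/* Policy: only SHA-2 ECDSA passes; SHA1, unknown OIDs and unparsable DER all fail. */
int csr_digest_ok(const unsigned char *der, size_t n) {
    const char *d = csr_ecdsa_digest(der, n);
    return d && strncmp(d, "SHA", 3) == 0 && strcmp(d, "SHA1") != 0;
}

/* Constructed samples: SEQUENCE { SEQUENCE { INTEGER 0 }, AlgorithmIdentifier, BIT STRING }. */
const unsigned char SAMPLE_SHA1[] = { 0x30,0x14, 0x30,0x03,0x02,0x01,0x00,
    0x30,0x09,0x06,0x07,0x2A,0x86,0x48,0xCE,0x3D,0x04,0x01, 0x03,0x02,0x00,0x00 };
const unsigned char SAMPLE_SHA512[] = { 0x30,0x15, 0x30,0x03,0x02,0x01,0x00,
    0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x04, 0x03,0x02,0x00,0x00 };

int main(void) {   /* exit status 0 when the SHA-512 sample passes the policy */
    return !csr_digest_ok(SAMPLE_SHA512, sizeof SAMPLE_SHA512);
}
```

The functions expect the raw DER bytes of the request; a PEM-encoded CSR has to be base64-decoded first.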


Re: [openssl-users] rejection message from i Tune

2016-07-17 Thread Shai Quantz
Thank you very much

2016-07-15 16:56 GMT+03:00 Jakob Bohm:

> Maybe Apple changed their technical checks.
>
> I think (I haven't checked in detail) that the contract rules
> for uploading probably say that the certificate *must* be
> created with XCode and not some other tool.
>
> On 15/07/2016 15:46, Shai Quantz wrote:
>
>>
>> Hi,
>>
>> I get this rejection message from i Tune:
>> ---
>> Dear developer,
>> We have discovered one or more issues with your recent delivery for
>> "Hebrew Tutor". To process your delivery, the following issues must be
>> corrected:
>> Invalid Signature - The binary with bundle identifier
>> 'com.jewishsoftware.hebrewtutor' at path [Hebrew-Tutor.app] contains an
>> invalid signature. Make sure you have signed your application with a
>> distribution certificate, not an ad hoc certificate or a development
>> certificate. Verify that the code signing settings in Xcode are correct at
>> the target level (which override any values at the project level). If you
>> are certain your code signing settings are correct, choose "Clean All" in
>> Xcode, delete the "build" directory in the Finder, and rebuild your release
>> target.
>> 
>> I created my distribution certificate with OpenSSL, was working fine in
>> the past, but now there is this problem, even though I did everything good,
>> and checked myself over and over, but I can't get a good distribution
>> certificate, if the error message is correct. When I create a developer
>> certificate it works fine, the same process more or less, still
>> Distribution certificate just will not work. Maybe I can send you the
>> distribution certificate, I make a ios_distribution.pem file and then a p12
>> file to use on Windows with the platform I work with which is Flash Builder
>> 4.6
>>
>>
>>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
>


[openssl-users] Regarding Signature Algorithm: ecdsa-with-SHA512

2016-07-17 Thread Abhilash K.V
Hi,

I am trying to generate a CSR using EC and wanted to have signature
algorithm as “ecdsa-with-SHA512”.

But in the generated csr I am getting signature algorithms as “Signature
Algorithm: ecdsa-with-SHA1” always.

OpenSSL version: 1.0.1

It would be great if you can help me on this.

Code below:



#include <stdio.h>
#include <stdlib.h>
#include <openssl/ec.h>
#include <openssl/evp.h>
#include <openssl/x509.h>

int generate_csr(void)
{
    EVP_PKEY *privkey;

    if ((privkey = EVP_PKEY_new()) == NULL) {
        printf("Cannot allocate memory for private key.\n");
        exit(1);
    }

    EC_KEY *eckey;

    /* Generate a P-521 key pair */
    printf("Generating ECC keypair...\n");
    eckey = EC_KEY_new();
    if (NULL == eckey) {
        printf("Failed to create new EC Key\n");
        return -1;
    }

    EC_GROUP *ecgroup = EC_GROUP_new_by_curve_name(NID_secp521r1);
    if (NULL == ecgroup) {
        printf("Failed to create new EC Group\n");
        return -1;
    }

    int set_group_status = EC_KEY_set_group(eckey, ecgroup);
    const int set_group_success = 1;
    if (set_group_success != set_group_status) {
        printf("Failed to set group for EC Key\n");
        return -1;
    }

    if (!EC_KEY_generate_key(eckey)) {
        printf("Failed to generate EC Key\n");
        exit(1);
    }

    if (!EVP_PKEY_assign_EC_KEY(privkey, eckey)) {
        printf("Cannot assign keypair to private key.\n");
        exit(1);
    }

    /* Build the certificate request */
    X509_REQ *req;
    if ((req = X509_REQ_new()) == NULL) {
        printf("Cannot allocate memory for certificate request.\n");
        exit(1);
    }

    X509_NAME *name;
    name = X509_REQ_get_subject_name(req);
    X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
                               (unsigned char *)"alice", -1, -1, 0);
    X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_ASC,
                               (unsigned char *)"al...@darkmatter.ae", -1, -1, 0);

    X509_REQ_set_pubkey(req, privkey);

    /* Sign the request; EVP_ecdsa() is the digest argument this question is about */
    if (!X509_REQ_sign(req, privkey, EVP_ecdsa())) {
        printf("Cannot sign request.\n");
        exit(1);
    }

    const char *keyfn = "/Users/abhilash/test/csr_sample/tempkey.der";
    const char *csrfn = "/Users/abhilash/test/csr_sample/tempcsr.der";

    /* write to files (binary mode, since the output is DER) */
    FILE *f;
    f = fopen(keyfn, "wb");
    if (f == NULL) {
        printf("Cannot open %s for writing.\n", keyfn);
        exit(1);
    }
    i2d_PrivateKey_fp(f, privkey);
    fclose(f);

    f = fopen(csrfn, "wb");
    if (f == NULL) {
        printf("Cannot open %s for writing.\n", csrfn);
        exit(1);
    }
    i2d_X509_REQ_fp(f, req);
    fclose(f);

    return 0;
}


Thanks,
Abhilash.