Re: [EXTERNAL] Re: odd error for ECDSA key in REQ.

2020-08-10 Thread Erwann Abalea via openssl-users
, and the encoded public key), and finally the BIT STRING encapsulation. The OCTET STRING is wrong here. Regards, Erwann Abalea On 08/08/2020 14:24, « openssl-users on behalf of Dirk-Willem van Gulik » wrote: The key is generated by a lovely HSM - which is by its nature a bit

Re: [EXTERNAL] Re: Unusual certificates

2020-06-25 Thread Erwann Abalea via openssl-users
The second certificate seems garbaged at the 4th RDN of the issuerName. The Base64 edition might have added or deleted some characters. Regards, Erwann Abalea On 25/06/2020 16:00, « openssl-users on behalf of Angus Robertson - Magenta Systems Ltd » wrote: More information

Re: client certs with no subjectName only SAN

2019-08-16 Thread Erwann Abalea via openssl-users
a SHOULD in PKIX) A quick reading of RFC8002 tells me that you may need to include the IssuerAltName extension as well? Regards, Erwann Abalea On 16/08/2019 17:11, « openssl-users on behalf of Robert Moskowitz » wrote: Viktor, On 8/16/19 8:41 AM, Viktor Dukhovni wrote

Re: client certs with no subjectName only SAN

2019-08-16 Thread Erwann Abalea via openssl-users
ertificate, the field is not OPTIONAL. Regards, Erwann Abalea On 15/08/2019 22:13, « openssl-users on behalf of Salz, Rich via openssl-users » wrote: subjectAltName is rarely marked as critical; sec 4.2.1.6 of PKIX says "SHOULD mark subjectAltName as non-critical" I can

Re: Why were edwards curves given distinct key types, aren't they EC keys?

2019-03-15 Thread Erwann Abalea via openssl-users
Maybe because EVP_PKEY_EC designates an ECDSA key, that an EdDSA key is not generated the same way (particularly the public part), and that the encodings are different? Regards, Erwann Abalea On 15/03/2019 19:20, « openssl-users on behalf of Sam Roberts » wrote: It seems like

Re: OpenVPNGui 2.4.7 fails: format error in certificate's notAfter field

2019-03-07 Thread Erwann Abalea via openssl-users
xist and is supposed to be produced). Regards, Erwann Abalea On 06/03/2019 16:38, « openssl-users on behalf of Jakob Bohm via openssl-users » wrote: On 06/03/2019 16:17, Michael Wojcik wrote: >> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf

Re: [openssl-users] RSA Public Key error

2018-12-17 Thread Erwann Abalea via openssl-users
want Regards, Erwann Abalea From: prithiraj das Date: Monday 17 December 2018 at 08:23 To: Erwann Abalea , "openssl-users@openssl.org" Subject: Re: [openssl-users] RSA Public Key error Hi Erwann/All, Thank you for your earlier response. I have done a couple of tests on the

Re: [openssl-users] RSA Public Key error

2018-12-12 Thread Erwann Abalea via openssl-users
at the beginning by my own, and now I can’t open the file again ». Those bytes are there for a reason. A quick solution would be to *add* your 16 bytes before the public key, and remove them when passing the rest of the bytes to OpenSSL. Regards, Erwann Abalea From: openssl-users on behalf of prithiraj

Re: [openssl-users] Path Length Constraint ignored for Root and any self-issued certificate

2018-10-08 Thread Erwann Abalea via openssl-users
Hello, The prospective certification path excludes the Trust Anchor. Therefore, the « max_path_length=0 » step is attained only when dealing with your EvilCA cert. Regards, Erwann Abalea > On 8 Oct 2018 at 14:47, Peter Magnusson > wrote: > > That is not correct beha

Re: [openssl-users] Doubt regarding O-SSL and setting the duration of certificates

2017-09-13 Thread Erwann Abalea via openssl-users
nd happening at that exact day, removing second 59 completely. Just think of this as a magical value. Regards, Erwann Abalea -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Using set_serial to control serial number size directly

2017-08-21 Thread Erwann Abalea via openssl-users
, serial number}. Regards, Erwann Abalea > On 21 Aug 2017 at 15:44, Robert Moskowitz <r...@htt-consult.com> wrote: > > > > On 08/21/2017 09:36 AM, Salz, Rich wrote: >> ➢ Thus how large does this random number have >> >> It’s also to protect agai

Re: [openssl-users] More on cert serialnumbers

2017-08-18 Thread Erwann Abalea via openssl-users
> On 18 Aug 2017 at 15:18, Mark H. Wood <mw...@iupui.edu> wrote: > > On Thu, Aug 17, 2017 at 03:29:56PM +, Erwann Abalea via openssl-users > wrote: >> The BR are for public CAs, not private CAs; even if some of those >> requirements are considered « go

Re: [openssl-users] Implementing deprecation of commonname and emailaddress

2017-08-17 Thread Erwann Abalea via openssl-users
> On 17 Aug 2017 at 17:36, Jeffrey Walton <noloa...@gmail.com> wrote: > > On Thu, Aug 17, 2017 at 11:34 AM, Erwann Abalea > <erwann.aba...@docusign.com> wrote: >> >>> On 17 Aug 2017 at 17:26, Jeffrey Walton <noloa...@gmail.com> wrote: >

Re: [openssl-users] Implementing deprecation of commonname and emailaddress

2017-08-17 Thread Erwann Abalea via openssl-users
value in CN MUST be present in the SAN extension. Regards, Erwann Abalea

Re: [openssl-users] More on cert serialnumbers

2017-08-17 Thread Erwann Abalea via openssl-users
The CN deprecation and use of SAN:dNSName instead is a target of some browsers for private CAs; it may require more work for you, but there’s a benefit. CN has been populated with too much garbage (FQDN, domain, service name, IP address, person name, …), the SAN extension has nice baskets to pu

Re: [openssl-users] keyusage digitalSignature in CA certs

2017-08-17 Thread Erwann Abalea via openssl-users
P responses, or an issuing CA can issue different certificates for the same CA (they all have the same Subject, which is different from the issuing’s Subject) but for different purposes (and thus different keyUsage bits). Regards, Erwann Abalea

Re: [openssl-users] Personal CA: are cert serial numbers critical?

2017-08-16 Thread Erwann Abalea via openssl-users
ince for smaller CAs > it is a better solution for browsers and servers that support it. Another requirement is that a TLS server certificate shall have its identity (FQDN) in the SAN extension. Use of the commonName attribute has been deprecated long ago. Regards, Erwann Abalea

Re: [openssl-users] Understanding RSA_sign and type argument

2017-06-12 Thread Erwann Abalea
Hello, Add « -sigalgs SHA256+RSA » to one of your command lines. Regards, Erwann Abalea On 9 June 2017 at 09:45, Ignacio Alamo Corsino <nacao2...@hotmail.com> wrote: Hello everyone, I am having some issues understanding the RSA_sign functio

Re: [openssl-users] Leading Zeros in ASN1_INTEGER?

2017-01-30 Thread Erwann Abalea
Why not? This serial number could also be displayed as 3203232750, or 000BEED73EE, or 03203232750. Regards, Erwann Abalea On 30 Jan 2017 at 11:03, Matthias Ballreich <matthias.ballre...@outlook.de> wrote: thanks for explanation.

Re: [openssl-users] ECDSA_SIG_new and ECDSA_SIG_free details

2017-01-11 Thread Erwann Abalea
pointer. Regards, Erwann Abalea > On 11 Jan 2017 at 17:18, Jeffrey Walton <noloa...@gmail.com> wrote: > >> Could someone from the OpenSSL team please explain the rationale for this >> decision? What is the problem with using assignments with 0 or NULL t

Re: [openssl-users] (SPAM) Retrieving Root CA certificate using "openssl s_client -showcerts" command

2016-11-08 Thread Erwann Abalea
Hello, The root certificate is not expected to be sent by the server, as it already needs to be known and trusted by the client. However, you’re free to configure your server to send it, for debugging or informational purposes. Regards, Erwann Abalea On 8 Nov 2016 at 03:36, Mofassir Ul

Re: [openssl-users] M_ASN1_D2I_* replacement in OpenSSL 1.1.0

2016-09-20 Thread Erwann Abalea
N(MYSTRUCT) Now you can call i2d_MYSTRUCT()/d2i_MYSTRUCT() to encode/decode such a data type, and similar _bio, _fp, _dup functions as well. Regards, Erwann Abalea On 20 Sept 2016 at 11:45, Aleksandr Konstantinov <aleksandr.v.konstanti...@gmail.com>

Re: [openssl-users] openssl crl fails to parse a CRL file, which seems correct

2016-09-15 Thread Erwann Abalea
That’s a bug in the Issuer name length check. Use the 1.1.0 version. Regards, Erwann Abalea > On 14 Sept 2016 at 14:31, Wouter Verhelst <wouter.verhe...@fedict.be> wrote: > > Hi, > > (this is a resend because my MUA crashed while I tried to send this mai

Re: [openssl-users] Openssl software failure for RSA 16K modulus

2016-07-22 Thread Erwann Abalea
Hello, On 22 July 2016 at 08:44, Gupta, Saurabh > wrote: 1: I didn't get it, Why this behaviour is not coming for other ciphers while doing the server/client handshake? It should fail for other ciphers also. Ciphers: working

Re: [openssl-users] Openssl software failure for RSA 16K modulus

2016-07-21 Thread Erwann Abalea
> On 21 July 2016 at 15:08, Salz, Rich wrote: > >> By raising the limit, you don’t suddenly put every application at risk of a >> DoS, >> because these applications won’t suddenly use a 16k RSA key. > > Yes we do, because the other side could send a key, not local config.

Re: [openssl-users] Openssl software failure for RSA 16K modulus

2016-07-21 Thread Erwann Abalea
> On 21 July 2016 at 14:17, Salz, Rich wrote: > >> We have to make trade-offs. Who uses a 16K RSA key? > > Let me add some clarification. Is it worth putting every application that > uses OpenSSL at risk for a DoS attack with a 16K RSA key? By raising the limit, you

Re: [openssl-users] Openssl software failure for RSA 16K modulus

2016-07-21 Thread Erwann Abalea
Largest accepted client key exchange message length seems to be set to 2048 bytes. Key exchange for an RSA16k is slightly larger than that (exactly 2048 bytes of pure crypto payload, plus a few bytes of overhead). OpenSSL is too conservative here. Regards, Erwann Abalea On 21 July 2016

Re: [openssl-users] Creating an X25519-based Certificate

2016-06-30 Thread Erwann Abalea
Maybe we just didn’t. At least not with the command line tools. The CHANGES file lists a merge between « dh », « gendh », and « dhparam » in 2000, but no evolution since then. The oldest version I could find is 0.9.6, and there’s no command-line DH key generation. Regards, Erwann Abalea

Re: [openssl-users] Creating an X25519-based Certificate

2016-06-30 Thread Erwann Abalea
Ok, you’re talking about OpenSSL command line tool only, I missed that part. The solution should then be to modify apps/ca.c:certify() function to add an arg, and avoid the call to X509_REQ_verify when desired. Regards, Erwann Abalea On 29 June 2016 at 19:17, Michael Scott <mike

Re: [openssl-users] Creating an X25519-based Certificate

2016-06-29 Thread Erwann Abalea
ers are defined for this OID -> cert.signatureAlgorithm.parameters * a canonical encoding for the signature value is defined, so it can be enclosed into cert.signatureValue All this is being discussed at CFRG. Regards, Erwann Abalea On 29 June 2016 at 16:46, Michael Scott <mike.sc...@m

Re: [openssl-users] (SPAM) I: Question on ccm mode in openssl

2016-05-24 Thread Erwann Abalea
Hello, CCM mode is already implemented in OpenSSL. Regards, Erwann Abalea On 24 May 2016 at 17:43, Christian Adja <christian_a...@yahoo.it> wrote: On Tuesday 24 May 2016 17:21, Christian Adja <christian_a...@yahoo.it>

Re: [openssl-users] Is the structure of this CMS object correct?

2016-02-09 Thread Erwann Abalea
Hello, On 9 Feb 2016 at 10:15, Stephan Mühlstrasser > wrote: Hi, I'm trying to decrypt a DER-encoded CMS object (created by Adobe Acrobat) with OpenSSL 1.0.2d: $ openssl cms -decrypt -in recipient.bin -inform DER -inkey atssecp521r1.key -recip

Re: [openssl-users] Is the structure of this CMS object correct?

2016-02-09 Thread Erwann Abalea
Hello Stephan, On 9 Feb 2016 at 12:29, Stephan Mühlstrasser <s...@pdflib.com> wrote: On 09.02.16 at 11:53, Erwann Abalea wrote: Hello, On 9 Feb 2016 at 10:15, Stephan Mühlstrasser <s...@pdflib.com>

Re: [openssl-users] OCSP service dependant on time valid CRLs

2015-12-11 Thread Erwann Abalea
revoked. Such an OCSP service, responding « Revoked », wouldn’t be strictly compliant. Erwann Abalea erwann.aba...@docusign.com On 10 Dec 2015 at 20:07, socket <danbrya...@gmail.com> wrote: Thanks for

Re: [openssl-users] OCSP service dependant on time valid CRLs

2015-12-10 Thread Erwann Abalea
certificate as revoked. « tryLater » is also a correct answer, even « internalError » if we consider the CRL as part of the internal state of the responder. Erwann Abalea erwann.aba...@docusign.com On 10 Dec 2015 at 18:29, socket <danbrya...@

Re: [openssl-users] using openssl to validate an external AES program

2015-10-09 Thread Erwann Abalea
a7b0430d8cdb78070b4c55a > > i get the following > > :~/git/aes/openssl$ od -x clear2.txt > 000 1100 3322 5544 7766 9988 bbaa ddcc ffee > 020 > :~/git/aes/openssl$ openssl enc -nosalt -in clear2.txt -out encrypted.dat -e > -aes-1

Re: [openssl-users] Why openssl 1.0.1p accepts composite $q$ in DSA?

2015-09-09 Thread Erwann Abalea
Hello, > On 9 Sept 2015 at 14:17, Georgi Guninski wrote: > > On Wed, Sep 09, 2015 at 12:07:43PM +, Viktor Dukhovni wrote: >>> >>> Are you saying I can't sign the cert with another cert >>> (the pubkey is easy to extract from the cert) with openssl? >> >> If you

Re: [openssl-users] Converting Bin format to X509 format

2015-07-22 Thread Erwann Abalea
» element (not its BIT STRING structure, only the inner content). What is missing is all the rest, and it can’t be produced by the sole « openssl x509 … » command. Please refine your question. Regards, Erwann Abalea On 22 July 2015 at 11:17, Anirudh Raghunath anirudhraghun...@rocketmail.com

Re: [openssl-users] Converting Bin format to X509 format

2015-07-22 Thread Erwann Abalea
want to sign certificates (either subCA or subscriber, it doesn’t matter). That’s how I understood your question. If you want to do all this using only openssl CLI, that’s doable with a specially crafted config file declaring your engine and its parameters. Regards, Erwann Abalea On 22

Re: [openssl-users] OCSP: ocsp.omniroot.com/baltimore/... - what is it exactly?

2015-04-30 Thread Erwann Abalea
Hello, On 30/04/2015 19:44, Tomasz Chmielewski wrote: This might not be very relevant to OpenSSL, but I'm not sure if there is any better list for this question... My webserver is getting flooded with queries like: ocsp.omniroot.com 124.205.254.7 - - [30/Apr/2015:19:24:30 +0200] GET

Re: [openssl-users] NID_Name equivalent in a certificate

2015-04-29 Thread Erwann Abalea
Hello, NID_name corresponds to the OID id-at-name. There's no equivalent field in a certificate that maps to an OID. The OID id-at-name designs the attribute supertype name, which shouldn't be present in a certificate, but can nevertheless be present. Anywhere. -- Erwann ABALEA On 29/04

Re: [openssl-users] Delete a post to openssl-user mailing list

2015-04-22 Thread Erwann Abalea
Hello, The password pwd1234 is obviously a test one, as is the file path c:/work/mypemfile.pem. Knowing that you're using OpenSSL 1.0.2a shouldn't be a problem either. What is the security risk? -- Erwann ABALEA On 22/04/2015 15:55, Vollaro, John wrote: Can a message be removed

Re: [openssl-users] Fwd to openssl-users Re: [openssl-dev] Why the issuer cannot be found?

2015-04-06 Thread Erwann Abalea
algorithm. On 03/04/2015 10:56, Erwann Abalea wrote: (Forwarded to openssl-users) The subjectName of file4.pem matches the issuerName of file3.pem, the signature block in file3.pem, when verified with the public key of file4.pem, gives a correct signature for the tbsCertificate of file3.pem

[openssl-users] Fwd to openssl-users Re: [openssl-dev] Why the issuer cannot be found?

2015-04-03 Thread Erwann Abalea
.pem.SKI matches file3.pem.AKI, and refuses to go further (here, AKI doesn't match SKI). -- Erwann ABALEA On 03/04/2015 03:10, Yuting Chen wrote: I used OpenSSL to verify a certificate file (file3.pem) against another certificate file (file4.pem). OpenSSL reports that it cannot find

[openssl-users] Fwd to openssl-users, Re: [openssl-dev] Reminder: OpenSSL's EC private key encoding is broken

2015-03-24 Thread Erwann Abalea
The private key is a random integer in [1, p-1], not in [2^(log2(p)-1), (2^log2(p))-1]. In DER, an INTEGER is always expressed using the smallest possible number of octets. 001a is an integer equal to 001a, but it will be represented as 1a. -- Erwann ABALEA On 24/03/2015 12:10, Annie

Re: [openssl-users] [openssl-dev] [openssl.org #3726] Cocoapods install BUG

2015-03-02 Thread Erwann Abalea
It seems all the tarballs have disappeared. -- Erwann ABALEA On 02/03/2015 18:06, Alex Sklyar via RT wrote: Hello guys. There is an issue with openssl pod installing with cocoapods tool. The URL «https://www.openssl.org/source/openssl-1.0.2.tar.gz» is dead

Re: [openssl-users] S/MIME mime type application/octet-stream

2014-11-06 Thread Erwann Abalea
, suboptimal, and whatever. It WORKSFORME, on an indefinite length signature as well as the corresponding definite one recreated by OpenSSL. I haven't contempted the idea of parsing ASN.1/BER in magic(5) parlance. -- Erwann ABALEA On 06/11/2014 17:24, Jan Hejl wrote: Hello, i found that the file

Re: [openssl-users] OpenSSL X509 Parse Error with Elliptice curve Public Key

2014-10-20 Thread Erwann Abalea
Your EC point is on the brainpoolP256r1 curve. This curve isn't supported by OpenSSL (yet). -- Erwann ABALEA On 20/10/2014 10:16, Harakiri wrote: I'm getting the following error using openssl x509 -inform DER -in cms_cert.der -text 140026491385512:error:100D7010:elliptic curve

Re: [openssl-users] Is it possible to disable SSLv3 for all openssl-enabled applications via settings in openssl.cnf?

2014-10-16 Thread Erwann Abalea
Would you like all your OpenSSL-enabled applications to be configured all the same, with the same protocols and same ciphersuites? -- Erwann ABALEA On 15/10/2014 23:56, Todd Pfaff wrote: I'd like to be able to disable SSLv3 for all openssl-enabled applications in a single configuration

Re: Query reg multiple CA-Cert in list with same subject

2014-06-10 Thread Erwann Abalea
a set of CA certificates. If your gateway software is a commercial software, please report this misbehaviour to the vendor. -- Erwann ABALEA On 10/06/2014 09:08, Mukesh Yadav wrote: Hi, I have a query for Ca-Cert list. If at gateway we have configured two CA-certs A1 and A2 both having

Re: [openssl-users] OpenSSL on Mac

2014-04-01 Thread Erwann Abalea
Darwinports. -- Erwann ABALEA On 31/03/2014 21:18, Landen Landens wrote: My Mac still has OpenSSL 0.9.8. How may I update this to the latest stable version? I believe the latest stable version is at least 1.0.01

Re: [openssl-users] Re: OpenSSL PKI Tutorial updated

2014-03-27 Thread Erwann Abalea
On 27/03/2014 11:14, Jeffrey Walton wrote: On Thu, Mar 27, 2014 at 5:47 AM, Stefan H. Holek ste...@epy.co.at wrote: On 25.03.2014, at 17:44, Zack Williams wrote: ... 3. Is there a reason to not set a pathLen in the basicConstraints section of the Root CA's (to 1, to allow a maximum of one

Re: [openssl-users] Re: OpenSSL PKI Tutorial updated

2014-03-26 Thread Erwann Abalea
On 25/03/2014 23:08, Zack Williams wrote: On Tue, Mar 25, 2014 at 10:54 AM, Erwann Abalea erwann.aba...@keynectis.com wrote: 2. I couldn't figure out what the [additional_oids] section of the Expert example's root-ca.conf file is for - either through research or going through the commit

Re: [openssl-users] Re: OpenSSL PKI Tutorial updated

2014-03-25 Thread Erwann Abalea
On 25/03/2014 17:44, Zack Williams wrote: On Fri, Mar 21, 2014 at 12:25 AM, Stefan H. Holek ste...@epy.co.at wrote: I have updated the OpenSSL PKI Tutorial at Read the Docs. The tutorial provides three complete PKI examples you can play through and the prettiest configuration files this

Re: [openssl-users] openssl-0.9.8j has problem with Google HTTPS using SSLv3

2014-02-21 Thread Erwann Abalea
Hello, It seems OpenSSL 0.9.8j doesn't like receiving a New Session Ticket message over an SSLv3 session, even when it sends an empty session ticket in its ClientHello message. Possible solutions: -tls1 instead of -ssl3 add -no_ticket -- Erwann ABALEA On 21/02/2014 11:03, Lvqier

Re: [openssl-users] MODSSL: RFC 2560

2014-01-14 Thread Erwann Abalea
Good evening, On 14/01/2014 19:44, socket wrote: Hey all, I am wondering if anyone here could point me in the right direction or even assist with a problem I have having. According to RFC 2560: All definitive response messages SHALL be digitally signed. The key used to sign the response

Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-13 Thread Erwann Abalea
On 13/12/2013 19:30, Walter H. wrote: On 12.12.2013 14:16, Erwann Abalea wrote: It's not strange. You removed the RSA-* from client side, the result is that the server can't match anything in common between what the client proposed and what the server accepts. The error you get has been

Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-13 Thread Erwann Abalea
Don't regret it, it wasn't that bad ;) -- Erwann ABALEA On 13/12/2013 20:39, andrew cooke wrote: sorry, that was a bad joke i now regret sending. andrew On Fri, Dec 13, 2013 at 04:01:23PM -0300, Andrew Cooke wrote: it depends how many characters differ when sorted. in this case: ECDHE

Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-12 Thread Erwann Abalea
It's not strange. You removed the RSA-* from client side, the result is that the server can't match anything in common between what the client proposed and what the server accepts. The error you get has been sent by the server. -- Erwann ABALEA On 11/12/2013 22:34, Walter H. wrote: Hello

Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-11 Thread Erwann Abalea
to only allow (EC)DHE key exchange mechanisms, by tweaking its acceptable ciphersuites -- Erwann ABALEA On 11/12/2013 20:29, Walter H. wrote: [...] can please someone tell me why I get in FF (in an old 3.6 and in an relatively actual one 24.2esr) This Connection is Untrusted www.google.nl uses

Re: [openssl-users] Re: Bad OIDs

2013-11-29 Thread Erwann Abalea
On 28/11/2013 22:18, Rob Stradling wrote: On 28/11/13 15:14, Erwann Abalea wrote: How nice, they're asking for a self-signed certificate to include a specific EKU to indicate it's a Trust Anchor, and the OID used for this has never been allocated. Crazy. It's crazier than that. RFC5906

Re: [openssl-users] Re: Bad OIDs

2013-11-29 Thread Erwann Abalea
On 29/11/2013 16:25, Dr. Stephen Henson wrote: On Thu, Nov 28, 2013, Erwann Abalea wrote: How nice, they're asking for a self-signed certificate to include a specific EKU to indicate it's a Trust Anchor, and the OID used for this has never been allocated. Crazy. I just looked at OpenSSL's

Re: [openssl-users] Re: Bad OIDs

2013-11-29 Thread Erwann Abalea
On 29/11/2013 17:53, Erwann Abalea wrote: On 29/11/2013 16:25, Dr. Stephen Henson wrote: Changing OIDs in the table is problematical. If anything uses them it could break them in all sorts of ways. The NID_* entries would change and text based lookup would no longer work. The reference

Bad OIDs (was: Re: Verification of a x509 certificate signature)

2013-11-28 Thread Erwann Abalea
by PKIX. RFC5906 uses a trustRoot EKU, without any OID being proposed or referenced. Your certificate includes the later one in the EKU extension. -- Erwann ABALEA On 28/11/2013 14:26, Dereck Hurtubise wrote: It is NTP indicating that this certificate is held by a supposed trusted root

Re: [openssl-users] Need to send CN attribute in TeletexString/T61String format for ASN1DN Id and certificate

2013-11-25 Thread Erwann Abalea
. -- Erwann ABALEA On 25/11/2013 15:15, Sanjay Kumar (sanjaku5) wrote: Hi, We need to send CN attribute in TeletexString format for ASN1DN Id and certificate. Does openssl support for TeletexString/ T61String(T61String, an arbitrary string of T.61 (eight-bit) characters.) ? What

Re: [openssl-users] CA certificate bundle bogus certs

2013-11-25 Thread Erwann Abalea
certificates, such as bogus live.com cert, but also DigiNotar CA certificates, MD5-collision CA, other bogus certs (gmail, yahoo, etc), and CA certificates not trusted for SSL use. Don't use that file, at all. -- Erwann ABALEA

Re: [openssl-users] OpenSSL doesn't treat RFC 3280 validations as an error?

2013-11-13 Thread Erwann Abalea
Hello, On 13/11/2013 11:35, Igor Sverkos wrote: Hi, please see the following certificate: -BEGIN CERTIFICATE- MIIEbTCCA1WgAwIBAgICLgAwDQYJKoZIhvcNAQEFBQAwQDELMAkGA1UEBhMCVVMx [...] uKnvqzQP10A7f3PBsGYRA2DCeMDavaEoizJnNyjCOQx4 -END CERTIFICATE- It seems to be a valid

Re: [openssl-users] Re: OpenSSL doesn't treat RFC 3280 validations as an error?

2013-11-13 Thread Erwann Abalea
UTF8String (SIZE (1..MAX)), bmpString BMPString (SIZE (1..MAX)) } Nearly every attribute type is encoded as a DirectoryString. An empty element doesn't respect the size constraint, so is invalid. -- Erwann ABALEA On 13/11/2013 11:48, Ben Laurie wrote: On 13 November

Re: [openssl-users] OpenSSL doesn't treat RFC 3280 validations as an error?

2013-11-13 Thread Erwann Abalea
On 13/11/2013 13:30, Igor Sverkos wrote: Hello, thank you for your response. There's one thing in your reply I don't understand: Erwann Abalea wrote: It seems to be a valid certificate for OpenSSL, right? OpenSSL can parse it, yes. [...] Reading X.520 shows that the DirectoryString

Re: [openssl-users] Is aesni-intel module required for openssl

2013-11-07 Thread Erwann Abalea
The Linux kernel module isn't necessary for OpenSSL. -- Erwann ABALEA On 07/11/2013 06:48, sarav.sars wrote: Is it necessary to load aesni-intel module like 'modprobe aesni-intel' ? Loading this module makes no difference in openssl speed output

Re: [openssl-users] Re: connection problem with the version 1.0.1e

2013-10-14 Thread Erwann Abalea
On 11/10/2013 19:57, nehakochar wrote: Erwann ABALEA wrote The server and client are both compliant. With the first command, you tell the client to use TLS1.0 only. No more, no less. The server is ok with it, and both negotiate TLS1.0. With the second command, you tell the client to use

Re: [openssl-users] Re: connection problem with the version 1.0.1e

2013-10-11 Thread Erwann Abalea
Hello, On 11/10/2013 03:35, nehakochar wrote: Rajesh Malepati wrote On Wed, Jul 24, 2013 at 9:30 PM, kirpit <kirpit@> wrote: The server doesn't seem to care to respond to clients supporting TLS 1.2 ok: openssl s_client -tls1 -connect emea.webservices.travelport.com:443 no

Re: [openssl-users] Updating key size - security related questions

2013-10-10 Thread Erwann Abalea
Hello, On 10/10/2013 18:29, int0...@safe-mail.net wrote: Hi, I've been asking this on the OpenVPN mailinglist, but didn't get an answer so far. Therefore I hope you can help me. We use OpenVPN in our company with the default cipher suite, which should be: DHE_RSA_BF_CBC_SHA So RSA is

Re: [openssl-users] Re: adding certificate policies extension in CSR

2013-09-09 Thread Erwann Abalea
The requestor is allowed to ask for any extension it wants. The CA will do its job, ignore those requested extensions, and place the good ones in the certificate. It can also change the subject name contained in the certificate. -- Erwann ABALEA On 09/09/2013 11:21, phildoch wrote: Oh I

Re: [openssl-users] Precedence of URL between configured one and provided in AIA filed.

2013-09-03 Thread Erwann Abalea
That's software dependent. Either one is a valid responder, and either response has the same value, there's no priority. -- Erwann ABALEA On 02/09/2013 10:27, deepak.kathuria wrote: Hi, I am using openssl OCSP utility as OCSP Responder in linux platform. At OCSP Requester side, if OCSP

Re: [openssl-users] X509 CRLs

2013-08-27 Thread Erwann Abalea
Hello, On 27/08/2013 18:14, Thaddeus Fuller wrote: Hello all, I had a couple questions about X509 CRLs. 1) It appears that OpenSSL does not check my tree against the CRLs I provide. If I revoke my own leaf certificate, and establish mutually-authenticated SSL, OpenSSL does not prevent

Re: [openssl-users] RE: CA hierarchy / pathlen:0

2013-08-22 Thread Erwann Abalea
Hello, On 22/08/2013 14:56, Peter1234 wrote: You misunderstand how it’s supposed to work. OpenSSL does not prevent you from signing anything. It can’t; for example, you could use other software and generate the signature. Instead, when the recipient gets a certificate, and verifies the

Re: [openssl-users] Re: Displaying cert with ecdsa

2013-08-19 Thread Erwann Abalea
On 16/08/2013 20:10, Robert Moskowitz wrote: On 08/14/2013 05:37 PM, Dave Thompson wrote: From: owner-openssl-us...@openssl.org On Behalf Of Robert Moskowitz Sent: Wednesday, 14 August, 2013 15:49 I have a CA cert in pem format that uses ecdsa. I have tried to display the contents with:

Re: [openssl-users] Country Name field in CA generated by openssl is encoded as PRINTABLESTRING

2013-06-21 Thread Erwann Abalea
countryName is ALWAYS a PrintableString, and is ALWAYS 2 characters long. See X.520 for a normative definition, included in RFC5280 for information. -- Erwann ABALEA On 20/06/2013 18:33, phildoch wrote: Country Name field in CA generated by openssl is encoded as PRINTABLESTRING while other

Re: [openssl-users] Certificate chain issue

2013-06-04 Thread Erwann Abalea
Try these: - split the certificates from your CA/cecert.pem into individual files with correct hashes - run strace -eopen openssl verify -CApath yourcacertsdirectory client.cert -- Erwann ABALEA On 04/06/2013 09:02, Leon Brits wrote: Hi all, I have just created a new CA which has

Re: [openssl-users] Display CSR w/ subjectAltName

2013-05-23 Thread Erwann Abalea
Are you sure there's a SAN extension in the displayed CSR? Dump the entire content with asn1parse. -- Erwann ABALEA On 23/05/2013 17:41, Craig White wrote: I want to be able to view CSR's with subjectAltName's but I can't figure out any way to make it happen. I have poured over the man

Re: [openssl-users] How to create CSR with SN attribute

2013-05-22 Thread Erwann Abalea
That question has been answered a few days ago. Here's an example: openssl req -new -newkey rsa:2048 -keyout dumb.key -nodes -out dumb.req -subj /C=UT/O=Whatever/GN=Per/SN=Edlund -- Erwann ABALEA On 20/05/2013 16:47, Per Edlund wrote: Hello! I need to create a key and a csr with SN

Re: [openssl-users] openssl req -x509 Serial Number

2013-04-29 Thread Erwann Abalea
On 28/04/2013 20:26, redpath wrote: When an x509 is created using the openssl command it creates a default serial number if one not supplied How is this serial number created (algorithm) in general. A 64bits random number. openssl req -x509 etcetera The default serial number is quite

Re: [openssl-users] RE: extended x509 custom, Attributes and BEGIN Certificate size

2013-04-27 Thread Erwann ABALEA
duplicate in information. The extended attributes have information and the PEM has the base64 encoding below. Is there a way not to have this duplicate info for efficient size? -- Erwann ABALEA erwann.aba...@keynectis.com

Re: [openssl-users] X509 custom extension

2013-04-26 Thread Erwann Abalea
Hello, On 26/04/2013 15:15, redpath wrote: I am adding a custom extension to an x509 a png icon basically (bytes). Since the png icon is too large to post the data I have substituted it with a file called sample.txt that has a text line This is a sample. The code excerpt to add the

Re: [openssl-users] handling of expired certificates

2013-04-24 Thread Erwann Abalea
that may now declare your certificate as revoked. Verify the validity of the certificate at the current time. If you want to periodically check for the validity of the certificate because you're using it for a looong session, that's up to you. -- Erwann ABALEA On 23/04/2013 19:17, Vijaya

Re: [openssl-dev] MD5 in openSSL internals

2013-04-23 Thread Erwann Abalea
think you could define your own with TLS1.0). -- Erwann ABALEA On 23/04/2013 08:29, Venkataragavan Narayanaswamy wrote: Hi, We are currently analyzing and understanding the security strength of the openSSL internal implementation to certify the products. In version 0.9.8d, TLSv1.0 alone

Re: [openssl-users] Re: [openssl-dev] MD5 in openSSL internals

2013-04-23 Thread Erwann Abalea
on collision of both MD5 and SHA1 at the same time. -- Erwann ABALEA On 23/04/2013 14:28, David Jacobson wrote: Careful about this. The technically correct answer is misleading. Yes, MD5 is used in the PRF, but it is XORed with SHA1. So you get at least the strength of the stronger of the two

Re: [openssl-users] Re: SSL / SMTP

2013-04-17 Thread Erwann Abalea
On 17/04/2013 18:40, Joan Moreau wrote: On 17/04/2013 14:18, Viktor Dukhovni wrote: On Wed, Apr 17, 2013 at 07:24:23AM +, Joan Moreau wrote: 2013-04-17T09:17:36.573675+02:00 server postfix/smtpd[16725]: warning: TLS library problem: 16725:error:140D308A:SSL

Re: [openssl-users] how to STORE encrypted string in database

2013-03-28 Thread Erwann Abalea
as binary data. In fact, following your link, those are the first 2 answers... -- Erwann ABALEA On 28/03/2013 19:08, Jevin Sonut wrote: hi, i have encrypted a string using Blowfish from Openssl library i got the following string A▓☼LÝ$øä²↓j╗ú¤Ä:ðï▲ i inserted the data into my database

Re: [openssl-users] using multiple keys

2013-03-15 Thread Erwann Abalea
openssl enc encrypts one file at a time, and can read the first line of a file to get the passphrase (in order to derive key and iv). If you want to provide your own key and iv, you have to do it as command line arguments. Key management is out of scope. -- Erwann ABALEA On 15/03/2013 06:33

Re: [openssl-users] Re: having a lot of troubles trying to get AES-NI working

2013-03-15 Thread Erwann Abalea
its behaviour. It's not resistant to a reboot, it's only process dependent. Compare the following results: * OPENSSL_ia32cap=~0x202 openssl speed -elapsed -evp aes-128-cbc * openssl speed -elapsed -evp aes-128-cbc -- Erwann ABALEA On 15/03/2013 04:46, Ewen Chan wrote

Re: [openssl-users] using multiple keys

2013-03-15 Thread Erwann Abalea
On 15/03/2013 13:54, Ewen Chan wrote: Sorry, my bad. Wrong terminology. (The AES wiki says that it uses a key.) But I was really thinking about multiple passphrases. And from this passphrase, a key and IV can be generated. It's easier to remember a passphrase than a bunch of hex

Re: [openssl-users] Validation error on generated csr

2013-03-15 Thread Erwann Abalea
Hello, On 15/03/2013 14:07, Tim Tassonis wrote: Hi I am trying to generate a csr in a c program by having the signing part done by pkcs11 calls, and while I get no errors, the resulting csr fails upon validation: $ openssl req -verify -in wltx.csr verify failure

Re: [openssl-users] Offline Root CA and CRL generation

2013-03-15 Thread Erwann Abalea
, but you'll have to check with your clients. And find a way to distribute this certificate. -- Erwann ABALEA On 15/03/2013 15:53, Sven Dreyer wrote: Hi List, I would like to setup an OpenSSL-based offline Root CA. Certificates issued by this Root CA contain a CDP. I would like to issue CRLs

Re: [openssl-users] Offline Root CA and CRL generation

2013-03-15 Thread Erwann Abalea
On 15/03/2013 17:01, Sven Dreyer wrote: Hi Erwann, On 15.03.2013 16:16, Erwann Abalea wrote: You can generate a self-issued certificate dedicated to CRL signing (same name, different key, signed by your root). That's acceptable for RFC5280, but you'll have to check with your clients

Re: [openssl-users] specifying the number of rounds that I would like to use with AES-192-CBC

2013-03-13 Thread Erwann Abalea
If you change the number of rounds, then it's not AES anymore, but a custom Rijndael. Reading the source code, it appears there's no support for that in OpenSSL (and poking inside an AES_KEY to change the number of rounds probably won't work). -- Erwann ABALEA On 13/03/2013 14:32, Ewen Chan

Re: [openssl-users] specifying the number of rounds that I would like to use with AES-192-CBC

2013-03-13 Thread Erwann Abalea
uses. Number of rounds is important for AES security as it is for any other algorithm (think about attacks on reduced-rounds AES/SHA/whatever). -- Erwann ABALEA On 13/03/2013 15:31, Ewen Chan wrote: So the algorithms include the number of rounds? I thought that it would only describe the math

Re: [openssl-users] specifying the number of rounds that I would like to use with AES-192-CBC

2013-03-13 Thread Erwann Abalea
GPGPU isn't natively supported. You can write your own engine if you want, but I think memory transfers will dominate the cost. AES-NI is natively supported (I get about 550MB/s on my i5 M540 @2.53 GHz for 8k blocks). -- Erwann ABALEA On 13/03/2013 16:49, Ewen Chan wrote: Would

Re: [openssl-users] specifying the number of rounds that I would like to use with AES-192-CBC

2013-03-13 Thread Erwann Abalea
to code using the OpenSSL library. On Wed, Mar 13, 2013 at 12:12 PM, Erwann Abalea erwann.aba...@keynectis.com wrote: GPGPU isn't natively supported. You can write your own engine if you want, but I think memory transfers will dominate the cost. AES-NI is natively supported (I get about 550MB/s
