the CA cert itself stronger? I don't
care if the CA takes 30 seconds longer to sign a cert - but I'd really
care if it made a web browser hang when talking to the resultant server
cert ;-)
Thanks!
--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481
experience, our company has been one of the few enterprise environments
where a PKI has actually fundamentally improved our security posture,
and it was ENTIRELY through focusing on processes - not the technology!
(sheesh, ask a simple question... ;-)
--
into a normal CSR for openssl ca to sign, then bundle it appropriately
up for delivery back to the SCEP client? Is that even possible with
command line tools, or is this exclusively the realm of actual PKI products?
Thanks!
--
So when you attempt to access https://server/ssl_secure/ - you are asked
for your client cert.
We have another section of the site that has SSLVerifyClient optional
and that also triggers the same fault in MSIE - and FF/Chrome work fine :-(
Help?
Thanks!
--
it and check if MSIE likes it.
Nope - didn't make a difference
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
cert case too well - I certainly don't understand why only
MSIE is having a problem.
--
On 04/02/2010 08:13 AM, Jason Haar wrote:
On 04/02/2010 02:21 AM, Chris Clark wrote:
You need to upgrade Apache to httpd-2.2.15 (released March 6, 2010)
Your version is years old.
OK, this is getting weird... I just created the same directory structure
on a CentOS-5.3 server
me
--
://support.microsoft.com/kb/291010/
Jason
Jason Haar wrote:
Hi there
I'm evaluating eTokens for secure cert storage and along with other
aspects was looking at the ability for Windows domains to use smartcards
to control login access. Aladdin eToken documentation explicitly states
you have
control looks for.
Any ideas what they are (or am I totally off-track?)
Thanks!
--
going to
simply start a new CA. We'll reconfigure all our servers to accept
both the old and new CA, and then simply phase over all new signings to
the new CA.
--
and having to touch 1000's of
machines to update them). But I get the feeling this can't be done
--
. \
and %{SSL_CLIENT_S_DN_OU} in {Staff, CA, Dev}
--
people using client certs for email - well that worked!!! ;-)... I
removed that and now a cert can decrypt S/MIME emails :-)
Thanks for that Steve!
--
. Hopefully someone
knows?
Thanks!
--
Richard Levitte wrote:
Jason Haar writes:
Under Windows (which trusts the CA), Outlook is happy to associate
the cert with digital signing, and can send both signed and encrypted
emails. However (and here's the shocker) *IT CAN'T READ THE SENT
ITEMS COPY OF THE EMAIL IT JUST SENT*
Stupid
:-)
--
...? Corrupted? It can't be altered. I mean if your Web
server is compromised, the integrity of your CRL file is irrelevant
--
some
long-transaction time HTTP events - that's why a full restart is an
issue (it breaks them).
--
CRLs? As far as I'm aware, it
still doesn't?
--
Richard A. Faulk Jr. wrote:
I just tried setting the crl file to DER encoding and specified that files
with .crl extensions are application/x-x509-crl. I am still receiving the
certificate validation failure error on the Cisco concentrator. Is there
anything else that I need to do? Am I
with a serial 1. Strange - I always
thought 0 was an integer as required by the SSL RFCs... :-()
--
key protection than
try to get the certificates via expiry dates to do that job? (and yes,
that can always be worked around as the end-user controls everything in
the case of a cert)
/soapbox
--
showing the
usage or help error.
The problem appears to be that 0.9.7d doesn't allow spaces in -caname or
-name compared with 0.9.7a.
Is that the case, and is there any way of stopping that error?
Thanks
--
public key, then sign a cert with that,
then break through such a system. I know SSLVerifyDepth stops that, I just
want to find another way of doing the same thing...
Thanks! (and brickbats to Microsoft!)
--
issue
- so that they never expire?]
--
that sound roughly correct?
--
traffic except when you go out of your way to
force the app to use a less secure crypto option.
--
looks like raw encrypted
data in hex.
Maybe I have an old version? (0.9b3)
--
.
--
...
Similarly, sshd could use server certs.
Can it be done?
--
if you're using Active Directory :-/
Caching issue perhaps?
--
openssl crl to ensure the serial
number was in it :-) into Mozilla and IE (and therefore Outlook).
Is this a known problem? Pretty darn useless if the MUA doesn't tell you
that a cert has been revoked...
Pretty fundamentally broken.
--
cannot be expected to have to manually handle their CRLs
- this must be a config issue for me... :-(
--
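The CRL messages above (checking with openssl crl that a revoked serial really is in the CRL, handing a DER-encoded CRL to a VPN concentrator, and whether a relying party honours it at all) can be exercised end to end with nothing but the openssl command line. The script below is an added example written for this page, not code from any of the posts: it builds a throwaway CA, issues two client certs, revokes one, publishes the CRL in both PEM and DER, confirms the revoked serial is listed, and shows that a CRL-aware verify now rejects that cert while still accepting the other. It assumes an openssl CLI of 1.1.1 or later; every directory, file name and subject in it is made up for the demo.

```shell
#!/bin/sh
# Added example (not from the list posts): throwaway CA, two client certs,
# revoke one, publish the CRL as PEM and DER, and check the result the way
# a relying party would. Assumes openssl >= 1.1.1; all names are made up.
set -eu

# Lay out a scratch directory the way 'openssl ca' expects and create the
# self-signed CA certificate from a config that needs no interactive input.
setup_ca() {
    dir=$(mktemp -d)
    mkdir "$dir/newcerts"
    : > "$dir/index.txt"
    echo 1000 > "$dir/serial"
    echo 01 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = client_ext

[ demo_policy ]
commonName = supplied

[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth

[ req ]
prompt             = no
distinguished_name = ca_dn
x509_extensions    = v3_ca

[ ca_dn ]
CN = Demo CA

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    echo "$dir"
}

# $1 = CA dir, $2 = CN: make a key and CSR, then have the CA sign it.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl ca -batch -notext -config "$1/ca.cnf" \
        -in "$1/$2.csr" -out "$1/$2.pem" 2>/dev/null
}

# $1 = CA dir, $2 = CN: revoke that cert and regenerate the CRL (PEM and DER).
revoke_and_publish() {
    openssl ca -config "$1/ca.cnf" -revoke "$1/$2.pem" -crl_reason keyCompromise 2>/dev/null
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
    openssl crl -in "$1/crl.pem" -outform DER -out "$1/crl.der"   # for DER-only consumers
}

# $1 = CRL (PEM), $2 = cert: succeed only if the cert's serial is listed.
crl_lists_serial() {
    serial=$(openssl x509 -in "$2" -noout -serial | cut -d= -f2)
    openssl crl -in "$1" -noout -text | grep -q "Serial Number: $serial"
}

# $1 = CA dir, $2 = cert: print "ok" or "revoked" from a CRL-checked verify.
verify_status() {
    if openssl verify -CAfile "$1/ca.pem" -CRLfile "$1/crl.pem" -crl_check "$2" >/dev/null 2>&1
    then echo ok
    else echo revoked
    fi
}

ca=$(setup_ca)
issue_cert "$ca" alice
issue_cert "$ca" bob
revoke_and_publish "$ca" alice
echo "alice: $(verify_status "$ca" "$ca/alice.pem")"   # revoked
echo "bob:   $(verify_status "$ca" "$ca/bob.pem")"     # ok
```

Note that without -crl_check (or the equivalent switch in whatever is doing the validation) openssl verify, and most applications, will happily accept alice's cert even when the CRL is sitting next to them; the CRL only matters to software that is configured to consult it.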
is not degraded).
Is this some hack, or would such things be possible within SSL? My main
thought is for being able to decrypt S/MIME mail, without needing the
originator's cert (same reason: corporate use)
--
the additional key to the
message, so that either the true recipient or the additional key can decrypt
it. Neat way of adding a new feature :-)
--
and especially client
certs without also supporting CRL. But they are still plugging their
products...
After that, we decided Apache was our friend :-)
--
to generate server
certs that can be used by Apache/IIS and EAP-TLS, and client certs that
allow users to do S/MIME, and EAP-TLS - does the -keysig break any of that?
Thanks for your help
--
the
hell's going on :-)
--
some versions of
Netscape, but only the people with 8bit names are going to ever see these
certs anyway, and if their browser crashes on it, well - that's their
problem :-)
Thanks
--
On Wed, Nov 13, 2002 at 09:20:51AM +1300, Jason Haar wrote:
1. find out what charset LDAP returns in
2. find a way to translate those strings into unicode
3. feed the result into OpenSSL with string_mask=utf8only
Actually, it wasn't as hard as all that.
Instead I set string_mask=pkix
this?
Thanks in advance for any help - my poor ASCII brain is feeling
overwhelmed :-)
--
the trick. Now Outlook correctly recognises clientAuth
certs as not being usable for S/MIME - just what I wanted...
Unfortunately Mozilla says the same cert *is* usable for S/MIME! Sigh...
--
everything:
smime,object signing,file recovery,etc.
The signed cert indeed has a X509v3 extensions of SSL Client under
Netscape Cert Type:, but IE ignores that?
What is the equivalent for IE?
Thanks!
--
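The two messages above are about the same thing from opposite ends: nsCertType is a Netscape-only extension that IE and Outlook ignore, and the standard equivalent they (and OpenSSL's own purpose checks) do honour is extendedKeyUsage, clientAuth for TLS client certs and emailProtection for S/MIME. The script below is an added example written for this page, not code from the posts or from any product mentioned in them: it issues one cert with only the client-auth usages and one with only the S/MIME usages, reads both extensions back, and then asks openssl verify -purpose the same question an application would. It assumes openssl 1.1.1 or later; the CA and subject names are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the list posts): one cert with clientAuth +
# nsCertType client, one with emailProtection + nsCertType email, then
# check what each is accepted for. Assumes openssl >= 1.1.1; names made up.
set -eu

# Create the scratch CA (self-signed, CA:TRUE) and a minimal req config.
new_ca() {
    dir=$(mktemp -d)
    cat > "$dir/req.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
[ dn ]
CN = unused, overridden by -subj
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$dir/req.cnf" \
        -extensions v3_ca -subj "/CN=Demo Issuing CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    echo "$dir"
}

# $1 = dir, $2 = name, $3 = extendedKeyUsage list, $4 = nsCertType list.
# The extension file is the only thing that differs between the two certs.
issue() {
    cat > "$1/$2.ext" <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = $3
nsCertType             = $4
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

# $1 = cert, $2 = extension heading as 'openssl x509 -text' prints it.
# Prints the line that follows the heading, with indentation stripped.
ext_value() {
    openssl x509 -in "$1" -noout -text | awk -v h="$2" '
        found { sub(/^[ \t]+/, ""); print; exit }
        index($0, h) { found = 1 }'
}

# $1 = dir, $2 = cert, $3 = purpose name for 'openssl verify -purpose'
# (sslclient, smimesign, ...): print "yes" if the chain validates for it.
usable_for() {
    if openssl verify -CAfile "$1/ca.pem" -purpose "$3" "$2" >/dev/null 2>&1
    then echo yes
    else echo no
    fi
}

ca=$(new_ca)
issue "$ca" alice clientAuth client
issue "$ca" bob emailProtection email
for name in alice bob; do
    echo "$name EKU:        $(ext_value "$ca/$name.pem" "Extended Key Usage")"
    echo "$name nsCertType: $(ext_value "$ca/$name.pem" "Netscape Cert Type")"
    echo "$name sslclient=$(usable_for "$ca" "$ca/$name.pem" sslclient)" \
         "smimesign=$(usable_for "$ca" "$ca/$name.pem" smimesign)"
done
```

A cert that carries no extendedKeyUsage at all is treated as good for any purpose by most validators, which is why a CA that wants to keep TLS and S/MIME identities apart has to put the extension in, not just leave the unwanted usage out.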
-scanner.sourceforge.net/ - ahem. Not that I have anything to
do with that ;-)
--
Cheers
Jason Haar
Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
the mail recipient
envelope header (commonly seen as the "Return-Path:" header).
Their mail server is MAJORLY BROKEN if it is replying to Reply-To headers.
End of story.
--
be the
CA!
Other commercial outfits are producing CAs (Microsoft come to mind - anyone
running Active Directory!?!?!?), so why cannot there be an Opensource one?!?!?
[yes, there are, I know - I'm just trying to impress that this issue isn't as
black-and-white as is being said]
--
e how I can automate this so that I can just create a temp
config file, and run it like:
openssl req -new -nodes -keyout key.pem -out req.pem -days 365 \
-config /tmp/root/temp.conf
and it'll run to completion without requiring me to hit RETURN/etc.
Thanks
--
On Wed, Mar 08, 2000 at 12:14:31PM +, Dr Stephen Henson wrote:
OpenSSL 0.9.5 req was modified to specifically allow this and has
several new config file options, the manual page has an example too.
Absolutely great - just installed and it worked as I wanted :-)
Thanks!
--
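The exchange above (a temp config that lets openssl req run to completion with no prompting, which Dr Henson says 0.9.5 added config options for) and the earlier string_mask thread about non-ASCII subject names are both just config-file settings in the [req] section: prompt = no with the values in the distinguished_name section, utf8 = yes so those values are read as UTF-8, and string_mask to pick the ASN.1 string type. The script below is an added example written for this page, not code from the posts; it assumes openssl 1.1.1 or later, and the organisation and person names are made up for the demo. It generates the same UTF-8 subject under two masks and shows that the printed subject is identical while the encoding inside the request differs.

```shell
#!/bin/sh
# Added example (not from the list posts): non-interactive 'openssl req'
# driven entirely by a generated config, and the effect of string_mask on
# a non-ASCII commonName. Assumes openssl >= 1.1.1; names are made up.
set -eu

# $1 = string_mask value, $2 = commonName (UTF-8). Writes a temporary req
# config, generates key + CSR without any prompting, prints the CSR path.
make_csr() {
    dir=$(mktemp -d)
    cat > "$dir/req.cnf" <<EOF
[ req ]
prompt             = no
utf8               = yes
string_mask        = $1
default_md         = sha256
distinguished_name = dn

[ dn ]
C  = NZ
O  = Example Ltd
CN = $2
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$dir/req.pem" 2>/dev/null
    echo "$dir/req.pem"
}

# $1 = CSR: print its subject as one UTF-8 line, whatever the encoding inside.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt utf8,sep_comma_plus_space,esc_ctrl
}

# $1 = CSR: print the ASN.1 string type OpenSSL chose for the commonName.
cn_string_type() {
    openssl asn1parse -in "$1" |
        awk '/:commonName/ { getline; sub(/.*prim: */, ""); print $1; exit }'
}

for mask in utf8only pkix; do
    csr=$(make_csr "$mask" "Jörg Müller")
    echo "$mask: $(csr_subject "$csr") -> CN stored as $(cn_string_type "$csr")"
done
```

With utf8only the CN is a UTF8String; with pkix (everything except T61String) the same name becomes a BMPString, and with the old default mask it would have been a T61String, which is the case that used to upset some clients. Leave out utf8 = yes and the UTF-8 bytes in the config are taken as Latin-1 characters, so the name is silently mangled rather than rejected.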
to sign that with openssl, and how to convert that
into a signed-cert Exchange would import?
Thanks
--
Cheers
Jason Haar
Unix/Network Specialist, Trimble NZ
Phone: +64 3 3391 377 Fax: +64 3 3391 417
are part of a
multi-national company. If all our Internet mail gateways supported TLS,
then we could use the Internet to transmit our Email instead of expensive
WANs...
I've done our servers - but I can't do our US ones as - well - they're US...
--
If I build OpenSSL as:
./config no-rsa no-rc4
Then that removes all patented algorithms from OpenSSL doesn't it?
Then building things like stunnel with this should produce a "binary" or
"product" that I can legally send to a colleague in the USA to use?
--
53 matches