I have softhsm-v2.5.0-rc1 which has ec keys imported in it. Now, when I try to
use these keys from openssl CLI using the pkcs11 engine, it fails.
1. SoftHSM version
[]:~$ softhsm2-util --version
2.5.0rc1
2. SoftHSM token init
[]:~$ softhsm2-util --init-token --slot 0 --label "token 2.5.0-rc1"
I get the following error when I try to access the ed25519 key stored in
SoftHSM via the openssl engine interface using engine_pkcs11.
[]:~$ openssl pkey -in
In message <4ac69fc3-bec7-46f6-882a-671196fc0...@contoso.com> on Mon, 17 Sep
2018 20:59:59 +, "Paras Shah (parashah)" said:
> 4. Import the key into softhsm
>
> []:~$ softhsm2-util --import ~/tmp/secp256k1-key.pem.pkcs8 --label "ec key"
> --id --token
> "token 2.5.0-rc1"
Ok, so
Thanks very much Matt. I have indeed built with NGINX configure opt
--with-openssl-opt=enable-weak-ssl-cipher and whilst I don¹t see an error
when running NGINX with a/some 3DES cipher(s) in the ciphers list, I don¹t
see any 3DES ciphers in the output of e.g. Testssl and I can¹t make a
connection
That is not it. It results in the same error for the EC key.
It is not the URL or the ID. Because for a RSA key in the softhsm with id =
, it works fine with url containing id=%33%33
$ openssl pkey -in
Hi all
I'm trying to re-add 3DES support (a temporary move, due to business
requirements) to an NGINX (1.15.3) + OpenSSL (1.1.1) build via the NGINX build
flag --with-openssl-opt=enable-weak-ssl-ciphers which i learnt from
https://www.openssl.org/blog/blog/2016/08/24/sweet32/.
Whilst I do see
On 17/09/18 16:29, Neil Craig wrote:
> Hi all
>
> I'm trying to re-add 3DES support (a temporary move, due to business
> requirements) to an NGINX (1.15.3) + OpenSSL (1.1.1) build via the NGINX
> build flag --with-openssl-opt=enable-weak-ssl-ciphers which i learnt
> from
Perhaps the pkcs11 engine does not support ed25519 keys?
Matt
On 17/09/18 22:05, Paras Shah (parashah) via openssl-users wrote:
> I get the following error when I try to access the ed25519 key stored in
> SoftHSM via the openssl engine interface using engine_pkcs11.
>
>
>
> []:~$ openssl
I had the same doubt. I have x-posed this question on the opensc mailing list
as well.
On 9/17/18, 3:37 PM, "openssl-users on behalf of Matt Caswell"
wrote:
Perhaps the pkcs11 engine does not support ed25519 keys?
Matt
On 17/09/18 22:05, Paras Shah (parashah) via
On 17/09/18 19:12, Jay Foster wrote:
> There were many many more of these, which I omitted for brevity. I
> looked at the source and it does look like the code is trying to stuff a
> 64-bit constant into a 32-bit variable. Does OpenSSL-1.1.1 work on
> 32-bit architectures?
Yes. It should work
With the recent release of OpenSSL 1.1.1, I tried to cross compile it
for a 32-bit ARM architecture. I observe many compiler warnings similar
to the following:
crypto/ec/curve448/curve448.c:30: warning: integer constant is too large
for 'long' type
crypto/ec/curve448/curve448.c:30: warning:
Would it be possible for you to open this as an issue on Github and include
there your first email and the full logs?
Thanks,
Nicola Tuveri
On Tue, 18 Sep 2018 at 01:15, Paras Shah (parashah) via openssl-users <
openssl-users@openssl.org> wrote:
> That is not it. It results in the same error
> On Sep 17, 2018, at 1:30 AM, Billy Brumley wrote:
>
>> openssl version
>> openssl: /usr/lib/x86_64-linux-gnu/libssl.so.1.1: version
>> `OPENSSL_1_1_1' not found (required by openssl)
>> openssl: /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1: version
>> `OPENSSL_1_1_1' not found (required by
hi all,
I set the fips mode and call the RAND_pseudo_bytes for more than 1<<24 times to
trigger the reseed process, but I found RAND_Poll() still cannot be called in
the reseed process.
if (!initialized) {
RAND_poll();
initialized = 1;
}
the initialized cannot be changed
On Thu, Sep 13, 2018 at 3:51 PM wrote:
> I tryed to dig inside openssl s_client source code, but it's really too
> complex for me, it seems like s_client doesn't use
> SSL_connect, instead, using more low-level functions.
>
>
> So, does anybody have any simple client-side implementation of DTLS
Fedora 29 beta just provided (in testing-update repo):
openssl-1.1.1-2.fc29.armv7hl.rpm
Against this version, I successfully produced by ED25519 pki per:
https://github.com/rgmhtt/draft-moskowitz-eddsa-pki
I have some minor textual edits to make in the draft and then submit
it. Then I can
...and once again FIPS screws those who don't want to adhere to its
mandates (which everyone in the know has always stated simply reduces
security by requiring the use of less-secure ciphers and implementations,
without allowing patches or modifications to deal with newly-discovered
classes of
17 matches
Mail list logo