Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-28 Thread Steffan Karger
On 28-02-17 06:09, James Yonan wrote: > On 27/02/2017 18:18, David Sommerseth wrote: > >> On 27/02/17 23:06, James Yonan wrote: >>> On 25/02/2017 08:40, Steffan Karger wrote: >> [...snip...] I'd say so. Something like: legacy: RSA 1024+, SHA1+, all curves default: RSA 2048+,

Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-27 Thread James Yonan
On 27/02/2017 18:18, David Sommerseth wrote: > On 27/02/17 23:06, James Yonan wrote: >> On 25/02/2017 08:40, Steffan Karger wrote: > [...snip...] >>> I'd say so. Something like: >>> >>> legacy: RSA 1024+, SHA1+, all curves >>> default: RSA 2048+, SHA2+, all curves >>> suiteb: no RSA,

Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-27 Thread David Sommerseth
On 27/02/17 23:06, James Yonan wrote: > On 25/02/2017 08:40, Steffan Karger wrote: [...snip...] >> I'd say so. Something like: >> >> legacy: RSA 1024+, SHA1+, all curves >> default: RSA 2048+, SHA2+, all curves >> suiteb: no RSA, SHA256/SHA384, P-256/P-384 >> >> As long as we kick anything that's

Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-27 Thread James Yonan
On 25/02/2017 08:40, Steffan Karger wrote: > On 25-02-17 07:04, James Yonan wrote: >> On 24/02/2017 16:10, Steffan Karger wrote: >>> On 24-02-17 22:28, James Yonan wrote: On 24/02/2017 02:40, Steffan Karger wrote: > On 23-02-17 22:41, James Yonan wrote: >> On 23/02/2017 01:22,

Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-25 Thread Steffan Karger
On 25-02-17 07:04, James Yonan wrote: > On 24/02/2017 16:10, Steffan Karger wrote: >> On 24-02-17 22:28, James Yonan wrote: >>> On 24/02/2017 02:40, Steffan Karger wrote: On 23-02-17 22:41, James Yonan wrote: > On 23/02/2017 01:22, Steffan Karger wrote: >> On 22-02-17 19:48, James

Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-24 Thread James Yonan
On 24/02/2017 16:10, Steffan Karger wrote: > Hi, > > On 24-02-17 22:28, James Yonan wrote: >> On 24/02/2017 02:40, Steffan Karger wrote: >>> On 23-02-17 22:41, James Yonan wrote: On 23/02/2017 01:22, Steffan Karger wrote: > On 22-02-17 19:48, James Yonan wrote: >> mbedTLS 2 has a new

Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-24 Thread Steffan Karger
Hi, On 24-02-17 22:28, James Yonan wrote: > On 24/02/2017 02:40, Steffan Karger wrote: >> On 23-02-17 22:41, James Yonan wrote: >>> On 23/02/2017 01:22, Steffan Karger wrote: On 22-02-17 19:48, James Yonan wrote: > mbedTLS 2 has a new feature that allows rejection of certificates if the

Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-24 Thread James Yonan
On 24/02/2017 02:40, Steffan Karger wrote: > On 23-02-17 22:41, James Yonan wrote: >> On 23/02/2017 01:22, Steffan Karger wrote: >>> On 22-02-17 19:48, James Yonan wrote: mbedTLS 2 has a new feature that allows rejection of certificates if the key size is too small or the signing hash

Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-24 Thread Steffan Karger
On 23-02-17 22:41, James Yonan wrote: > On 23/02/2017 01:22, Steffan Karger wrote: >> On 22-02-17 19:48, James Yonan wrote: >>> mbedTLS 2 has a new feature that allows rejection of certificates if the >>> key size is too small or the signing hash is weak. >>> >>> The feature is controlled via

Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-23 Thread James Yonan
On 23/02/2017 01:22, Steffan Karger wrote: > Hi James, > > On 22-02-17 19:48, James Yonan wrote: >> mbedTLS 2 has a new feature that allows rejection of certificates if the >> key size is too small or the signing hash is weak. >> >> The feature is controlled via struct mbedtls_x509_crt_profile.

Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-23 Thread Steffan Karger
Hi James, On 22-02-17 19:48, James Yonan wrote: > mbedTLS 2 has a new feature that allows rejection of certificates if the > key size is too small or the signing hash is weak. > > The feature is controlled via struct mbedtls_x509_crt_profile. > > For example, you could specify that

[Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-22 Thread James Yonan
mbedTLS 2 has a new feature that allows rejection of certificates if the key size is too small or the signing hash is weak. The feature is controlled via struct mbedtls_x509_crt_profile. For example, you could specify that certificates must be at least 2048 bits and use a SHA-2 signing alg.