2015-05-09 21:47 GMT+02:00 Salz, Rich <rs...@akamai.com>:
>
>> After getting into building and especially configuring my own CA again I'm
>> nearly at the end and I've noticed some errors in the documentation I want
>> to report.
>
> I like the "again" :)

Yeah, once upon a time I had done a comprehensive configuration with a Root CA
and two Signing CAs and wrote down the command lines I needed to use, but then
I didn't even touch it for over four years, so I only had a few memories. A
good PKI tutorial and my files helped me get into it again quickly.

>> 1) On https://www.openssl.org/docs/apps/ca.html for the -md option not all
>> possible values (sha256, sha384, etc.) are listed but just md5, sha1 and mdc2
>> 2) On https://www.openssl.org/docs/apps/req.html for the -[digest] option
>> not all possible values are listed
>> 4) On https://www.openssl.org/docs/apps/req.html for the default_md
>> option not all possible values are listed (shouldn't this reference the
>> -[digest] option?)
>> 5) On https://www.openssl.org/docs/apps/x509.html not all available
>> options are listed in -md2|-md5|-sha1|-mdc2
>
> Getting this correct is incredibly painful, as it depends on the
> configuration options chosen when building openssl, and right now the
> manpages are not affected by the config. Our plan for this is to say "any
> supported digest." That will be updated in a couple of days, and then
> pushed to the website an hour or so later.

I see. I thought about mentioning "get a list of supported (message) digests
by using the command openssl list-message-digest-commands" in the doc, but
after I tried that command I just got md4, md5, rmd160, sha, sha1. Since I was
able to create a sha-256 with the -sha256 command option, I guess it's just the
wrong command to get a list of supported digests?

I also tried openssl list-message-digest-algorithms and that shows SHA512,
SHA256, whirlpool (I like that one) and more. However, I don't think that it
shows the correct names of the supported options (case-sensitive?).
Additionally, some options are listed twice, like DSA, DSA-SHA, MD4, MD5. Is
that a bug too?

While being on it I also issued openssl list-cipher-algorithms, and here all
entries are listed twice.

The output gives a list which consists of list (B) appended to list (A). List
(A) has 93 unique entries and shows aliases uppercase (e.g. CAMELLIA256 =>
CAMELLIA-256-CBC). List (B) has 100 entries, 97 of them unique. Aliases are
shown lowercase (camellia256 => CAMELLIA-256-CBC). The additional entries are
id-aes128-GCM, id-aes192-GCM, id-aes256-GCM and blowfish => BF-CBC, while the
three aes ones are listed twice (once correctly between AES-xxx-ECB and
AES-xxx-OFB, once incorrectly between DESX-CBC and rc2 => RC2-CBC).

>> I also would like to ask if there's a newer version (or subtree) of openssl
>> that is cleaned up.
>
> I don't know what you mean by this.

Well, I just asked because if that had been planned I would have liked to
participate in that process. What I meant was a version that's cleaned up of
superseded / deprecated commands and has a more logical structure or command
names, e.g. no CA command and not three different ways of getting the same
result. It's simple enough for doing simple stuff like quickly getting a
self-signed certificate and just gets a little bit more complicated than it
has to be when you begin with complex stuff. But I don't have a problem with
how it's done now :)

>> Currently there are many ways of creating a CSR, signing a
>> certificate, etc. I think this is confusing everybody.
>
> The CA script is a wrapper around the various commands, and is reasonable.
> But we're not planning on removing any of the current mechanisms. Ivan
> Ristic has a really great, free, OpenSSL cookbook that might be useful:
> https://www.feistyduck.com/books/openssl-cookbook/

Thanks for that link. I'll definitely cook some delicious meals with that ;)

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
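A check that goes with the listing questions raised in this message, added here as an example; it is not part of the thread and not OpenSSL's own tooling. It takes the one-name-per-line listing that `openssl list-message-digest-algorithms` prints on 1.0.x (`openssl list -digest-algorithms` on 1.1.x), reports the entries that occur more than once, collapses alias and case variants to canonical names, and then asks the build itself, via `openssl dgst -<name>`, which spellings it accepts. On 1.0.x and 1.1.x both `dgst` and `ca -md` resolve the name with EVP_get_digestbyname(), so the probe is a fair proxy for what `-md` and `default_md` will take. The listing embedded in the script is a constructed sample (modelled on the names mentioned above, not captured output), and the function names are mine.

```sh
#!/bin/sh
# Added example (not from the thread, not OpenSSL's own tooling): normalise
# the digest listing OpenSSL 1.0.x prints with
#   openssl list-message-digest-algorithms
# (1.1.x: openssl list -digest-algorithms, same one-name-per-line shape),
# report repeated entries, and probe which spellings this build accepts.

# Constructed sample of such a listing: plain names, "alias => NAME"
# lines, and a repeated block like the one described in the thread.
SAMPLE_DIGESTS='DSA => DSA-SHA1
DSA-SHA => DSA-SHA1
DSA-SHA1
MD4
MD5
RSA-SHA256 => SHA256
SHA256
SHA512
ecdsa-with-SHA1 => SHA1
sha256 => SHA256
whirlpool
DSA => DSA-SHA1
DSA-SHA => DSA-SHA1
MD4
MD5'

# Lines that occur more than once, printed verbatim (one copy each).
duplicate_names() {
    printf '%s\n' "$1" | LC_ALL=C sort | uniq -d
}

# Unique canonical names: an "alias => NAME" line contributes NAME, a plain
# name contributes itself. Lowercasing folds SHA256 and sha256 (both appear
# in the listing) into one entry; whether a given spelling is *accepted* is
# what probe_digests answers. Lines of neither shape (e.g. the provider-
# grouped "{ OID, NAME } @ provider" lines printed by 3.x) are skipped.
canonical_digests() {
    printf '%s\n' "$1" \
    | awk -F' => ' 'NF && $1 ~ /^[A-Za-z0-9_-]+$/ { print (NF > 1) ? $2 : $1 }' \
    | tr '[:upper:]' '[:lower:]' \
    | LC_ALL=C sort -u
}

# 0 if `openssl dgst -<name>` accepts <name>. dgst and `ca -md` both resolve
# the name with EVP_get_digestbyname() on 1.0.x/1.1.x, so this is a cheap
# proxy for what -md / default_md will take.
digest_usable() {
    printf 'probe' | openssl dgst "-$1" >/dev/null 2>&1
}

# For each name on stdin, try it as listed and in upper case; report both.
probe_digests() {
    while read -r name; do
        upper=$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')
        lo=no; up=no
        digest_usable "$name"  && lo=ok
        digest_usable "$upper" && up=ok
        printf '%-20s -%s:%s  -%s:%s\n' "$name" "$name" "$lo" "$upper" "$up"
    done
}

# Live listing from whichever command this build provides.
list_digests() {
    openssl list -digest-algorithms 2>/dev/null \
    || openssl list-message-digest-algorithms 2>/dev/null
}

main() {
    if command -v openssl >/dev/null 2>&1 \
       && listing=$(list_digests) && [ -n "$listing" ]; then
        live=1
    else
        echo "no openssl listing available, using the constructed sample" >&2
        listing=$SAMPLE_DIGESTS
        live=
    fi
    echo "== entries listed more than once =="
    duplicate_names "$listing"
    echo "== canonical names =="
    canonical_digests "$listing"
    if [ -n "$live" ]; then
        echo "== accepted by openssl dgst (as listed / upper-cased) =="
        canonical_digests "$listing" | probe_digests
    fi
}

main
```

Run it where `openssl` is on the PATH to get the live answer for your build; without `openssl` it falls back to the constructed sample and skips the probe. On the sample, the duplicate report is exactly the four repeated lines and the canonical list is dsa-sha1, md4, md5, sha1, sha256, sha512, whirlpool. On OpenSSL 3.x the listing is provider-grouped, so the awk filter deliberately drops those lines; adapt the pattern if you want the same report there. Note also that `list-message-digest-commands` lists the entries of the built-in digest subcommand table (`openssl md5`, `openssl sha1`, ...), not the digests the build supports, which is why it is the shorter of the two lists.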