On Thu, Apr 24, 2014 at 11:39:42AM -0400, Paul Wouters wrote:
> On Thu, 24 Apr 2014, Florian Weimer wrote:
>
> >I don't think "openssl genrsa 2048" has this issue on today's
> >machines. (I know I saw it with GNUTLS.)
>
> I was sceptical, so I tried this on a freshly booted VM:
>
> root@bofh:~#

On 04/24/2014 08:39 AM, Paul Wouters wrote:
> On Thu, 24 Apr 2014, Florian Weimer wrote:
> > I don't think "openssl genrsa 2048" has this issue on today's
> > machines. (I know I saw it with GNUTLS.)
>
> I was sceptical, so I tried this on a freshly booted VM:
>
> root@bofh:~# virsh start north
> Domain north

On Thu, Apr 24, 2014 at 10:10:15AM -0400, Adam Jackson wrote:
> On Thu, 2014-04-24 at 15:47 +0200, Florian Weimer wrote:
> > I'm working on advice on automated X.509 certificate generation during
> > package installation.
> >
> > One aspect is that these files obviously have to be generated on th

On 04/24/2014 05:39 PM, Paul Wouters wrote:
> On Thu, 24 Apr 2014, Florian Weimer wrote:
> > I don't think "openssl genrsa 2048" has this issue on today's
> > machines. (I know I saw it with GNUTLS.)
>
> I was sceptical, so I tried this on a freshly booted VM:
>
> root@bofh:~# virsh start north
> Domain north

On Thu, 24 Apr 2014, Florian Weimer wrote:
> I don't think "openssl genrsa 2048" has this issue on today's machines. (I
> know I saw it with GNUTLS.)

I was sceptical, so I tried this on a freshly booted VM:

root@bofh:~# virsh start north
Domain north started
root@bofh:~# ssh root@north
Last logi

On 04/24/2014 04:20 PM, Paul Wouters wrote:
> On Thu, 24 Apr 2014, Florian Weimer wrote:
> > I'm working on advice on automated X.509 certificate generation during
> > package installation.
>
> I would strongly recommend doing it on first service start. I've lived
> through the FreeS/WAN times and my experie

Paul Wouters writes:
> [...]
> How many packages would actually perform any kind of "opportunistic
> encryption"? I know the mail servers prefer a selfsigned cert over no
> cert whatsoever, but what other applications have this issue of "better
> unknown certificate than plaintext" ?
Probably al

On Thu, 2014-04-24 at 15:47 +0200, Florian Weimer wrote:
> I'm working on advice on automated X.509 certificate generation during
> package installation.
>
> One aspect is that these files obviously have to be generated on the
> system during installation (or first service start) and cannot be

On Thu, 24 Apr 2014, Florian Weimer wrote:
> I'm working on advice on automated X.509 certificate generation during
> package installation.

I would strongly recommend doing it on first service start. I've lived
through the FreeS/WAN times and my experience with it for 15+ years
caused us (in libre