RE: RSA public key in x509 format

2012-11-02 Thread Dave Thompson
>From: owner-openssl-us...@openssl.org On Behalf Of Taraniteja Vishwanatha >Sent: Friday, 02 November, 2012 18:29 Answering only -users, this is not a -dev question. >I want to generate a RSA key pair in x509 format and pem encoded >( BEGIN PUBLIC KEY .END PUBLIC KEY). >Can anyone give m

RE: Automating self signed certificate creation

2012-11-02 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Mauricio Tavares > Sent: Friday, 02 November, 2012 16:53 > On Fri, Nov 2, 2012 at 4:23 PM, Ken Goldman > wrote: > > I create a self signed certificate using > > > >> openssl req -new -x509 -key ... -out ... -days ... > > > > It then prompts fo

RE: ECDH-RSA and TLS 1.2 [AESGCM]

2012-11-02 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Abhiram Shandilya > Sent: Thursday, 01 November, 2012 21:31 -dev added > I configured my openssl RSA CA to add the key usage extension > for key agreement to the ECC certificate but even then it > does not work. Pre-TLS 1.2 cipher suites such

Re: Automating self signed certificate creation

2012-11-02 Thread Felipe Gasper
On 2.11.12 3:23 PM, Ken Goldman wrote: I create a self signed certificate using > openssl req -new -x509 -key ... -out ... -days ... It then prompts for the country, state, locality, etc. Is there a way to enter that data on the command line or in a configuration file to avoid the prompts? I

Re: Automating self signed certificate creation

2012-11-02 Thread Mauricio Tavares
On Fri, Nov 2, 2012 at 4:23 PM, Ken Goldman wrote: > I create a self signed certificate using > >> openssl req -new -x509 -key ... -out ... -days ... > > It then prompts for the country, state, locality, etc. > > Is there a way to enter that data on the command line or in a configuration > file to

Re: ECDH-RSA and TLS 1.2

2012-11-02 Thread Jeffrey Walton
On Fri, Nov 2, 2012 at 4:30 PM, Jakob Bohm wrote: > (continuing TOFU posting to keep the thread somewhat consistent) > > Given some of the mathematical restrictions on parameters needed to > keep DSA and ECDSA safe from attackers, I don't think using the same > private key for ECDSA and ECDH is a

Re: ECDH-RSA and TLS 1.2

2012-11-02 Thread Jakob Bohm
(continuing TOFU posting to keep the thread somewhat consistent) Given some of the mathematical restrictions on parameters needed to keep DSA and ECDSA safe from attackers, I don't think using the same private key for ECDSA and ECDH is a good/safe idea. However I am not a genius cryptanalyst, so

Automating self signed certificate creation

2012-11-02 Thread Ken Goldman
I create a self signed certificate using > openssl req -new -x509 -key ... -out ... -days ... It then prompts for the country, state, locality, etc. Is there a way to enter that data on the command line or in a configuration file to avoid the prompts? I tried -config and a configuration file

RE: ECDH-RSA and TLS 1.2

2012-11-02 Thread Abhiram Shandilya
I thought the keys in ECC certificates can be used for both ECDH key agreement and ECDSA digital signature. -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Erik Tkal Sent: Friday, November 02, 2012 8:24 AM To: openssl-users@o

openssl verify always returns 0 (success) to shell

2012-11-02 Thread Ken Goldman
In testing my regression tests, I supply a bad CA certificate to force the verify to fail. I use: > openssl verify -CAfile cacert.pem cert.pem It printed this, which I expected. "error 20 at 0 depth lookup: ..." However, when my bash script checks the return code, it is still 0. I was hop

Re: setting a CSR’s challenge password?

2012-11-02 Thread Jakob Bohm
On 11/2/2012 5:20 PM, Felipe Gasper wrote: Hi all, What ways other than the interactive command shell are available for setting a CSR’s challenge password attribute? I can’t find a command-line switch that does it, and perl’s Crypt::OpenSSL::PKCS10 doesn’t seem to know about it, eithe

setting a CSR’s challenge password?

2012-11-02 Thread Felipe Gasper
Hi all, What ways other than the interactive command shell are available for setting a CSR’s challenge password attribute? I can’t find a command-line switch that does it, and perl’s Crypt::OpenSSL::PKCS10 doesn’t seem to know about it, either. Thanks! -Felipe Gasper Houston, TX

Re: ECDH-RSA and TLS 1.2

2012-11-02 Thread Billy Brumley
> Well one reason is that the fixed ECDH cipher suites do not support forward > secrecy because they always use the same ECDH key. ECDHE cipher suites as implemented in OpenSSL don't necessarily support forward secrecy either. I wonder what it takes to get SSL_OP_SINGLE_ECDH_USE option by default

setting a CSR’s challenge password?

2012-11-02 Thread Felipe Gasper
Hi all, What ways other than the interactive command shell are available for setting a CSR’s challenge password attribute? I can’t find a command-line switch that does it, and perl’s Crypt::OpenSSL::PKCS10 doesn’t seem to know about it, either. Thanks! -Felipe Gasper Houston, T

RE: ECDH-RSA and TLS 1.2

2012-11-02 Thread Erik Tkal
What if the server has an ECDH certificate? Would that then be the appropriate set of suites? Erik Tkal Juniper OAC/UAC/Pulse Development -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of

Re: Enabling https capability

2012-11-02 Thread Jakob Bohm
On 11/2/2012 3:06 PM, John A. Wallace wrote: -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl- us...@openssl.org] On Behalf Of Jakob Bohm Sent: Thursday, November 01, 2012 12:25 PM To: openssl-users@openssl.org Subject: Re: Enabling https capability (Note

RE: Enabling https capability

2012-11-02 Thread John A. Wallace
> -Original Message- > From: owner-openssl-us...@openssl.org [mailto:owner-openssl- > us...@openssl.org] On Behalf Of Jakob Bohm > Sent: Thursday, November 01, 2012 12:25 PM > To: openssl-users@openssl.org > Subject: Re: Enabling https capability > > (Note you really should have started