On Sat, Mar 16, 2013 at 01:16:23AM -0400, Ewen Chan wrote:
> Okay then, here's another one of my infamous dumb questions.
>
> If that's the case, then why do we need the AES-NI instruction set?
It's far from the first accelerated instruction set of dubious utility. ;)
Marketing... etc.
Actually
Okay then, here's another one of my infamous dumb questions.
If that's the case, then why do we need the AES-NI instruction set?
If it's likely going to be storage and/or network bandwidth limited;
wouldn't the improvements made by introducing and incorporating the
AES-NI instruction set be kind
On Sat, Mar 16, 2013 at 12:06:07AM -0400, Ewen Chan wrote:
> That's MUCH faster than I expect it to be (even with AES-NI) and the
> 888 MB/s is faster than any available storage host-bus interface we've
> got right now; so I want to make sure that I am not losing my marbles
> here in trying to make
Do these number make sense or seem reasonable?
(I'm running a Core i7 3930K that's been OC'd to 4.5 GHz up from the
stock 3.2 GHz, running cygwin 1.7.17 on Windows 7 x64 Professional,
with 64 GB of DDR3-1600)
~$ OPENSSL_ia32cap="~0x202" openssl speed -elapsed -evp aes-256-cbc
You have
If I specify a salt, does the salt have to be ASCII or can they be Unicode?
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated
So is the number of rounds set by Rijndahl or the AES spec? I'm confused.
And is the number of rounds hard-coded into the OpenSSL source; or is
it embedded somewhere else?
On Fri, Mar 15, 2013 at 7:27 PM, wrote:
> I don't know the interfaces to OpenSSL, but AES-192 specifies the number
> of rou
> From: owner-openssl-us...@openssl.org On Behalf Of Dirk-Willem van Gulik
> Sent: Wednesday, 06 March, 2013 06:01
-dev added as a possible minor bug/enhancement, see end
> A simple
>
> echo foo | openssl smime -encrypt/sign | openssl smime
> -decrypt/verify
>
> works dandy. But was surp
>From: owner-openssl-us...@openssl.org On Behalf Of Evan Brown
>Sent: Wednesday, 13 March, 2013 11:02
>openssl genrsa -aes256 -out private.pem 2048
>Am I correct in my understanding that OpenSSL adds a salt
>to the passphrase that I specify when this command runs?
>How is the salt computed and w
>From: owner-openssl-us...@openssl.org On Behalf Of azhar jodatti
>Sent: Wednesday, 13 March, 2013 13:44
>I was trying to implement the diffie Hellman algorithm in Java
>which makes use of JCF and as well as in c with openssl...
I assume you mean JCE, or maybe JCA. JCF is completely unrelated.
I don't know the interfaces to OpenSSL, but AES-192 specifies the number
of rounds. The approved AES algorithms specify a subset of Rijndahl
cipher whereby you can specify alternative numbers of rounds, key
sizes, and block sizes.
Sincerely,
Steven J. Hathaway
> There's a file that I want to enc
for those who don't read openssl-dev
Original Message
Subject:[openssl.org #3016] openssl ts fix
Date: Wed, 13 Mar 2013 16:13:31 +0100
From: Peter Sylvester via RT
Reply-To: openssl-...@openssl.org
CC: openssl-...@openssl.org
Hi,
I have "weakend" the
On 13.03.2013 01:19, kap...@mizera.cz wrote:
Dne 12.3.2013 20:36, Walter H. napsal(a):
Hello,
I found the following:
http://tsa.postsignum.cz:444
do you have account by this TSA ?
No.
if there is a need to have an account; then this page is not conforming
to any RFC - HTTP 400 is not an
Hi Erwann,
Am 15.03.2013 17:36, schrieb Erwann Abalea:
Yes. That's one possible solution (possible from a PKI point of view).
Another solution would be to play with indirect CRLs. That involves
Thank you very much for your explanations, I will try these scenarios.
Thanks, Sven
_
Le 15/03/2013 17:01, Sven Dreyer a écrit :
Hi Erwann,
Am 15.03.2013 16:16, schrieb Erwann Abalea:
You can generate a self-issued certificate dedicated to CRL signing
(same name, different key, signed by your root). That's acceptable
for RFC5280, but you'll have to check with your clients. And f
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi!
The new server currently hosting the www, git, rt, ftp, and cvs
services is going to be moved within the installation of our hoster.
As a consequence, the system will be assigned a new IP address.
Old: 178.16.220.54
New: 185.9.166.106
The move
Hi Erwann,
Am 15.03.2013 16:16, schrieb Erwann Abalea:
You can generate a self-issued certificate dedicated to CRL signing
(same name, different key, signed by your root). That's acceptable
for RFC5280, but you'll have to check with your clients. And find a
way to distribute this certificate.
On Fri, Mar 15, 2013 at 09:44:13AM +0100, Zbyn?k Krej??k wrote:
> I tried this some 2yrs ago what seemed to work (at least wins showed the
> strings in cert correctly)
>
> in
> [ req ]
> ...
> distinguished_name= req_distinguished_name
> attributes= req_attributes
> string_mask
X.509 allows for a self-signed certificate dedicated to CRL signing
(with the same name, of course). But that's not acceptable for RFC5280.
You can generate a self-issued certificate dedicated to CRL signing
(same name, different key, signed by your root). That's acceptable for
RFC5280, but yo
Hi Matthew,
Am 15.03.2013 16:03, schrieb Matthew Hall:
Read about the cRLSign KeyUsage bit. This is how it is usually
handled.
I already let the Root CA issue a certificate with "keyUsage = cRLSign"
and used that certificate to sign the CRL, but my colleague's Windows
machine refused to acce
Hi List,
I would like to setup an OpenSSL-based offline Root CA.
Certificates issued by this Root CA contain a CDP.
I would like to issue CRLs every 3 days, which would mean that I would
have to take the offline Root CA online each 3 days.
Is there a way to let the Root CA issue a "CRL signe
On Fri, 15 Mar 2013, Dr. Stephen Henson wrote:
Analysing that CSR the actual signature isn't in the correct form: it just
contains the raw SHA1 digest instead of the required DigestInfo structure.
You can check that using rsautl in a manner similar to that for certificates
mentioned in the ma
Bonjour,
Le 15/03/2013 14:07, Tim Tassonis a écrit :
Hi
I am trying to generate a csr in a c program by having the signing
part done by pkcs11 calls, and while I get no errors, the resulting
csr fails upon validation:
$ openssl req -verify -in wltx.csr
verify failure
2948:error:0D07207B:asn
Hi Steve
Thanks a lot for your reply.
Just another quick question. Do you know by chance an openssl function
that would convert the raw sha1 into a digestinfo structure?
Kind regards
Tim
On 03/15/2013 02:36 PM, Dr. Stephen Henson wrote:
On Fri, Mar 15, 2013, Tim Tassonis wrote:
Hi
I am
So if I want to do that, the very basic way for me to do it would be
to write all of the commands (line-by-line; which processes each file
separately) into a shell script file and then run that?
But if I were to use some kind of programming or more advanced
scripting language/syntaxes; I would be
On Fri, Mar 15, 2013, Tim Tassonis wrote:
> Hi
>
> I am trying to generate a csr in a c program by having the signing
> part done by pkcs11 calls, and while I get no errors, the resulting
> csr fails upon validation:
>
Analysing that CSR the actual signature isn't in the correct form: it just
c
For AES-256-CBC, if I have a passphrase stored in a file; are there
limits in terms of how big either the key or the passphrase can be in
terms of characters?
__
OpenSSL Project http://www.openssl.or
Le 15/03/2013 13:54, Ewen Chan a écrit :
Sorry, my bad. Wrong terminology.
(The AES wiki says that it uses a key.) But I was really thinking
about multiple passphrases.
And from this passphrase, a key and IV can be generated. It's more easy
to remember a passphrase than a bunch of hex digits
Hi
I am trying to generate a csr in a c program by having the signing part
done by pkcs11 calls, and while I get no errors, the resulting csr fails
upon validation:
$ openssl req -verify -in wltx.csr
verify failure
2948:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too
long:.\
Sorry, my bad. Wrong terminology.
(The AES wiki says that it uses a key.) But I was really thinking
about multiple passphrases.
Sorry for the mix up.
So let's say I have three files:
file1
file2
file3
And then I have a passphrase file that contains the following:
Alice
Bob
Charlie
and I want
a...okay. Gotcha.
Thanks!
On Fri, Mar 15, 2013 at 5:23 AM, Erwann Abalea
wrote:
> On a PC under Linux, you can do a "cat /proc/cpuinfo" and look for "aes" in
> the "flags".
> On a PC under any OS, get the CPUID, and look for bit 25 of ECX.
> That's not OpenSSL-related.
>
>
> The use of OPENS
On a PC under Linux, you can do a "cat /proc/cpuinfo" and look for "aes"
in the "flags".
On a PC under any OS, get the CPUID, and look for bit 25 of ECX.
That's not OpenSSL-related.
The use of OPENSSL_ia32cap environment variable allows you to alter the
CPUID result (only inside OpenSSL), and
"openssl enc" encrypts one file at a time, and can read the first line
of a file to get the passphrase (in order to derive key and iv).
If you want to provide your own key and iv, you have to do it as command
line arguments.
Key management is out of scope.
--
Erwann ABALEA
Le 15/03/2013 06:33,
Hi,
I tried this some 2yrs ago what seemed to work (at least wins showed the
strings in cert correctly)
in
[ req ]
...
distinguished_name = req_distinguished_name
attributes = req_attributes
string_mask = utf8only
utf8 = yes
...
...
[ req_distinguished_name ]
...
localityName_
33 matches
Mail list logo
