On Thu, Mar 27, 2014 at 2:47 AM, Stefan H. Holek wrote:
> No reason. Just for maximum compatibility. Every software can do SHA1. But
> this comes up a lot and I might switch to sha256 the next time around.
It appears that even most "legacy" web browsers and servers
support sha256, given the
On 27.03.2014, at 13:32, Walter H. wrote:
> Does this mean, you use certificates with a complete chain of at least 4
> certificates?
>
> - root ca cert. no pathlen
> - intermediate ca cert. also no pathlen
> - signing ca cert. with pathlen
> - end cert
Yes, the expert example does that.
> what
On Thu, Mar 27, 2014, axisofevil wrote:
> I would like to use default implementations for some ECC operations but the
> OpenSC pkcs11 engine for other ECDSA operations.
>
> At a high level I have a Sign() & a Verify() in one app on a server - the
> Sign() needs to be done via a HSM using PKCS11
I would like to use default implementations for some ECC operations but the
OpenSC pkcs11 engine for other ECDSA operations.
At a high level I have a Sign() & a Verify() in one app on a server - the
Sign() needs to be done via a HSM using PKCS11 interface, using EVP
functions. Keys for these oper
Hi Thomas.
I was told a while ago that Google's servers will only negotiate
ECDHE-ECDSA if the client i) sends the SNI extension and ii) does _not_
offer any compression methods.
IINM, s_client always offers zlib compression if zlib support is
compiled in. It'd be nice if there was a comman
On Wed, Mar 26, 2014 at 05:25:49PM -0400, Devon H. O'Dell wrote:
> Hi there,
>
> I'm working on an application that shares SSL_SESSION pointers between
> SSL_CTXs in multiple threads. The logic for sharing the session is
> roughly as follows:
>
> lock(&mtx);
> sp = get_cached_session_pointer();
On Thu, Mar 27, 2014, Dr. Stephen Henson wrote:
> On Thu, Mar 27, 2014, Thomas Montroy wrote:
>
> > hi Jeff,
> >
> > Thanks for the response, but I'm still having trouble.
> >
> > As for TLSv1.2:
> >
> > With the OS version of openssl, my default connection looks to be TLSv1.1
> >
> > However
Nice catch. Thanks for looking into it.
Cheers,
-Tom
On Thu, Mar 27, 2014 at 9:22 AM, Dr. Stephen Henson wrote:
> On Thu, Mar 27, 2014, Thomas Montroy wrote:
>
> > hi Jeff,
> >
> > Thanks for the response, but I'm still having trouble.
> >
> > As for TLSv1.2:
> >
> > With the OS version of ope
On Thu, Mar 27, 2014, Thomas Montroy wrote:
> hi Jeff,
>
> Thanks for the response, but I'm still having trouble.
>
> As for TLSv1.2:
>
> With the OS version of openssl, my default connection looks to be TLSv1.1
>
> However, if I add -tls1_2 to the call, I get this:
> SSL-Session:
> Protoc
hi Jeff,
Thanks for the response, but I'm still having trouble.
As for TLSv1.2:
With the OS version of openssl, my default connection looks to be TLSv1.1
However, if I add -tls1_2 to the call, I get this:
SSL-Session:
Protocol : TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384
Should t
Hello,
On Thu, March 27, 2014 10:47, Stefan H. Holek wrote:
>> 3. Is there a reason to not set a pathLen in the basicConstraints
>> section of the Root CA's (to 1, to allow a maximum of one layer of
>> CA's below the Root), but to do so on the Intermediate CA's?
>
> Pathlen is not used on root CA
On 27/03/2014 11:14, Jeffrey Walton wrote:
On Thu, Mar 27, 2014 at 5:47 AM, Stefan H. Holek wrote:
On 25.03.2014, at 17:44, Zack Williams wrote:
...
3. Is there a reason to not set a pathLen in the basicConstraints
section of the Root CA's (to 1, to allow a maximum of one layer of
CA's bel
Hi there,
I'm working on an application that shares SSL_SESSION pointers between
SSL_CTXs in multiple threads. The logic for sharing the session is
roughly as follows:
#include <openssl/ssl.h>
#include <pthread.h>

lock(&mtx);                        /* serialise access to the shared session cache */
sp = get_cached_session_pointer(); /* SSL_SESSION * shared across SSL_CTXs and threads */
if (!SSL_set_session(ssl, sp)) {   /* SSL_set_session() takes an SSL *, not an SSL_CTX * */
    SSL_set_session(ssl, NULL);    /* fall back to a fresh handshake if the session is rejected */
}
unlock(&mtx);
r
On Thu, Mar 27, 2014 at 5:47 AM, Stefan H. Holek wrote:
> On 25.03.2014, at 17:44, Zack Williams wrote:
>
>> ...
>> 3. Is there a reason to not set a pathLen in the basicConstraints
>> section of the Root CA's (to 1, to allow a maximum of one layer of
>> CA's below the Root), but to do so on the I
On 25.03.2014, at 17:44, Zack Williams wrote:
> 1. Is there a reason you're not using SHA-256 hash by default - it
> appears that SHA1 is being recommended against currently:
> http://www.digicert.com/sha-2-ssl-certificates.htm
No reason. Just for maximum compatibility. Every software can do SHA1