Re: Increment certificate serial numbers randomly

2014-04-29 Thread Walter H.
On 30.04.2014 03:57, Nikolay Elenkov wrote: What hasn't been suggested is giving each server, etc. its own sub-CA signed by the root. Then there won't be a need to have the root key at multiple places and no problems with serial. Additionally, clients will only have to install and trust the roo

Re: Increment certificate serial numbers randomly

2014-04-29 Thread Nikolay Elenkov
On Wed, Apr 30, 2014 at 6:59 AM, Michael Wojcik wrote: > All of these approaches have already been suggested in this thread. Is it > really necessary that we go through them again? > > What hasn't been suggested is giving each server, etc. its own sub-CA signed by the root. Then there won't be a

RE: Increment certificate serial numbers randomly

2014-04-29 Thread Michael Wojcik
All of these approaches have already been suggested in this thread. Is it really necessary that we go through them again? Rich Salz's suggestion of using a UUID for the serial number makes collisions sufficiently improbable that the possibility can be ignored, and it's simpler than any of the o

Re: Increment certificate serial numbers randomly

2014-04-29 Thread Tim Hudson
On 30/04/2014 6:05 AM, Walter H. wrote: > On 29.04.2014 21:38, d...@deadhat.com wrote: >> >> This all seems unnecessarily complex. Make the serial number a 256 bit or >> greater true random number. There will be no collisions. > the serial number has maximum length ..., 256 bit is quite too big .. >

Re: Improving structure and governance

2014-04-29 Thread Tim Hudson
On 30/04/2014 4:23 AM, Blibbet wrote: > The TianoCore.org project maintains a patch of OpenSSL (0.9x, not 1.x). > https://github.com/tianocore/edk2/blob/master/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt > > > BTW, it's a shame that OpenSSL doesn't integrate that patch, and have > some UEFI-target

Re: Increment certificate serial numbers randomly

2014-04-29 Thread Walter H.
On 29.04.2014 21:38, d...@deadhat.com wrote: This all seems unnecessarily complex. Make the serial number a 256 bit or greater true random number. There will be no collisions. the serial number has maximum length ..., 256 bit is quite too big ..

Re: Increment certificate serial numbers randomly

2014-04-29 Thread dj
> On 29.04.2014 20:15, Jakob Bohm wrote: >> I seem to (vaguely) recall that there was once an option or standard for >> using a certificate-contents-related hash as the serial number, but I >> can't seem to find it right now. > Hi, > could you please try to find this; I would be interested in such

Re: slowness of _ssl.sslwrap() on first call

2014-04-29 Thread summer
Thanks for the reply. What I found is that it's always slow first time running from a particular application, but not other applications, no matter which applications I run first.

Re: Improving structure and governance

2014-04-29 Thread Blibbet
> The involvement of Microsoft, makes this initiative highly suspect, and > I wish the Linux Foundation had told them to get lost. Ever since its > foundation, Microsoft has used every underhanded trick in the book to > sabotage open source projects (just remember Bill Gates open letter > on the

Re: Increment certificate serial numbers randomly

2014-04-29 Thread Walter H.
On 29.04.2014 20:15, Jakob Bohm wrote: I seem to (vaguely) recall that there was once an option or standard for using a certificate-contents-related hash as the serial number, but I can't seem to find it right now. Hi, could you please try to find this; I would be interested in such - a way o

Re: Increment certificate serial numbers randomly

2014-04-29 Thread Jakob Bohm
On 4/28/2014 10:53 AM, Mat Arge wrote: I agree with Walter, that it is not exactly good practice to have a CA key lying around on multiple servers. But anyway, if you need to do it you have to create the random serial number externally by some script and write it into the serial file (as set in t

Re: slowness of _ssl.sslwrap() on first call

2014-04-29 Thread Jakob Bohm
On 4/25/2014 11:19 PM, summer wrote: Further investigation shows the slowness is happening at _ssl.c line 306, self->ctx = SSL_CTX_new(SSLv23_method()); /* Set up context */ Is this line code involving client/server communication yet? I haven't checked, but maybe SSL_CTX_new() is initializin

Re: Improving structure and governance

2014-04-29 Thread Jakob Bohm
On 4/25/2014 9:33 PM, Awi wrote: As a US based organization, Apache is unsuited and (given fairly recent public news) untrusted to have any power over a project such as OpenSSL. Additionally, the Apache foundation has accumulated so many important projects over the last few years that they are

RE: State of EBCDIC support in OpenSSL

2014-04-29 Thread mclellan, dave
We are active and continuing users of the z/OS port of OpenSSL, have just rebuilt 1.0.1c without heartbeats on a maintenance stream and are upgrading to 1.0.g on a future release stream. Just as an example of staying current on z/OS. We use z/OS on the server side only, and generate server certs f

Re: State of EBCDIC support in OpenSSL

2014-04-29 Thread Stephan Mühlstrasser
Am 29.04.14 10:28, schrieb Tim Hudson: Bug reports on EBCDIC with patches are definitely interesting as there is an active community of OpenSSL z/OS users - at the very least the other users will benefit from any work you have already done. I can provide bug reports, but at the moment I cannot

Re: State of EBCDIC support in OpenSSL

2014-04-29 Thread Tim Hudson
On 29/04/2014 5:38 PM, Stephan Mühlstrasser wrote: > ... or is the EBCDIC port essentially dead? Bug reports on EBCDIC with patches are definitely interesting as there is an active community of OpenSSL z/OS users - at the very least the other users will benefit from any work you have already done.

State of EBCDIC support in OpenSSL

2014-04-29 Thread Stephan Mühlstrasser
What is the current state of EBCDIC support in OpenSSL? While there are CHARSET_EBCDIC #ifdefs all over the source, a build on z/OS Unix System Services is possible and creation of signatures apparently works, there are several problems we ran into: - the "openssl s_client" command cannot be

Re: Using a smart card with a C application

2014-04-29 Thread Mat Arge
openssl can use a PKCS#11 interface in some scenarios, but you won't need it for what you want to do. I'd advise you to get the actual PKCS#11 standard document. For each function, there is always some sample code included. cheers Mat On Monday 28. April 2014 23:32:21 you wrote: > Need some bas