On Wed, Jul 08, 2020 at 02:24:47PM -0400, Felipe Gasper wrote:
> > This is also supported in Postfix, just don't authenticate
> > the client cert at all (no PKI), grab the key digest and
> > use it directly for access control.
>
> Wouldn’t there need to be a shared secret, though, or some other w
> On Jul 8, 2020, at 1:51 PM, Viktor Dukhovni
> wrote:
>
> On Wed, Jul 08, 2020 at 01:31:04PM -0400, Felipe Gasper wrote:
>
>> What I’m looking for is a way to authenticate a user over TLS in
>> essentially the same manner that SSH’s handshake uses, where a
>> signature of a shared secret va
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Vijayakumar Kaliaperumal
> Sent: Wednesday, July 08, 2020 11:32
> I now understand that the heartbeat mechanism is completely removed in OpenSSL
> 1.1.1, whereas it's still available in gnuTLS.
gnuTLS would not be my
On Wed, Jul 08, 2020 at 01:31:04PM -0400, Felipe Gasper wrote:
> > On Jul 8, 2020, at 12:59 PM, Viktor Dukhovni
> > wrote:
> >
> > On Wed, Jul 08, 2020 at 12:48:38PM -0400, Felipe Gasper wrote:
> >
> >> Does OpenSSL support authentication via raw public keys? (RFC 7250) I
> >> can’t find anyth
Hi,
I am just following up with my earlier mail as I did not get an answer. I
now understand that the heartbeat mechanism is completely removed
in OpenSSL 1.1.1, whereas it's still available in gnuTLS. So I do not
understand why it was removed from OpenSSL
Having your own keepalive mechanism(
> On Jul 8, 2020, at 12:59 PM, Viktor Dukhovni
> wrote:
>
> On Wed, Jul 08, 2020 at 12:48:38PM -0400, Felipe Gasper wrote:
>
>> Does OpenSSL support authentication via raw public keys? (RFC 7250) I
>> can’t find anything to this effect on openssl.org.
>
> These are not presently supported.
On 08.07.20 17:57, Matt Caswell wrote:
>
>
> On 08/07/2020 17:48, Klaus Umbach via openssl-users wrote:
> > On 08.07.20 12:21, Viktor Dukhovni wrote:
> >> On Wed, Jul 08, 2020 at 04:36:55PM +0100, Matt Caswell wrote:
> >>
> >>> On 08/07/2020 16:28, Viktor Dukhovni wrote:
> > How could I set t
On Wed, Jul 08, 2020 at 12:48:38PM -0400, Felipe Gasper wrote:
> Does OpenSSL support authentication via raw public keys? (RFC 7250) I
> can’t find anything to this effect on openssl.org.
These are not presently supported. However, you can use DANE-EE(3) TLSA
records to authenticate essentially
On 08/07/2020 17:48, Klaus Umbach via openssl-users wrote:
> On 08.07.20 12:21, Viktor Dukhovni wrote:
>> On Wed, Jul 08, 2020 at 04:36:55PM +0100, Matt Caswell wrote:
>>
>>> On 08/07/2020 16:28, Viktor Dukhovni wrote:
> How could I set a System default "MinProtocol" for DTLS and TLS to
Hello,
Does OpenSSL support authentication via raw public keys? (RFC 7250) I
can’t find anything to this effect on openssl.org.
Thank you!
cheers,
-Felipe Gasper
On 08.07.20 12:21, Viktor Dukhovni wrote:
> On Wed, Jul 08, 2020 at 04:36:55PM +0100, Matt Caswell wrote:
>
> > On 08/07/2020 16:28, Viktor Dukhovni wrote:
> > >> How could I set a System default "MinProtocol" for DTLS and TLS to
> > >> 1.2?
> > >
> > > AFAIK, that's not presently possible.
On Wed, Jul 08, 2020 at 05:40:38PM +0100, Matt Caswell wrote:
> > I agree that the situation with MinProtocol in openssl.cnf is
> > unfortunate. But instead of mappings, I would propose a different
> > solution:
> >
> > * Restrict MinProtocol/MaxProtocol to just TLS protocols,
> > i.e.
On 08/07/2020 17:21, Viktor Dukhovni wrote:
> On Wed, Jul 08, 2020 at 04:36:55PM +0100, Matt Caswell wrote:
>
>> On 08/07/2020 16:28, Viktor Dukhovni wrote:
>>>> How could I set a System default "MinProtocol" for DTLS and TLS to 1.2?
>>>
>>> AFAIK, that's not presently possible. You can sp
On Wed, Jul 08, 2020 at 04:36:55PM +0100, Matt Caswell wrote:
> On 08/07/2020 16:28, Viktor Dukhovni wrote:
> >> How could I set a System default "MinProtocol" for DTLS and TLS to 1.2?
> >
> > AFAIK, that's not presently possible. You can specify application
> > profiles, for applications th
On 08/07/2020 16:28, Viktor Dukhovni wrote:
>> How could I set a System default "MinProtocol" for DTLS and TLS to 1.2?
>
> AFAIK, that's not presently possible. You can specify application
> profiles, for applications that specify an application name when
> initializing OpenSSL. Or use th
On Wed, Jul 08, 2020 at 04:58:39PM +0200, Klaus Umbach via openssl-users wrote:
> when I set "MinProtocol" to "TLSv1.2" in openssl.cnf, DTLSv1.2 doesn't work
> for the client (in my specific case openconnect).
Unfortunately, I think that's expected. The actual bounds are numeric,
and TLS prot
Hi,
when I set "MinProtocol" to "TLSv1.2" in openssl.cnf, DTLSv1.2 doesn't work for
the client (in my specific case openconnect).
According to https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html,
only one value is possible, so I can't set both. The usage of "Protocol",
where I could use