e still applies and
> migration from 3.0 to 3.1 should be just seamless.
>
> Tomas
>
>
> On Thu, 2022-12-01 at 09:40 -0500, Felipe Gasper wrote:
>> AFAICT, the migration guide doesn’t actually seem to mention upgrades
>> to 3.1.
>>
>> -FG
>>
AFAICT, the migration guide doesn’t actually seem to mention upgrades to 3.1.
-FG
> On Dec 1, 2022, at 09:00, OpenSSL wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>
> OpenSSL version 3.1 alpha 1 released
>
>
> OpenSSL - The Open S
> On Nov 3, 2022, at 11:37, Michael Wojcik via openssl-users
> wrote:
>
>> It’s a rare
>> issue, but when it does it’s a head-scratcher. To avoid that, it’s necessary
>> to shutdown(SHUT_RD) then drain the read buffer before close().
>
> Well, it's not *necessary* to do a half-close. Applicat
> On Nov 3, 2022, at 10:17, Michael Wojcik via openssl-users
> wrote:
>
>> Does OpenSSL’s documentation mention that? (I’m not exhaustively
>> familiar with it, but I don’t remember having seen such.)
>
> I doubt it. I don't see anything on the wiki, and this is a pretty obscure
> issue, all
> On Nov 2, 2022, at 16:36, Michael Wojcik via openssl-users
> wrote:
>
>> From: Felipe Gasper
>> Sent: Wednesday, 2 November, 2022 12:46
>>
>> I wouldn’t normally expect EPIPE from a read operation. I get why it happens;
>> it just seems odd. Given
> On Oct 26, 2022, at 13:34, Michael Wojcik via openssl-users
> wrote:
>
>> From: openssl-users On Behalf Of Felipe
>> Gasper
>> Sent: Wednesday, 26 October, 2022 11:15
>>
>> I’m seeing that OpenSSL 3, when it reads empty on a sock
iov_len=2}], msg_iovlen=1,
msg_control=[{cmsg_len=17, cmsg_level=SOL_TLS, cmsg_type=0x1}],
msg_controllen=17, msg_flags=0}, 0) = -1 EPIPE (Broken pipe)
- after read
What is that being sent after the read()? Is there a way to disable it?
Thank you!
cheers,
-Felipe Gasper
> On Sep 26, 2022, at 11:47, Viktor Dukhovni wrote:
>
> On Mon, Sep 26, 2022 at 10:46:40AM -0400, Felipe Gasper wrote:
>
>>> The security levels are documented. You can set the security level
>>> in the cipher string:
>>>
>>> DEFAULT:@SE
> On Sep 26, 2022, at 10:01, Viktor Dukhovni wrote:
>
> On Mon, Sep 26, 2022 at 09:52:29AM -0400, Felipe Gasper wrote:
>
>> OpenSSL 1.1.0k introduced behaviour that rejects 1,024-bit RSA key sizes.
>
> No such change was made. Perhaps your OS distribution has b
Thank you!
cheers,
-Felipe Gasper
(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
"Explicit curves are not allowed in fips mode");
return 0;
}
Thank you!
cheers,
-Felipe Gasper
> On Nov 17, 2021, at 16:49, Michael Wojcik
> wrote:
>
>> From: Michael Wojcik
>> Sent: Wednesday, 17 November, 2021 14:22
>> To: openssl-users@openssl.org
>> Subject: RE: “EC PUBLIC KEY”
>>
>>> From: openssl-users On Behalf Of
>> Billy
>>> Brumley
>>> Sent: Wednesday, 17 November, 2021 12:4
Hello,
Does OpenSSL intend to handle EC public keys that in PEM begin “BEGIN
EC PUBLIC KEY”?
I can’t find a way to output this format and am not sure if it’s
actually defined anywhere, but it seems like a logical analogue to the
default/legacy RSA public key format.
Th
> On Oct 28, 2021, at 03:52, Matt Caswell wrote:
>
>
>
> On 27/10/2021 18:53, Felipe Gasper wrote:
>> Support for secure renegotiation is a “good thing”, right? That being
>> the case, why would the newer OpenSSL version report no support for it while
it reports that:
> Secure Renegotiation IS supported
Support for secure renegotiation is a “good thing”, right? That being
the case, why would the newer OpenSSL version report no support for it while
the older one supports it?
Thank you!
Cheers,
-Felipe Gasper
into
parity with the behaviour of 1.1.0+. It would be nice--would have been helpful
for me, at least--to have fleshed-out code examples.
Thank you to everyone who maintains OpenSSL and who’s helping us all through
this transition.
cheers,
-Felipe Gasper
same way as connection
handshakes? So the 3 certs I have in my chain will pass OpenSSL’s dedicated
verification logic?
Thank you!
cheers,
-Felipe Gasper
In addition to however OpenSSL does it, you can see how it’s done here:
https://metacpan.org/release/Crypt-Perl/source/lib/Crypt/Perl/X509/Extension/ct_precert_scts.pm
https://metacpan.org/release/Crypt-Perl/source/lib/Crypt/Perl/X509/Extension/ct_precert_poison.pm
-F
> On Jan 10, 2021, at 12:
> On Jul 15, 2020, at 7:16 AM, Hubert Kario wrote:
>
> On Tuesday, 14 July 2020 21:18:53 CEST, Felipe Gasper wrote:
>> Hello,
>>
>> I have domains whose length exceeds the commonName maximum. To create a
>> signing request for such a domain, then, I
useful information--what would the
minimum-viable subject look like from the generation-via-OpenSSL side?
Thank you!
cheers,
-Felipe Gasper
> On Jul 8, 2020, at 1:51 PM, Viktor Dukhovni
> wrote:
>
> On Wed, Jul 08, 2020 at 01:31:04PM -0400, Felipe Gasper wrote:
>
>> What I’m looking for is a way to authenticate a user over TLS in
>> essentially the same manner that SSH’s handshake uses, where a
>
> On Jul 8, 2020, at 12:59 PM, Viktor Dukhovni
> wrote:
>
> On Wed, Jul 08, 2020 at 12:48:38PM -0400, Felipe Gasper wrote:
>
>> Does OpenSSL support authentication via raw public keys? (RFC 7250) I
>> can’t find anything to this effect on openssl.org.
>
>
Hello,
Does OpenSSL support authentication via raw public keys? (RFC 7250) I
can’t find anything to this effect on openssl.org.
Thank you!
cheers,
-Felipe Gasper
Hello,
Is it possible, after having done a TLS handshake in OpenSSL, to extract the
necessary connection parameters from OpenSSL and pass those to the requisite
setsockopt() call to initiate ktls outside of OpenSSL?
Thank you!
-Felipe Gasper
state, shove it
> through a unix domain socket to the target process and then have the target
> process unpack the openssl state and resume IO.
For what it’s worth, I have also wished for something like this, where I could
pass a file descriptor as well as the OpenSSL state over a socket
> On Apr 30, 2019, at 12:21 PM, Michael Wojcik
> wrote:
>
>> From: openssl-users on behalf of Felipe
>> Gasper
>> Sent: Tuesday, April 30, 2019 11:06
>
>> My question is, does TLS allow a client to be _able_ to parse an incomplete
>> message?
_able_ to parse an
incomplete message? Or is it that only the entire message can be decoded?
Thank you!
-Felipe Gasper
Mississauga, Ontario
> On Mar 17, 2019, at 7:55 PM, J Decker wrote:
>
>> On Sun, Mar 17, 2019 at 4:46 PM Felipe Gasper
>> wrote:
>> Buffer, not buffet. Silly autocorrect!
>>
>> -F
>>
>> > On Mar 17, 2019, at 7:21 PM, Felipe Gasper wrote:
>
Buffer, not buffet. Silly autocorrect!
-F
> On Mar 17, 2019, at 7:21 PM, Felipe Gasper wrote:
>
> Hello,
>
> Is there any equivalent to SSL_CTX_use_certificate_chain_file for a PEM
> buffet that’s already in memory?
>
> Thank you!
>
> -F
Hello,
Is there any equivalent to SSL_CTX_use_certificate_chain_file for a PEM buffet
that’s already in memory?
Thank you!
-F
I’m not sure, heh. ;-)
-F
> On Dec 24, 2018, at 3:17 AM, Walter H. wrote:
>
> and which CA does this as the forum guidelines say?
>
>> On 23.12.2018 22:50, Felipe Gasper wrote:
>> Actually, per the latest CA/Browser forum guidelines, subject.CN is not only
>
Actually, per the latest CA/Browser forum guidelines, subject.CN is not only
optional but “discouraged”.
-FG
> On Dec 23, 2018, at 4:29 PM, Kyle Hamilton wrote:
>
> SubjectCN is an operational requirement of X.509, I believe. It's not
> optional in the data structure, at any rate.
>
> -Kyle
Wow that’s pretty bad .. is that the current version of httpd??
That’d be worth a big report if so, IMO, though I’d imagine it’s an issue
they’re aware of.
-FG
> On Dec 23, 2018, at 6:53 AM, Walter H. wrote:
>
>
> I tried the following
>
> the certificate had a CN of test.example.com a
> On Dec 22, 2018, at 9:12 PM, Salz, Rich via openssl-users
> wrote:
>
> Putting the DNS name in the CN part of the subjectDN has been deprecated for
> a very long time (more than 10 years), although it is still supported by many
> existing browsers. New certificates should only use the subj
It shouldn’t matter. Technically subject.CN is deprecated anyway, but all the
CAs still create it.
-FG
> On Dec 22, 2018, at 4:29 PM, Walter H. wrote:
>
> Hello,
>
> I found several different certificates on the net
>
> some are like this:
>
> CN=example.com
> SANs are DNS:example.com,
Maybe the set of stores root certificates changed with the update?
Try openssl s_client to debug it?
> On Nov 17, 2018, at 8:57 PM, Ken wrote:
>
> I use an application, FreeRDP (https://github.com/FreeRDP/FreeRDP), which
> uses x509_verify_certificate to check the validity of a certificate on
Hi all,
Do EDDSA keys serialize to any format other than SPKI (public) and
PKCS8 (private)?
I ask because RSA and ECC both have “native” formats as well as SPKI
and PKCS8.
Thanks!
-FG
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listin
because I think the syntax is more straightforward than
navigating the openssl binary and openssl.cnf. It’s not nearly as fast, of
course, but I’ve found it useful. YMMV.
-Felipe Gasper
Ah ok. Thank you for clarifying!
-FG
> On Jul 28, 2018, at 7:42 AM, Matt Caswell wrote:
>
>
>
>> On 28/07/18 12:23, Felipe Gasper wrote:
>> I knew about this one. I see OIDs here for the key algorithm, but not the
>> signature/hash algorithm .. ? I’m looking
I knew about this one. I see OIDs here for the key algorithm, but not the
signature/hash algorithm .. ? I’m looking for the OID that precedes the
signature in an X.509 structure.
Thank you!
-FG
> On Jul 28, 2018, at 7:10 AM, Matt Caswell wrote:
>
>
>
>> On 28/07/18 03
Hi all,
Are there yet OIDs for Ed25519-signed X.509? I know about the drafts
for the key format but am not aware of actual OIDs to identify the signature
hash algorithm.
Thank you!
-F
RFC 3546, in describing the SNI extension, recommends that servers send a
warning to clients that request an unknown server name. (Page 9)
I’d like to implement that warning .. could someone please point me to which
API functions expose this ability?
Thank you!
-Felipe Gasper
Mississauga, ON
You could:
- Check subject and issuer for sameness.
- Verify the signature with the certificate’s own key. A positive verification
indicates self-signed.
> On May 3, 2018, at 7:18 AM, Salz, Rich via openssl-users
> wrote:
>
>
>
> On 5/3/18, 4:24 AM, "morthalan" wrote:
>
>No, technica
celzKP1zAZCV
> -----END CERTIFICATE REQUEST-----
>
>
> Jon
>
> On Mon, Mar 26, 2018 at 5:49 PM, Felipe Gasper
> wrote:
> But what is the actual PEM of the CSR?
>
> It should look like:
>
> -----BEGIN CERTIFICATE REQUEST-----
> ...
> -----END CERTIFICATE
But what is the actual PEM of the CSR?
It should look like:
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
-FG
> On Mar 26, 2018, at 11:47 AM, Jon Uriarte wrote:
>
> Thanks for your replies.
>
> I'm creating the CSR with the default values.
>
> $ openssl req -noou
Can you paste one of the CSRs that fails verification?
-Felipe
> On Mar 26, 2018, at 11:19 AM, Jon Uriarte wrote:
>
> Hi folks,
>
> I'm hitting some issues when trying to create SSL certificates and was
> wondering if any around could help with this.
> I can create a CSR and sign it with a ne
> On Mar 2, 2018, at 12:44 AM, Viktor Dukhovni
> wrote:
>
>> On Mar 1, 2018, at 10:39 PM, Felipe Gasper wrote:
>>
>> Hi all,
>>
>> I’ve got a project where I’m trying to send a Hello Request from the
>> server immediately before a
Hi all,
I’ve got a project where I’m trying to send a Hello Request from the
server immediately before an exec(), then renegotiate the SSL connection.
What is the easiest way to send *just* a Hello Request from a server?
Thanks!
-Felipe Gasper
Mississauga, Ontario
()?
Thank you!
-Felipe Gasper
Houston, TX
Hi everyone,
Would there be interest/approval in prefixing [openssl-users] onto the
subject of messages from this list? This kind of thing is standard on
most mailing lists of this kind that I’ve seen.
It makes it easier to distinguish the “context” of a message
at-a-glance.
-F
If I have an SSL certificate, it is possible to create a CSR with that
certificate’s subject and public key?
-F
__
OpenSSL Project http://www.openssl.org
User Support Mailing List
wiki/Server_Name_Indication) gives quite a
few, but I thought maybe folks here could contribute something additional.
-Felipe Gasper
I read somewhere that subject commonName is now deprecated in favor of
subjectAltName.
Are there certs out there "in the wild" with no subject CN, only SAN?
-FG
--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Does anything out there describe the changes in cnf file format among
the different OpenSSL versions?
-F
On 2.11.12 3:23 PM, Ken Goldman wrote:
I create a self signed certificate using
> openssl req -new -x509 -key ... -out ... -days ...
It then prompts for the country, state, locality, etc.
Is there a way to enter that data on the command line or in a
configuration file to avoid the prompts? I
Hi all,
What ways other than the interactive command shell are available for
setting a CSR’s challenge password attribute?
I can’t find a command-line switch that does it, and perl’s
Crypt::OpenSSL::PKCS10 doesn’t seem to know about it, either.
Thanks!
-Felipe Gasper
Houston, TX
Hi all,
What ways other than the interactive command shell are available
for setting a CSR’s challenge password attribute?
I can’t find a command-line switch that does it, and perl’s
Crypt::OpenSSL::PKCS10 doesn’t seem to know about it, either.
Thanks!
-Felipe Gasper
Houston