with SM3.
Why doesn't openssl x509 tool display this name?
Does OpenSSL support this signature scheme?
Best regards,
John Jiang
/docs/man1.1.1/man1/ocsp.html
Though this option is supported by 1.1.1 series.
On Mon, Jul 6, 2020 at 6:15 AM John Jiang wrote:
> I just want to know how does OpenSSL implement RFC 6960 section 4.4.7.2
> Responder Signature Algorithm Selection.
>
> Could I take a OpenSSL responder t
, Jul 4, 2020 at 12:18 AM John Jiang wrote:
> Hi,
> I'm using OpenSSL 1.1.1.
>
> Can I configure the OCSP response signature algorithm?
> For a RSA issuer, it looks SHA256withRSA always be selected.
>
> PreferredSignatureAlgorithms extension in OCSP request may affect t
Hi,
I'm using OpenSSL 1.1.1.
Can I configure the OCSP response signature algorithm?
For a RSA issuer, it looks SHA256withRSA always be selected.
PreferredSignatureAlgorithms extension in OCSP request may affect this
algorithm in OpenSSL OCSP response. However, I prefer to use configuration.
Than
Hi,
Can I specify multiple certificates for tools s_server and s_client?
I need to check the certificate selection with certificate_authorities.
And it looks s_server has no option for certificate_authorities, however
s_client has -requestCAfile for that extension.
Best regards,
John
On Thu, Feb 27, 2020 at 9:27 PM Salz, Rich wrote:
>
>- Run the command: openssl s_client -tls1_3 -groups ffdhe2048 host:port
>
>
>
> TLS 1.3 doesn’t have those groups.
>
Per section Supported Groups in RFC 8446 [1], FFDHE groups could be
supported.
enum {
/* Elliptic Curve Groups (ECDHE)
I would have highlighted that OpenSSL 1.1.1d was being used in my testing.
On Thu, Feb 27, 2020 at 5:13 PM John Jiang wrote:
> Hi,
> It sounds FFDHE groups are already supported [1]
> But the tools, like s_client, also support them.
> Run the command: openssl s_client -tls1_3 -grou
Hi,
It sounds FFDHE groups are already supported [1]
But the tools, like s_client, also support them.
Run the command: openssl s_client -tls1_3 -groups ffdhe2048 host:port
it just raised the issue: Error with command: "-groups ffdhe2048"
If using P-256 or X25519, it worked fine.
I also tried optio
On Fri, Oct 25, 2019 at 8:50 PM Matt Caswell wrote:
>
>
> On 25/10/2019 09:39, Viktor Dukhovni wrote:
> > On Fri, Oct 25, 2019 at 03:33:43PM +0800, John Jiang wrote:
> >
> >> I'm using OpenSSL 1.1.1d.
> >> Just want to confirm if DHE_DSS cipher s
Hi,
I'm using OpenSSL 1.1.1d.
Just want to confirm if DHE_DSS cipher suites are not supported by this
version.
Please consider the below simple case,
1. s_server uses a DSA certifcate
2. force s_client to use TLS 1.2 and TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
(DHE-DSS-AES256-GCM-SHA384)
the connectio
RC4 and MD5 are both considered broken.
>
Don't worry, just for some testing.
Thanks!
>
> Pauli
> --
> Dr Paul Dale | Cryptographer | Network Security & Encryption
> Phone +61 7 3031 7217
> Oracle Australia
>
>
>
> On 26 Jun 2019, at 11:41 am, John Jiang wrote
Hi,
I'm using s_server and s_client from OpenSSL 1.1.1.
It looks the weak cipher suites, like SSL_RSA_WITH_RC4_128_MD5, are
disabled.
Is there any way to re-enable these cipher suites?
Thanks!
On Thu, Jun 13, 2019 at 12:28 PM Viktor Dukhovni
wrote:
> On Thu, Jun 13, 2019 at 10:49:14AM +0800, John Jiang wrote:
>
> > I got the point: the server certificate is ECDSA with curve secp256r1.
> > It works with RSA certificate and curves
> > sepc256r1/sepc384r1/sepc52
I got the point: the server certificate is ECDSA with curve secp256r1.
It works with RSA certificate and curves
sepc256r1/sepc384r1/sepc521r1/x25519/x448.
On Thu, Jun 13, 2019 at 3:00 AM Viktor Dukhovni
wrote:
> On Wed, Jun 12, 2019 at 05:31:30PM +0800, John Jiang wrote:
>
> > >
On Wed, Jun 12, 2019 at 4:34 PM Viktor Dukhovni
wrote:
> On Wed, Jun 12, 2019 at 03:45:12PM +0800, John Jiang wrote:
>
> > Using OpenSSL 1.1.1.
> > Just want to confirm that if OpenSSL supports curves X25519 and X448 for
> > TLSv1.2.
>
> Yes, it does.
>
>
Hi,
Using OpenSSL 1.1.1.
Just want to confirm that if OpenSSL supports curves X25519 and X448 for
TLSv1.2.
Tried below commands,
openssl s_server -trace -state -cert server.cer -key server.key -accept port
openssl s_client -trace -state -CAfile ca.cer -tls1_2 -groups X25519
-connect localhost:port
Hi,
I'm using OpenSSL 1.1.1
I just use the below s_client command to test resumption.
openssl s_client -CAfile CA.cer -tls1_2 -sess_in openssl.sess -connect
localhost:9443
Is there any option to take this tool to use only session id or session
ticket for resumption?
Thanks!
I had tried TLS Fuzzer, and it worked for me.
I just wished that OpenSSL can do the similar things.
Thanks!
On Tue, Feb 26, 2019 at 9:56 PM Hubert Kario wrote:
> On Tuesday, 26 February 2019 07:22:52 CET John Jiang wrote:
> > Is it possible to check if peer implements middlebox comp
Is it possible to check if peer implements middlebox compatibility by
s_server/s_client?
It looks the test tools don't care this point.
For example, if a server doesn't send change_cipher_spec after
HelloRetryRequest, s_client still feels fine.That's not bad. But can I
setup these tools to check mi
org> wrote:
> s_client has -sess_out and -sess_in options that can be used
> to save session information to a file and read it in for a subsequent
> connection. Neither is used by default.
>
> -Ben
>
> On Sun, Sep 30, 2018 at 11:06:14AM +0800, John Jiang wrote:
> > Does s
Does s_client resume any session in the local session file?
On Sun, Sep 30, 2018 at 3:19 AM Salz, Rich via openssl-users <
openssl-users@openssl.org> wrote:
>
>- The debug logs display two "SSL-Session" blocks in a full handshake.
>
> Only one "SSL-Session" block is displayed in a resumption.
Using OpenSSL 1.1.1.
The debug logs display two "SSL-Session" blocks in a full handshake.
Only one "SSL-Session" block is displayed in a resumption.
Why does full handshake has two sessions?
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
ion.
>
> Matt
>
>
> On 12/09/18 12:25, John Jiang wrote:
> > Very strange. I re-tried the same case, but the resumption failed.
> > The attached logs contain the full outputs in the both connections on
> > server and client sides.
> >
> > On Wed, Sep 12, 201
t; log including *both* connections, i.e. the original connection attempt
> to create the session, followed by the subsequent resume.
>
> Thanks
>
> Matt
>
>
> On 12/09/18 11:50, John Jiang wrote:
> > Could you please take a look at the attached s_client.log?
> >
Could you please take a look at the attached s_client.log?
It was outputted by s_client with options -trace and -state in the second
connection.
Matt Caswell 于2018年9月12日周三 下午4:48写道:
>
>
> On 12/09/18 09:34, John Jiang wrote:
> >
> > It looks the session was resumed, but
Matt Caswell 于2018年9月12日周三 下午4:16写道:
>
>
> On 12/09/18 08:07, John Jiang wrote:
> > I just build OpenSSL 1.1.1 on MacOSX.
> > Tried 0-RTT, and the commands like the followings,
> > openssl s_server -cert server.cer -key server.key -tls1_3 -early_data
> > -accept
I just build OpenSSL 1.1.1 on MacOSX.
Tried 0-RTT, and the commands like the followings,
openssl s_server -cert server.cer -key server.key -tls1_3 -early_data
-accept 9443
...
openssl s_client -CAfile ca.cer -tls1_3 -sess_in openssl.sess -early_data
data -connect localhost:9443
s_client reported
N
2018-06-20 17:01 GMT+08:00 Matt Caswell :
>
>
> On 20/06/18 07:11, John Jiang wrote:
> > 2018-06-19 6:21 GMT+08:00 Matt Caswell > <mailto:m...@openssl.org>>:
> >
> >
> >
> > On 18/06/18 21:23, Hubert Kario wrote:
> >
2018-06-19 6:21 GMT+08:00 Matt Caswell :
>
>
> On 18/06/18 21:23, Hubert Kario wrote:
> > On Friday, 8 June 2018 10:26:07 CEST Matt Caswell wrote:
> >> On 08/06/18 02:48, John Jiang wrote:
> >>> Is it possible to check Key/IV update feature via these tools?
2018-06-19 23:11 GMT+08:00 Jakob Bohm :
> On 19/06/2018 15:40, John Jiang wrote:
>
>> Using OpenSSL 1.1.1-pre7
>>
>> Please consider the following cases and handshaking results:
>> 1. rsa_pss_pss_256 certificate + TLS_RSA_WITH_AES_256_GCM_SHA384 cipher
>>
Using OpenSSL 1.1.1-pre7
Please consider the following cases and handshaking results:
1. rsa_pss_pss_256 certificate + TLS_RSA_WITH_AES_256_GCM_SHA384 cipher
suite
Handshaking failed with no suitable cipher
2. rsa_pss_pss_256 certificate + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
cipher suite
Handsh
Is it possible to check Key/IV update feature via these tools?
Thanks!
2018-05-23 20:33 GMT+08:00 Matt Caswell :
>
>
> On 23/05/18 12:39, John Jiang wrote:
> > Hi,
> > If just using s_server and s_client, can I test the TLS 1.3 features,
> > likes HelloRetryRequ
Hi Matt,
Thanks for your reply!
2018-05-23 20:33 GMT+08:00 Matt Caswell :
>
> To test resumption first create a full handshake TLSv1.3 connection and
> save the session:
>
> $ openssl s_server -cert cert.pem -key key.pem
> $ openssl s_client -sess_out session.pem
>
> Close the s_client instance b
Hi,
If just using s_server and s_client, can I test the TLS 1.3 features, likes
HelloRetryRequest and resumption?
2018-04-29 18:43 GMT+08:00 Kurt Roeckx :
> The upcomming OpenSSL 1.1.1 release will have TLS 1.3 support. TLS
> 1.3 brings a lot of changes that might cause incompatibility. For
> an
Anyway, I can download it via
https://www.openssl.org/source/openssl-1.1.1-pre6.tar.gz
John
2018-05-02 10:48 GMT+08:00 John Jiang :
> Hi,
> I don't see the link for openssl-1.1.1-pre6.tar.gz on page
> https://www.openssl.org/source/
>
> Thanks,
> John
>
>
> 20
Hi,
I don't see the link for openssl-1.1.1-pre6.tar.gz on page
https://www.openssl.org/source/
Thanks,
John
2018-05-01 21:06 GMT+08:00 OpenSSL :
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
>
>OpenSSL version 1.1.1 pre release 6 (beta)
>==
o the debug output. Do you really need it
> there?
>
> I'm pretty certain that s_server outputs it in debug output.
>
> -Kyle H
>
> On Nov 26, 2017 18:59, "John Jiang" wrote:
>
>> Hi,
>> The following is my OpenSSL version info,
>> OpenSSL 1.1
Hi,
The following is my OpenSSL version info,
OpenSSL 1.1.0f 25 May 2017
I supposed the below command can give me some SNI info, but nothing was
found.
openssl s_client -debug -tlsextdebug -msg -connect -servername
< /dev/null | grep "server name"
But I found SNI extension with Wireshark while
38 matches
Mail list logo
