Yes I used the PQ openssl based on liboqs
Since you were not specific on what the use case, and I was not certain
why you wanted a Kyber Public/Private key pair when other algorithms
are better suited to PQ authentication, I supplied the TLS example.
Regards
Mark Hack
On Mon, 2022-10-03 at 21:08
In this case you need to look at certificate / signature generation
separately from the key exchange. In classical terms, I can have anRSA
key with a RSA-SHA256 signature and use DHE elliptic curves to exchange
a secret without knowing the elliptic curve public private key pair.
For example to use
I may have a mixed Java environment. I will recheck on a clean VM when
I get a few minutes.
Regards
Mark Hack
On Thu, 2022-05-19 at 16:46 +0200, Djordje Gavrilovic wrote:
> Hm, not working here.
>
> openjdk version "1.8.0_312"
>
> OpenJDK R
0, Djordje Gavrilovic wrote:
> Thank you both for your answers! So much! Both of them very
> helpful. We are stuck with openjdk8 right now...but it is good
> to
> know that later versions will work as expected.
>
> Thank you guys
>
>
>
completed: 1 entries successfully imported, 0 entries failed
or cancelled
Warning:<1> uses the SHA1withRSA signature algorithm which is
considered a security risk. This algorithm will be disabled in a future
update.
Mark Hack
On Thu, 2022-05-19 at 12:13 +0200, Erwann Abalea via openssl-users
:
openssl s_client -connect data.reversinglabs.com:443 -tls1_2
-servername data.reversinglabs.com
Check your server setup and ensure that a default virtual host has been
defined.
Mark Hack
On Tue, 2022-05-17 at 15:55 -0400, Geek Geek wrote:
> I run into the following issue when I use openssl 1.0
NIST-800-131a deprecated SHA1 signatures in January of 2013 along with
RSA1024 bit keys. You should be issuing certificates with at least
RSA2048 with SHA2 signatures, and preferably at least RSA3072 with SHA-
384 signatures and if you are re-issuing CA certs more bits is better.
Nothing was said
Use keytool -list -v to ensure that the original store actually
contains a private key
If there is no entry of Entry type: PrivateKeyEntry then the store has
no private key
Mark Hack
On Tue, 2022-02-15 at 18:30 +0100, mary mary wrote:Hello community,
> A beginner here.
>
> I woul
#x27;s Topics:
>
>
>
>1. RE: undefined symbol: OSSL_provider_init when running "make
>
> test" for OpenSSL 3.0 (Lee Staniforth)
>
>2. RE: [openssl-1.1.1l] TLS1.2 Server responses with Alert
>
> (Michael Wojcik)
>
&g
The server error is correct - the signature_algorithms_cert extension
does not offer rsa_pkcs1_sha256 (0x0401) which is the server
certificate signing algorithm.
If the client is written in Java, check java.security for
"jdk.certpath.disabledAlgorithms" and check the constraints.
On Fri, 2021-
Look at https://testssl.sh/
That is an openssl wrapper which enumerates ciphers and protocols ( and
a whole lot more)
Hexcode Cipher Suite Name
(OpenSSL) KeyExch. Encryption Bits Cipher Suite Name
(IANA/RFC)-
"openssl ciphers" will show you the correct names which in this case is
DHE-RSA-AES128-GCM-SHA256
On Wed, 2021-11-17 at 16:25 +0800, M K Saravanan wrote:
> Hi,
>
> Do I need to do any config to enable DHE based ciphers in openssl for
> command line usage?
>
> $ openssl s_client -cipher 'DHE_RSA_
Added to all the weaknesses in SSLv3, the only supported cipher suites
are either vulnerable or deprecated and not advisable.
SSL_RSA_WITH_NULL_MD5 NULL-MD5
SSL_RSA_WITH_NULL_SHA NULL-SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5 EXP-RC4-MD5
SSL_RSA_WITH_RC4_
The docs are not the easiest to follow so here is what I did to order
curves from strongest to weakest.The file is /etc/pki/tls/openssl.conf
and should be close to your settings. Set the curves to what you want
as I did in the Curve line
openssl_conf = default_modules
[ default_modules ]
ssl_c
This is a Java error and not an openSSL error. This will be thrown if
the application did not specify a valid X509 Trust Manager for the
SSLContext.
On Fri, 2021-04-30 at 15:48 +0530, K V Rao via openssl-users wrote:
No X509TrustManager implementation available
You will need to be a lot more specific - this works fine
openssl s_client -connect localhost:443 | openssl x509 -noout -text
Can't use SSL_get_servername
depth=0 C = US, ST = TX, L = Somewhere, O = MarkHack, OU = Test, CN =
fakeserver.com
verify error:num=18:self signed certificate
verify return:
RFC6066
Note that when a list of URLs for X.509 certificates is used, the
ordering of URLs is the same as that used in the TLS Certificate
message (see [RFC5246], Section 7.4.2), but opposite to the order in
which certificates are encoded in PkiPath. In either case, the
self-signed ro
I believe that Firefox does still support P-521 but Chrome does not.
Also be aware that if you set server side cipher selection and use
default curves, that OpenSSL orders the curves weakest to strongest (
even with @STRENGTH) so you will end up forcing P-256.
On Tue, 2019-10-15 at 17:24 +0200,
This was on 1.0.2 and I just checked 1.1.1, and for libssl I still only
see the call for libcrypto. I can recompile and confirm later in the
day to be 100% certain.
On Wed, 2019-09-25 at 16:26 +0100, Matt Caswell wrote:
>
> On 25/09/2019 15:26, Mark Hack wrote:
> > ssl_algs.c is
.
Patching ssl_algs.c corrects this and the performance improvement is
immediatly noticable. This is the patch applied and tested on PPC.
int SSL_library_init(void)
{
OPENSSL_cpuid_init_setup(); /* Identify the HW platform */
...
Regards
Mark Hack
20 matches
Mail list logo
