On Sat, Jan 04, 2014 at 03:11:16PM -0500, Jeffrey Walton wrote:
> > ... A substantive comment that argues that DANE adds
> > nothing new to SMTP would begin by explaining in detail how SMTP
> > to MX TLS security is possible without DNS data integrity (thus
> > making it possible to not trust the
On Sat, Jan 4, 2014 at 2:42 PM, Viktor Dukhovni
wrote:
> ... A substantive comment that argues that DANE adds
> nothing new to SMTP would begin by explaining in detail how SMTP
> to MX TLS security is possible without DNS data integrity (thus
> making it possible to not trust the root zone signatu
On Sat, Jan 04, 2014 at 07:58:20PM +0100, Michael Ströder wrote:
> > While indeed SMTP with DANE TLS relies on DNSSEC to secure the
> > MX lookup, it also critically relies on DANE for two additional
> > pieces of information:
> >
> > - Downgrade resistant STARTTLS support signall
Viktor Dukhovni wrote:
> On Sat, Dec 28, 2013 at 05:56:41PM +0100, Michael Ströder wrote:
>
>>> http://vdukhovni.github.io/ietf/draft-ietf-dane-smtp-with-dane-05.html#rfc.section.1.2
>>>
>>> This is why I am working to implement and standardize SMTP with DANE TLS.
>>
>> DANE itself does not help.
On Sat, Dec 28, 2013 at 12:58:58PM -0600, Bobber wrote:
> >Does this modify the ciphers used for all connections, or just for
> >the server in question?
>
> All connections.
In that case I would go for the second cipherlist, though still
compact, it is a superset of the first and will interoperat
On 12/28/2013 12:51 PM, Viktor Dukhovni wrote:
Does this modify the ciphers used for all connections, or just for the
server in question?
All connections.
Any suggestions for what ciphers to put in the list besides RC4-MD5?
If you read my previous responses on this thread, you'll notice I
re
On Sat, Dec 28, 2013 at 12:23:21PM -0600, Bobber wrote:
> Thanks very much for your help Viktor. I was able to specify the
> RC4-MD5 cipher and it works.
>
> I am using Qmail with the John Simpson patch set by the way. There
> is a control file (tlsclientcipher) which John had not documented
>
|SMTP TLS, but I am not obligated to provide a comprehensive
|justification in response to every trollish one liner, the above
Luckily there is the UDPish EDNS0 extension from RFC 2671 as in
The default is 1280 (RFC 2671, 4.5.1.).
The minimum is 1024 (RFC 3226, 3.; note: not 1220!).
The m
On 12/27/2013 03:39 PM, Viktor Dukhovni wrote:
There's your problem! This server (likely Exchange 2003) has a broken
implementation of 3DES CBC padding (search Postfix users archives for
my posts on the subject), and your cipher list is either long enough
to cause it to not see RC4-SHA and RC4-
On Sat, Dec 28, 2013 at 05:56:41PM +0100, Michael Ströder wrote:
> > http://vdukhovni.github.io/ietf/draft-ietf-dane-smtp-with-dane-05.html#rfc.section.1.2
> >
> > This is why I am working to implement and standardize SMTP with DANE TLS.
>
> DANE itself does not help. It just shifts the trust an
Viktor Dukhovni wrote:
> With SMTP, PKIX certificate verification is pointless without explicit
> per-destination configuration:
>
> http://vdukhovni.github.io/ietf/draft-ietf-dane-smtp-with-dane-05.html#rfc.section.1.2
>
> This is why I am working to implement and standardize SMTP with DANE TLS.
On Fri, Dec 27, 2013 at 04:11:40PM -0600, Bobber wrote:
> > > TLS started w/ cipher DES-CBC3-SHA
> >
> >There's your problem! This server (likely Exchange 2003) has a
> >broken implementation of 3DES CBC padding (search Postfix users
> >archives for my posts on the subject), and your cipher list
On Fri, Dec 27, 2013 at 09:39:52PM +, Viktor Dukhovni wrote:
> On Fri, Dec 27, 2013 at 03:28:46PM -0600, Bobber wrote:
>
> > >=== TLS started w/ cipher DES-CBC3-SHA
> > >=== TLS peer subject DN="/C=US/ST=Missouri/L=Saint Louis/O=The
> > >Lawrence Group/OU=IT/OU=Terms of use at www.verisign.co
On 12/27/2013 03:39 PM, Viktor Dukhovni wrote:
On Fri, Dec 27, 2013 at 03:28:46PM -0600, Bobber wrote:
=== TLS started w/ cipher DES-CBC3-SHA
=== TLS peer subject DN="/C=US/ST=Missouri/L=Saint Louis/O=The
Lawrence Group/OU=IT/OU=Terms of use at www.verisign.com/rpa
(c)05/CN=mail.thelawrencegrou
On Fri, Dec 27, 2013 at 03:28:46PM -0600, Bobber wrote:
> >=== TLS started w/ cipher DES-CBC3-SHA
> >=== TLS peer subject DN="/C=US/ST=Missouri/L=Saint Louis/O=The
> >Lawrence Group/OU=IT/OU=Terms of use at www.verisign.com/rpa
> >(c)05/CN=mail.thelawrencegroup.com"
There's your problem! This se
On 12/27/2013 02:22 PM, Viktor Dukhovni wrote:
You're posting to the wrong forum. The problem is not OpenSSL, rather
you have an updated release of your MTA. (Is it Exim or Postfix? Go to
the corresponding mailing list). OpenSSL performs whatever certificate
verification your MTA asks for. Per
On Fri, Dec 27, 2013 at 02:07:56PM -0600, Bobber wrote:
> Yes, thanks Andrew, I got it. I see that it is expired. I am still a
> bit baffled. I upgraded my mail server just a couple of weeks ago
> from Debian Squeeze. Everything was fine before then. Is there a
> different check involved in the la
On Fri, Dec 27, 2013 at 02:54:55PM -0500, Patrick Patterson wrote:
> Why does no-one else notice? Probably because you've got your
> server set to actually validate TLS certs, as opposed to most of
> the world that doesn't. :)
With SMTP, PKIX certificate verification is pointless without explicit
Bobber wrote on 12/27/2013 02:47:47 PM:
> I don't see anywhere that it says expired other than this utility. How
> can I verify that it is really expired?
In case you don't trust your openssl install, here is an easy approach
using windows:
1. Select everything between -BEGIN CERTIFICATE---
On 12/27/2013 01:54 PM, andrew cooke wrote:
On Fri, Dec 27, 2013 at 04:53:41PM -0300, Andrew Cooke wrote:
i am not following this in any detail, but if you look at the certificate you
included in your original email it expired in 2008. just look at it with
openssl -text -in
openssl
Hey there...
On 2013-12-27, at 2:47 PM, Bobber wrote:
>
> On 12/27/2013 01:29 PM, Viktor Dukhovni wrote:
>> On Fri, Dec 27, 2013 at 12:59:11PM -0600, Bobber wrote:
>>
>>> I recently upgraded my company's mail server to 64 Debian Wheezy. I
>>> am using the Openssl package which is version 1.0.
On 12/27/2013 01:53 PM, andrew cooke wrote:
i am not following this in any detail, but if you look at the certificate you
included in your original email it expired in 2008. just look at it with
openssl -text -in
Ok, that's good. Thanks.
sorry if i'm jumping into something i've misund
On Fri, Dec 27, 2013 at 04:53:41PM -0300, Andrew Cooke wrote:
>
> i am not following this in any detail, but if you look at the certificate you
> included in your original email it expired in 2008. just look at it with
>
>openssl -text -in
openssl x509 -text -in
> sorry if i'm jump
i am not following this in any detail, but if you look at the certificate you
included in your original email it expired in 2008. just look at it with
openssl -text -in
sorry if i'm jumping into something i've misunderstood,
andrew
On Fri, Dec 27, 2013 at 01:47:47PM -0600, Bobber wrote:
On 12/27/2013 01:29 PM, Viktor Dukhovni wrote:
On Fri, Dec 27, 2013 at 12:59:11PM -0600, Bobber wrote:
I recently upgraded my company's mail server to 64 Debian Wheezy. I
am using the Openssl package which is version 1.0.1e-2.
I am having problems when trying to send a message to one of our
On Fri, Dec 27, 2013 at 12:59:11PM -0600, Bobber wrote:
> I recently upgraded my company's mail server to 64 Debian Wheezy. I
> am using the Openssl package which is version 1.0.1e-2.
>
> I am having problems when trying to send a message to one of our
> business partners. The SMTP session appe
Thanks for your help David.
Regards,
/carl h.
On Tue, Apr 20, 2010 at 9:54 PM, David Schwartz wrote:
>
> Piper Guy1 wrote:
>
>> > This is precisely what a browser does. Again, using the
>> > "https://www.amazon.com" example, OpenSSL takes care of getting the
>> > certificate from the server, ma
allows the server to send these, lest the client does not
> have some of them. Starting from the trusted root certificate, the client
> can verify intermediate certificates in turn until it finally verifies the
> server certificate.
>
> Has that helped at all?
>
>
> ---
Piper Guy1 wrote:
> > This is precisely what a browser does. Again, using the
> > "https://www.amazon.com" example, OpenSSL takes care of getting the
> > certificate from the server, making sure the certificate is valid,
> checking
> > that the server owns the certificate, and making sure the
>
that helped at all?
-Original Message-
From: owner-openssl-us...@openssl.org on behalf of piper.guy1
Sent: Mon 4/19/2010 1:27 PM
To: openssl-users@openssl.org
Subject: Re: Verisign client requirements
David,
Sorry for my late response. (pulled in another direction for a while).
But i s
David,
Sorry for my late response. (pulled in another direction for a while).
But i still have a few holes in my understanding (and maybe my head!!).
Here are some facts about our implementation:
1. The server does not have my root certificate.
2. I do not have the server's root certificate.
3.
Piper.guy1 wrote:
> Hi,
>
> Please understand I'm a newbie to security if my question sounds
> rather elementary.
>
> The embedded product I'm working on requires a secure connection to
> our server that uses a Verisign certificate to authenticate. I've been
> porting the OpenSSL examples from
I am using s_client and s_server right now and it is working for me.
I specify the -certs file and the CAfile for the root.
Josh wrote:
Hello,
We are getting an odd self-signed cert error when using openssl s_client
to test the connection for a web service on an internal server. This
servic
Hello,
> A follow-up question just for double check. The my_cert.pem file
> consists of two parts: [RSA private key] and [certificate (public
> key)]. Is this the correct sequence? I saw a certificate file that
> contains three parts: [certificate (?)], [RSA private key],
> [certificate (public key
Thanks, much.
- Dennis
Wolfgang Riedel wrote:
Hi Dennis,
you want (maybe)
Hi Dennis,
you want (maybe)
>Hello,
>> We have a web server running on Apache/Tomcat platform (Sun Solaris 10)
>> with a VeriSign certificate. I'm trying to use the same certificate with
>> openssl 0.9.8f for my stand-alone web services application (listening on
>> separate ports, of course). So I followed the procedure a
Thanks for the quick response.
The missing piece was Root CA certificate. I downloaded (1) VeriSign's
intermediate CA cert from VeriSign web site and (2) VeriSign's Root CA
from IE browser, and put them into one CA cert file. As you described,
the subject-issuer chain is now complete. Verifica
Hello,
> We have a web server running on Apache/Tomcat platform (Sun Solaris 10)
> with a VeriSign certificate. I'm trying to use the same certificate with
> openssl 0.9.8f for my stand-alone web services application (listening on
> separate ports, of course). So I followed the procedure as in
:[EMAIL PROTECTED] On Behalf Of Kaushal Shriyan
Sent: Tuesday, August 07, 2007 11:14 PM
To: openssl-users@openssl.org
Subject: Re: Verisign Certificate
Hi Kiran
Now the verisign has given me the certificate as SSL.der format so can
you please provide me the working example using openssl to convert
I'm looking for someone who ssl enabled apache.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ricardo Stella
Sent: Tuesday, August 07, 2007 1:53 PM
To: openssl-users@openssl.org
Subject: Re: Verisign Certificate
Kaushal Shriyan wrote:
>
Kaushal Shriyan wrote:
> Hi Kiran
>
> Now the verisign has given me the certificate as SSL.der format so can
> you please provide me the working example using openssl to convert it
> into SSL.pem
> format taking my file SSL.der in question
>
> Thanks again
Verisign has extensive information on h
Hi Kiran
Now the verisign has given me the certificate as SSL.der format so can you
please provide me the working example using openssl to convert it into
SSL.pem
format taking my file SSL.der in question
Thanks again
Sorry for the trouble
Thanks and Regards
Kaushal
On 8/6/07, C K KIRAN-K
Hi,
You should have received the certificate in PEM or DER format. No need
to save the file .txt format.
Do openssl -inform "whichever form PEM or DER" -in
-noout -text
This will dump the text form of the certificate.
Regards,
Kiran
From: [EMAIL PROTE
At 11:28 AM 3/30/00 , you wrote:
>This site distributes a free software called SecureAge which
>is working on Windows 95/98/NT. It will give the user a free
>certificate issued by that company, that certificate will enable
>the user to
> - send signed/encrypted email
> - exchange secure docum
Automatic reply:
I am at a training course until 31 March.
For urgent matters, please contact Roman Iwanicki.
Regards,
Michal Trojnara
>>> "[EMAIL PROTECTED]" 03/31/00 19:21 >>>
hi,
On Fri, 31 Mar 2000, Mark H. Wood wrote:
> On Thu, 30 Mar 2000 [EMAIL PROTECTED] wrote:
> > You mis
hi,
On Fri, 31 Mar 2000, Mark H. Wood wrote:
> On Thu, 30 Mar 2000 [EMAIL PROTECTED] wrote:
> > You missed my point. Read on...
> >
> > > b) Certificates authenticate that the person is who they say they
> > > are.
hmmm... i have always thought the Certs from CA simply say yeah we know
a
mwood> Now I am surprised. The key only means that you have a
mwood> reasonably secure channel to an unknown endpoint. Do lots of
mwood> people really believe that it means any more than that? That
mwood> is frightening.
You wouldn't believe what J. Random Luser can believe...
--
Richard Lev
On Thu, 30 Mar 2000 [EMAIL PROTECTED] wrote:
> You missed my point. Read on...
>
> > b) Certificates authenticate that the person is who they say they
> > are.
> >
> > Trust goes to trusting that second statement, not the trustworthiness
> > of the company behind the statement.
> >
>
>
On Thu, 30 Mar 2000, Thomas Reinke wrote:
> [EMAIL PROTECTED] wrote:
> > So it seems to me that while the cert may certify that said organization
> > is who they say they are - nobody seems to ask if who they say they are
> > has any relevance to anything.
>
> [snip]
>
> Look back to the problem
This site distributes a free software called SecureAge which
is working on Windows 95/98/NT. It will give the user a free
certificate issued by that company, that certificate will enable
the user to
- send signed/encrypted email
- exchange secure document over the Internet
- chat securely wi
You missed my point. Read on...
> b) Certificates authenticate that the person is who they say they
> are.
>
> Trust goes to trusting that second statement, not the trustworthiness
> of the company behind the statement.
>
People in general presume that when they see the little key th
On Thu, 30 Mar 2000, Pluto wrote:
> On Tue, 28 Mar 2000, Michael Sierchio wrote:
>
> > > Concentration of economic power like we see in Verisign at this point is
> > > NEVER healthy - or am I overreacting?
> >
> > Shall we file a lawsuit?
>
> Where? Is there such a thing as a UN anti-trust
On Tue, 28 Mar 2000, Michael Sierchio wrote:
> > Concentration of economic power like we see in Verisign at this point is
> > NEVER healthy - or am I overreacting?
>
> Shall we file a lawsuit?
Where? Is there such a thing as a UN anti-trust judge? Maybe the WTO
could be interested, but they
[EMAIL PROTECTED] wrote:
>
> So it seems to me that while the cert may certify that said organization
> is who they say they are - nobody seems to ask if who they say they are
> has any relevance to anything.
[snip]
Look back to the problem it is solving
a) SSL makes sure no-one can interc
Err Verisign bought Thawte last year :)
At 09:45 pm 28/03/00, you wrote:
>Gee,
>
>Before I get flamed for the Subject:
>Of course, Verisign and Thawte are American and South African
>companies, so cannot be a monopoly (Two American companies
>doing this likely would), and of course NSI, the majo
At 08:04 PM 3/28/00 , you wrote:
>Want some free certificate from the Internet?
>Try www.secureage.com
What does this have to do with certs? The site is about a security application, .. not
certs - have I missed something?
Lee
Leland V. L
SA
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of dreamwvr
> Sent: Tuesday, March 28, 2000 6:18 PM
> To: [EMAIL PROTECTED]; Hostmaster; [EMAIL PROTECTED]
> Subject: RE: Verisign/NSI/Thawte monopoly
>
>
> hi,
> IMHO
I looked closely into purchasing a cert from Thawte and it is still
something WE'll have to do. What strikes me though is that it seems to me
that there is no real value in such a thing.
I can for instance incorporate a company and shell out about $200 and get
my cert. After that everyone trust
On Tuesday, March 28, 2000 at 04:18:15 PM, [EMAIL PROTECTED] wrote:
> hi,
> IMHO someone should create a central trusted CA that is open sourced for
> all to trust however that would take some doing..;-)) ..anyone interested:-))
I'm game for putting in some time/effort - but I think you're po
Hi,
Take a look at http://www.openca.org
Sam Stern, Bethesda, MD, USA
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of dreamwvr
> Sent: Tuesday, March 28, 2000 6:18 PM
> To: [EMAIL PROTECTED]; Hostmaster; [EMAIL PROTECTED
Want some free certificate from the Internet?
Try www.secureage.com
- Original Message -
From: Tariq Habib <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, March 28, 2000 2:30 PM
Subject: RE: Verisign
> I fully support your point of view.
>
> &g
Automatic reply:
I am at a training course until 31 March.
For urgent matters, please contact Roman Iwanicki.
Regards,
Michal Trojnara
>>> "[EMAIL PROTECTED]" 03/29/00 01:18 >>>
hi,
IMHO someone should create a central trusted CA that is open sourced for
all to trust however th
hi,
IMHO someone should create a central trusted CA that is open sourced for
all to trust however that would take some doing..;-)) ..anyone interested:-))
On Tue, 28 Mar 2000, Hostmaster wrote:
> There is no governing body that I am aware of. Is it to be yet
> another American led thing? That
There is no governing body that I am aware of. Is it to be yet
another American led thing? That is what got things to the state
they're in now.
Also, what would be an appropriate list to discuss these things, if
not openssl-users?
Bill Laakkonen
www.im1.net
> -BEGIN PGP SIGNED MESSAGE-
[EMAIL PROTECTED] wrote:
>
> Gee,
>
> Before I get flamed for the Subject:
> Of course, Verisign and Thawte are American and South African
> companies, so cannot be a monopoly
You are not well informed on the subject of law in the EU or US.
A merger, acquisition or other alliance that does or h
Hi there,
>It's time to have some kind of governing body
>to force the browser makers include all accredited
>CA's in the list of automatically trusted CA's.
>Not the ones that pay them big $$$.
Only if they also ensure that the CAs also pass some level of periodic
audit-review to ensure they're
This is way off-topic, but:
>force the browser makers include all accredited CA's in the list
Please define "accredited CA"
But somewhere else, not this list. :)
-BEGIN PGP SIGNED MESSAGE-
It's time to have some kind of governing body
to force the browser makers include all accredited
CA's in the list of automatically trusted CA's.
Not the ones that pay them big $$$.
Cheers
Paul
On Tue, 28 Mar 2000, you wrote:
> Gee,
>
> Before I get flamed for
[EMAIL PROTECTED] wrote:
>
> I just found out that Verisign has acquired NSI. A short while back they
> acquired Thawte .
> Concentration of economic power like we see in Verisign at this point is
> NEVER healthy - or am I overreacting?
Shall we file a lawsuit?
Gee,
Before I get flamed for the Subject:
Of course, Verisign and Thawte are American and South African
companies, so cannot be a monopoly (Two American companies
doing this likely would), and of course NSI, the major marketer of
Versign certs, is a registrar for domains, and this cannot be
co
I don't... This point has already been discussed in this mailing list. The
result is this: you can't trust a CA that delivers a certificate whatever
the informations you provide...
A CA is not only a technical piece of software to which you send a
request and from which you get a properly formatt
I fully support your point of view.
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> [EMAIL PROTECTED]
> Sent: Tuesday, March 28, 2000 5:20 AM
> To: [EMAIL PROTECTED]
> Subject: Verisign
>
>
> I just found out that Verisign has acquired NSI. A s
Unfortunately its not likely a Canadian company could make any real
challenge in the US or SA.
Entrust may be trying to protect themselves as they have set up their own
CA based on the chaining Thawtes root rather than looking out for the good
of the market ...
Jeff
On Wed, 12 Jan 2000, Joe A
> Can anyone tell me what "block type is not 01" means? I get a
In PKCS #1, block type 01 is private operation.
So, your error messages mean wrong private key operation or padding.
You have verisign root cert?
-
ChangHee Lee.
Initiative Technology.
Tel. 82-42-488-9040
E-mail. [EMA