Hi team,
Do you know how to programmatically specify the path of fipsmodule.cnf and load
it in application without using openssl.cnf in OpenSSL 3.0?
Historically, my product uses customized OpenSSL and doesn't have an
openssl.cnf.
I need to use FIPS module, and I try to load it, it fails un
On Thu, Nov 24, 2022 at 09:48:42AM +0530, Satyam Mehrotra wrote:
> I have encrypted pkcs#8 key file. Is there any openssl command by which I
> can view the algorithm used to encrypt it (I mean aes or des3)
Removing blank lines and passing to "asn1parse" you get:
$ openssl asn1parse -in /
Hi ,
I have encrypted pkcs#8 key file. Is there any openssl command by which I
can view the algorithm used to encrypt it (I mean aes or des3)
Appreciate for anyone's quick help :)
-BEGIN ENCRYPTED PRIVATE KEY-
MIIFFjBIBgkqhkiG9w0BBQ0wOzAjBgkqhkiG9w0BBQwwFgQQVL5oYwC9daKlhnjT
qnRoAwI
On 11/2/22 23:08, Anupam Dutta via openssl-users wrote:
I want to upgrade the openssl version from 3.0.2 to 3.0.7. My OS
version is Ubuntu 22.04.1 LTS (Jammy Jellyfish). Please help. It is urgent
Ubuntu has already dealt with the new vulnerabilities. If you do the
normal package upgrade proce
Hi Team,
I want to upgrade the openssl version from 3.0.2 to 3.0.7. My OS version is
Ubuntu 22.04.1 LTS (Jammy Jellyfish). Please help. It is urgent.
Regards,
Anupam
On 26/10/2022 18:33, pepone.onrez wrote:
Hi,
I'm trying to understand how to handle TLS alerts, I have set up a
callback with
SSL_CTX_set_info_callback(_ctx, ssl_info_callback);
And I can see alerts sent by the peer, does the application need to call
SSL_shutdown upon receiving
a
Hi,
I'm trying to understand how to handle TLS alerts, I have set up a callback
with
SSL_CTX_set_info_callback(_ctx, ssl_info_callback);
And I can see alerts sent by the peer, does the application need to call
SSL_shutdown upon receiving
a fatal alert, or is this done automatically b
Subject: I have finally figured out how to export Private Key from
Fortigate firewall and successfully install Godaddy Wildcard SSL
certificate in UniFi Cloud Key Gen 2 Plus Network Controller
Good day from Singapore,
Author: Mr. Turritopsis Dohrnii Teo En Ming
Country: Singapore
Date: 26 Oct
Dear Team,
Please provide me the list of APIs (or any sample programs) to be used at
server/client side to process session ticketing.
Currently we are in the process of migrating from session ID usage to session
ticketing.
Regards,
Sethu V
On Mon, Oct 17, 2022 at 10:28:45AM +0200, Tim Meusel wrote:
> Hi!
> I maintain a Ruby script that does PKCS#7 signing and afterwards some
> encryption with AES-128-CFB. A trimmed down version:
>
> certpath = '/tmp/cert.pem'
> keypath = '/tmp/key/pem'
> data = 'teststring'
> key = OpenSSL::PKey::RS
Hi!
I maintain a Ruby script that does PKCS#7 signing and afterwards some
encryption with AES-128-CFB. A trimmed down version:
certpath = '/tmp/cert.pem'
keypath = '/tmp/key/pem'
data = 'teststring'
key = OpenSSL::PKey::RSA.new(File.read(keypath), '1234')
cert = OpenSSL::X509::Certificate.new(F
ENGINE_load_private_key() function
to load and use asymmetric private key in the hardware device.
How to set and use symmetric key in the hardware device ? is there any
example for my case?
Hi all,
When the openssl interactive mode was still possible, you could set up an
engine and then use it as follows:
OpenSSL> engine -t dynamic -pre
SO_PATH:/usr/lib64/openssl/engines/engine_pkcs11.so -pre ID:pkcs11 -pre
LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib64/pkcs11/onepin-opensc-pkc
omes quite difficult to work on low-level
> implementations and it might require including some definitions of data
> structures.
>
> Besides this side-notes, the issue we are facing is related to how to link
> the OID for the public key algorithm with the NID for the dynamically added
facing is related to how to
link the OID for the public key algorithm with the NID for the
dynamically added one. Let me explain with some code.
When our LibPKI starts up, it initializes the crypto layer and adds the
Composite method by using the EVP_PKEY_ASN1_METHOD and EVP_PKEY_METHOD:
// We
How do I actually select the protocol for ALPN? I have this:
SSL_client_hello_cb_fn set_alpn_cb(SSL* ssl, int* alert, const unsigned char*
arg)
{
constexpr int ext_type{
TLSEXT_TYPE_application_layer_protocol_negotiation };
int extensions[1]{ ext_type };
std::size_t
ge, no? And if it is, how do I parse the ClientHello message to
extract it and respond?
The unsupported protocol error usually means there is a mismatch between
the supported TLS versions on the client and the server. For example if
the server only supports TLSv1.3 and the client only sup
fter sorting them out I have another issue: this
error came up:
Lines 625 and 626:
handshake: unsupported protocol (SSL routines,
tls_early_post_process_client_hello)
This is likely a HTTP/2 upgrade request inside a TLS ClientHello message, no?
And if it is, how do I parse the ClientHello mess
On Thu, 2022-06-09 at 13:14 +, Beilharz, Michael wrote:
> well, i use:
>
> pkcs12 -in "cert.p12" -clcerts -nokeys -out cert.PEM" -passin
> pass:
> pkcs12 -in "cert.p12" -nocerts -out tmpkey.PEM -passin pass: -
> passout pass:
Instead of this step you can just use:
pkcs12 -in "cert.p12" -noce
sprüngliche Nachricht-
From: Hubert Kario
Sent: Thursday, 9 June 2022 14:59
To: Beilharz, Michael
Cc: openssl-users@openssl.org
Subject: Re: AW: How to figure out if .P12 is RSA or ECC crypted
On Thursday, 9 June 2022 14:54:48 CEST, Beilharz, Michael wrote:
Well, i have to convert the
4:59
To: Beilharz, Michael
Cc: openssl-users@openssl.org
Subject: Re: AW: How to figure out if .P12 is RSA or ECC crypted
On Thursday, 9 June 2022 14:54:48 CEST, Beilharz, Michael wrote:
> Well, i have to convert the .P12 into .PEMs and there are different
> steps with openssl.exe the c
penssl pkey` command...
Regards
Michael
-Original Message-
From: openssl-users On Behalf Of Viktor Dukhovni
Sent: Thursday, 9 June 2022 14:40
To: openssl-users@openssl.org
Subject: Re: How to figure out if .P12 is RSA or ECC crypted
On Thu, Jun 09, 2022 at 10:16:24AM +, Bei
ke to offer only one import option and the
import routine analyse the .P12 to decide RSA or ECC import routine.
Regards
Michael
-Original Message-
From: openssl-users On Behalf Of Viktor
Dukhovni
Sent: Thursday, 9 June 2022 14:40
To: openssl-users@openssl.org
Subject: Re:
On Thu, Jun 09, 2022 at 10:16:24AM +, Beilharz, Michael wrote:
> I retrieve .P12 certificates, they can be RSA or ECC crypted
PKCS#12 objects are encrypted with a *symmetric* password: 3DES, AES,
... Perhaps you're confusing the public key algorithm in the
certificate (or corresponding priva
–in cert.p12
shows at a RSA crypted P12 as friendlyName valid and by using a ECC crypted P12
valid_ec
Is this the correct way to figure out the kind of how a P12 is crypted?
Thanks for any help ☺
Regards
Michael
as applied, the sender decided not to proceed
>> with
>> >> negotiation.
>> >> However, I can't find a way to generate this alert in openssl,
>> although
>> >> openssl can handle receiving it.
>> >> How do I make a
section 6.2:
>> access_denied: A valid certificate or PSK was received, but when
>> access control was applied, the sender decided not to proceed with
>> negotiation.
>> However, I can't find a way to generate this alert in openssl, although
>>
SK was received, but when
>> access control was applied, the sender decided not to proceed with
>> negotiation.
>> However, I can't find a way to generate this alert in openssl, although
>> openssl can handle receiving it.
>> How do I make a call
can't find a way to generate this alert in openssl, although
openssl can handle receiving it.
How do I make a callback return a non-defined (as in not defined in the
headers) alert?
This is not currently possible.
OpenSSL has an internal table which maps verify errors to TLS alerts:
enssl, although
openssl can handle receiving it.
How do I make a callback return a non-defined (as in not defined in the
headers) alert?
Best regards,
Christian
12 command does not have an -
outform option.
And for those having it such as openssl x509, it is not needed because
PEM is the default.
Regards,
David
>
> From: openssl-users On Behalf Of
> Beilharz, Michael
> Sent: Wednesday, May 25, 2022 3:10 AM
> To: 'openssl-users@o
Try adding the following command line arguments: -outform pem
From: openssl-users On Behalf Of Beilharz,
Michael
Sent: Wednesday, May 25, 2022 3:10 AM
To: 'openssl-users@openssl.org'
Subject: How to convert .P12 Certificate (ECC crypted) to .PEMs
CAUTION: Email originated exter
nvert a .P12 certificate, which is crypted/created with ECC.
The first command still works (I think so, 'cause there are no errors):
openssl pkcs12 -in "inCert.p12" -clcerts -nokeys -out "outCert.pem" -passin
pass:
But not the rest of the commands. I tried to use the ec or ec
Since OpenSSL 3.0,
one can use the `-copy_extensions` option of openssl req to copy over any
SANs contained in the CSR to the cert being created
or use -addext to directly specify extensions without the need to use a
config file,
or simply use the -x509 and -subj options to build a cert from scratch
Henning Svane wrote:
> I am using OpenSSL 1.1.1f Is there a way to make a SAN certificate
> based on the CSR I have created in Exchange. I need a self-signed
> certificate for testing.
I'm not exactly sure what you think a SAN certificate is.
I guess one with a SubjectAltName extens
Hi
I am using OpenSSL 1.1.1f
Is there a way to make a SAN certificate based on the CSR I have created in
Exchange.
I need a self-signed certificate for testing.
Regards
Henning
l.org
Subject: Re: How does a client get the server's SAN/DNS strings
> On 17 Apr 2022, at 11:29 am, Michel wrote:
>
> What a beautiful source code !
> If only all software could be written like this !
The Postfix project aims for code quality, security and backwards
compatibility
> On 17 Apr 2022, at 11:29 am, Michel wrote:
>
> What a beautiful source code !
> If only all software could be written like this !
The Postfix project aims for code quality, security and backwards
compatibility over hastily deployed shiny new features. You'll
find many examples of careful/corr
Waouh, waouh, waouh !!!
What a beautiful source code !
If only all software could be written like this !
Thanks for the example Viktor.
>
https://github.com/vdukhovni/postfix/blob/postfix-3.5/postfix/src/tls/tls_cl
ient.c#L756-L794
--
Viktor.
On Sat, Apr 16, 2022 at 03:02:16PM -0700, Hal Murray wrote:
> openssl-us...@dukhovni.org said:
> > Can you explain *why* you want the list of DNS names?
> > Is this just for logging..
>
> Yes, just for logging.
https://github.com/vdukhovni/postfix/blob/postfix-3.5/postfix/src/tls/tls_client.
ope it helps, it is very late in the night here.
Michel.
-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Hal Murray
Sent: Sunday, 17 April 2022 00:02
To: openssl-users@openssl.org
Subject: Re: How does a client get the server's
openssl-us...@dukhovni.org said:
> Can you explain *why* you want the list of DNS names?
> Is this just for logging..
Yes, just for logging.
--
These are my opinions. I hate spam.
On Sat, Apr 16, 2022 at 01:18:57PM -0700, Hal Murray wrote:
> I can get the subject and issuer with
> X509_get_subject_name and X509_get_issuer_name
>
> I'm looking for something similar to get the SAN/DNS strings used to verify
> that this certificate is valid for the hostname provided via SS
nssl.org] On Behalf Of
Hal Murray
Sent: Saturday, 16 April 2022 22:19
To: openssl-users@openssl.org
Subject: How does a client get the server's SAN/DNS strings
I can get the subject and issuer with
X509_get_subject_name and X509_get_issuer_name
I'm looking for something similar to get th
I can get the subject and issuer with
X509_get_subject_name and X509_get_issuer_name
I'm looking for something similar to get the SAN/DNS strings used to verify
that this certificate is valid for the hostname provided via SSL_set1_host
Any API will be slightly complicated since there may be mo
tion.
> Also what (open source) ca software do you recommend instead?
I've never had to build a production CA, so I don't have any suggestions, I'm
afraid. And even if I had, I don't know what your use cases are, so I wouldn't
know how well they mapped to my (hypothetical) ones. Different entities will
have some difference in requirements.
--
Michael Wojcik
Hi,
I have a hard time figuring out how to use --api=x.y.z regarding
OPENSSL_API_COMPAT define.
https://github.com/openssl/openssl/blob/openssl-3.0.1/INSTALL.md#api-level
https://www.openssl.org/docs/man3.0/man7/OPENSSL_API_COMPAT.html
Say I have #define OPENSSL_API_COMPAT 0x010101000L in one
On 10.03.2022 20:17, Michael Ströder via openssl-users wrote:
>
> Are you 100% sure all the software used by your relying participants is
> capable of handling the X509v3 extensions involved?
>
> In practice I saw software miserably fail validating such certs and CRLs. Or
> also CAs failed to gen
> From: openssl-users On Behalf Of
> Michael Ströder via openssl-users
> Sent: Thursday, 10 March, 2022 12:17
>
> On 3/10/22 14:06, edr dr wrote:
> > At the same time, I do not want to store passwords used for
> > certificate creation in cleartext anywhere.
Personally, I'd be leery of using open
On 3/10/22 14:06, edr dr wrote:
I would like to be able to automate the process of updating CRLs in
order to be able to keep the CRL validity time short.
Understandable.
At the same time, I do not want to store passwords used for
certificate creation in cleartext anywhere.
It's a pity that the
enough the verification still recognizes revoked certs included in the crl
as valid:
$ openssl verify -CAfile ~/tmp/ca3/rootca/certs/ca.cert.pem -CRLfile
~/tmp/ca3/intermediate/indirect-revoker/crl/ca.crl.pem
~/tmp/ca3/intermediate/revoked/certs/ca.cert.pem
/home/me/tmp/ca3/intermediate/revoked/certs/
On Sun, Mar 06, 2022 at 02:39:55AM +, loic nicolas wrote:
> Hello,
>
> I can't figure out how OpenSSL connections work.
>
> I would like to use 2 bios (rbio, wbio) which will be shared for all my
> connections.
I'm not sure why you would want to do this. Why wo
Hello,
I can't figure out how OpenSSL connections work.
I would like to use 2 bios (rbio, wbio) which will be shared for all my
connections.
The problem is that I really don't understand the error messages.
I never get an SSL_ERROR_WANT_WRITE error code, I only get SSL_ERROR_WANT_
Ask LibreSSL for support here. LibreSSL is **not** OpenSSL.
Pauli
On 4/3/22 3:55 pm, Edward Tsang via openssl-users wrote:
the openssl I'm using is in mac
openssl version -a
LibreSSL 2.8.3
On Thu, Mar 3, 2022 at 8:05 PM Edward Tsang wrote:
Ok here is what I tried but still complaining
> On 3 Mar 2022, at 11:55 pm, Edward Tsang via openssl-users
> wrote:
>
> the openssl I'm using is in mac
> openssl version -a
> LibreSSL 2.8.3
LibreSSL is not OpenSSL. This is not the right forum for LibreSSL
questions.
--
Viktor.
the openssl I'm using is in mac
openssl version -a
LibreSSL 2.8.3
On Thu, Mar 3, 2022 at 8:05 PM Edward Tsang wrote:
> Ok here is what I tried but still complaining about unknown options
> -verify_hostname
> openssl s_client -connect google.com -CAfile etc/auth/cacert.pem
> -verify_hostname goog
On Thu, Mar 03, 2022 at 08:05:34PM -0800, Edward Tsang via openssl-users wrote:
> Ok here is what I tried but still complaining about unknown options
> -verify_hostname
> openssl s_client -connect google.com -CAfile etc/auth/cacert.pem
> -verify_hostname google.com -verify_return_error
Perhaps y
Ok here is what I tried but still complaining about unknown options
-verify_hostname
openssl s_client -connect google.com -CAfile etc/auth/cacert.pem
-verify_hostname google.com -verify_return_error
unknown option -verify_hostname
usage: s_client args
On Thu, Mar 3, 2022 at 4:10 PM Viktor Dukhovni
> On 3 Mar 2022, at 6:09 pm, Edward Tsang via openssl-users
> wrote:
>
> openssl s_client -CApath . -CAfile ./cacert.pem -verify_hostname example.com
>
> All I get is "unknown option -verify_hostname
> usage: s_client args"
>
> Have tried combinations of that and check out of doc... really no
Hi,
I am having a very hard time to get the command line working.
Basically just trying to verify hostname via openssl command line:
openssl s_client -CApath . -CAfile ./cacert.pem -verify_hostname
example.com
All I get is "unknown option -verify_hostname
usage: s_client args"
Have tried comb
Thanks for your information.
Issue has been raised:
https://github.com/openssl/openssl/issues/17681
-Original Message-
From: Dr. Matthias St. Pierre [mailto:matthias.st.pie...@ncp-e.com]
Sent: 10 February 2022 0:03
To: Chenxinping ; openssl-users@openssl.org
Subject: RE: How run the specific test case //Reply: How to
Hi list members,
I got a file 'document.pdf' and a 'document_pdf.cms'. Using 'openssl pkcs7'. It
seems to be DER encoded and I can extract multiple certs, a CA, an intermediate
and a signer's certificate. I have tried some variants of 'openssl cms
-verify', but most end with a
~~~
Error reading
The problem lies with the Perl script, not the C program.
The perl script generates the file 17-renegotiate.cnf.default from the template
file 17-renegotiate.cnf.in.
The environment variable “${ENV::TEST_CERTS_DIR}” should have been replaced by
Perl.
Please open an issue on GitHub, it’s easier
_load(conf, test_get_argument(0), NULL) > 0' failed @
test/ssl_test.c:550
# [0] compared to [0]
# ERROR: @ test/ssl_test.c:553
From: Dr. Matthias St. Pierre [mailto:matthias.st.pie...@ncp-e.com]
Sent: 9 February 2022 23:31
To: Chenxinping ; openssl-users@openssl.org
Subject: RE: How run the specific t
Ah ok, maybe I slightly misunderstood your question. From your transcript I
infer that the testsuite ran the perl script `generate_ssl_tests.pl`, which
generated some test files and then ran the binary `ssl_test` as follows:
./test/ssl_test ./test-runs/test_ssl_new/17-renegotiate.cnf.default
If
lient received no alert.
ok 15 - iteration 15
ok 16 - iteration 16
ok 17 - iteration 17
# OPENSSL_TEST_RAND_ORDER=1644408281
not ok 1 - test_handshake
From: Dr. Matthias St. Pierre [mailto:matthias.st.pie...@ncp-e.com]
Sent: 9 February 2022 19:31
To:
From: openssl-users On Behalf Of
Chenxinping via openssl-users
Sent: Wednesday, February 9, 2022 4:49 AM
To: openssl-users@openssl.org
Subject: How to run a simple test case
The config file has some ENV variables, which causes loading the config
file to fail. How to run a simple test case
The config file has some ENV variables, which causes loading the config
file to fail. How to run a simple test case?
Example:
./test/ssl_test ./test-runs/test_ssl_new/17-renegotiate.cnf.default
ERROR: @ test/ssl_test.c:553
Hello, I have received your e-mail and will read it as soon as possible. Thank you!
> On 26 Jan 2022, at 9:14 am, Bartlomiej wrote:
>
> I have a PEM file on the device which can contain an encrypted/non-encrypted
> private key. When it's encrypted, it's using PBES/PBKDF. The file is accessed
> from a C++ application which uses the OpenSSL library. If the key is
> encrypted, t
Hello,
I have a PEM file on the device which can contain an
encrypted/non-encrypted private key. When it's encrypted, it's using
PBES/PBKDF. The file is accessed from a C++ application which uses the
OpenSSL library. If the key is encrypted, then it should be PKCS#8, but
checking it is PKCS
f
> "Distinguished Names" in server "certificate request" extensions, when
> soliciting client certificates. This can be necessary to, e.g., solicit
> client certificates from Java applications, which select the certificate
> to use based on the names suggested
Hello, I have received your e-mail and will read it as soon as possible. Thank you!
"Distinguished Names" in server "certificate request" extensions, when
soliciting client certificates. This can be necessary to, e.g., solicit
client certificates from Java applications, which select the certificate
to use based on the names suggested by the server.
> How can I se
bytes received, data <
>
I took some tcpdump to analyze the data received from the client and
replied back to the client. I can see that the Distinguished Name has a
length of 0.
I apologize in advance for the question and the poor details. How can I set
in my SSL code the v
Subject: How to renew and install SSL certificate for
Virtualmin/Webmin, Apache web server, Dovecot and Postfix for a
company in Singapore on 6 Dec 2021 Mon
Author: Mr. Turritopsis Dohrnii Teo En Ming (TARGETED INDIVIDUAL)
Country: Singapore
Date: 6 Dec 2021 Monday Singapore Time
Type of
"openssl ciphers" will show you the correct names which in this case is
DHE-RSA-AES128-GCM-SHA256
On Wed, 2021-11-17 at 16:25 +0800, M K Saravanan wrote:
> Hi,
>
> Do I need to do any config to enable DHE based ciphers in openssl for
> command line usage?
>
> $ openssl s_client -cipher 'DHE_RSA_
> I am extremely for making such a basic stupid mistake.
I am extremely sorry.
On Wed, 17 Nov 2021 at 21:19, M K Saravanan wrote:
>
> Thanks Matt.
>
> I am extremely for making such a basic stupid mistake.
>
> On Wed, 17 Nov 2021 at 18:33, Matt Caswell wrote:
> >
> >
> >
> > On 17/11/2021 08:25
Thanks Matt.
I am extremely for making such a basic stupid mistake.
On Wed, 17 Nov 2021 at 18:33, Matt Caswell wrote:
>
>
>
> On 17/11/2021 08:25, M K Saravanan wrote:
> > Hi,
> >
> > Do I need to do any config to enable DHE based ciphers in openssl for
> > command line usage?
> >
> > $ openssl
On 17/11/2021 08:25, M K Saravanan wrote:
Hi,
Do I need to do any config to enable DHE based ciphers in openssl for
command line usage?
$ openssl s_client -cipher 'DHE_RSA_WITH_AES_128_GCM_SHA256' -connect
10.10.16.100:443
You have the wrong name for this ciphersuite. OpenSSL uses its own
Hi,
Do I need to do any config to enable DHE based ciphers in openssl for
command line usage?
$ openssl s_client -cipher 'DHE_RSA_WITH_AES_128_GCM_SHA256' -connect
10.10.16.100:443
Error with command: "-cipher DHE_RSA_WITH_AES_128_GCM_SHA256"
139775998456896:error:140E6118:SSL
routines:ssl_cipher
unsubscribe
From: openssl-users on behalf of Dr Paul
Dale
Sent: Wednesday, November 10, 2021 2:20:03 PM
To: openssl-users@openssl.org
Subject: Re: OpenSSL-3.+ how to configure [random]?
I'm pretty sure the
al, Uri - 0553 - MITLL wrote:
> Yes, it's related to https://github.com/openssl/openssl/issues/16996, and
yes - the same solution worked.
>
> There's something wrong with how PKCS#11 engine deals with (or presents
itself as) rand provider.
> In any case, rem
it's related to https://github.com/openssl/openssl/issues/16996, and yes -
the same solution worked.
There's something wrong with how PKCS#11 engine deals with (or presents itself
as) rand provider.
In any case, removing PKCS#11 engine from the [engines] section alleviated this
Yes, it's related to https://github.com/openssl/openssl/issues/16996, and yes -
the same solution worked.
There's something wrong with how PKCS#11 engine deals with (or presents itself
as) rand provider.
In any case, removing PKCS#11 engine from the [engines] section alleviated thi
Dr Paul Dale" wrote:
> >
> > >Currently I've no idea and can't reproduce locally :(
> >
> > Maybe you'd know how to force the "-engine rdrand" path through
> > "openssl.cnf"?
> >
> > >A rogue confi
On Wed, 2021-11-10 at 03:38 +, Blumenthal, Uri - 0553 - MITLL
wrote:
> On 11/9/21, 22:23, "Dr Paul Dale" wrote:
>
> > Currently I've no idea and can't reproduce locally :(
>
> Maybe you'd know how to force the "-engine rdrand" path thr
dylib
#default_algorithms = ALL
#CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
PBE_PARAMS = "gost12_512"
Where does "rdrand" engine fit in, and how do I tell OpenSSL to load it?
There's no "dynamic_path" that I know of.
I don't think the rdrand en
't reproduce locally :(
Maybe you'd know how to force the "-engine rdrand" path through "openssl.cnf"?
A rogue configuration file could cause the DRBGs/seeds to fail. Do you
have seed=rdrand line in the random section? That will cause the
seeding
On 11/9/21, 22:23, "Dr Paul Dale" wrote:
>Currently I've no idea and can't reproduce locally :(
Maybe you'd know how to force the "-engine rdrand" path through "openssl.cnf"?
>A rogue configuration file could cause the DRBGs/seeds
seed_properties
> This sets the property query used when fetching the
randomness source.
>
> I want to configure this [random] to use CTR-DRBG, using RDRAND as "seed". Based on "openssl list
-seeds", I guess "seed = rdrand"
e property query used when fetching the
randomness source.
>
> I want to configure this [random] to use CTR-DRBG, using RDRAND as
"seed". Based on "openssl list -seeds", I guess "seed = rdrand" should be OK.
What properties can I set, if any? How does th
ndom] to use CTR-DRBG, using RDRAND as "seed". Based on "openssl list
-seeds", I guess "seed = rdrand" should be OK. What properties can I set, if any? How does this
"[random]" relate to the RDRAND *engine* (see below)?
$ openssl3 engine
d = rdrand" should be OK. What
properties can I set, if any? How does this "[random]" relate to the RDRAND
*engine* (see below)?
$ openssl3 engine rdrand -t
(rdrand) Intel RDRAND engine
[ available ]
Thanks!
--
Regards,
Uri Blumenthal Voice: (
Thank you very much
Regards,
Shariful Alam
On Fri, Sep 3, 2021 at 10:29 AM Matt Caswell wrote:
>
>
> On 03/09/2021 17:24, Shariful Alam wrote:
> > Thank you very much.
> > So the output of "*openssl rsa -in mykey.pem -text -noout*" is a base64
> > hex format?
>
> It's a hex format. "base64 hex"
>
>
>
>
On 03/09/2021 17:24, Shariful Alam wrote:
Thank you very much.
So the output of "*openssl rsa -in mykey.pem -text -noout*" is a base64
hex format?
It's a hex format. "base64 hex" makes no sense. base64 is not hex, and
vice versa.
Matt
Regards,
Shariful
On Fri, Sep 3, 2021 at 7:55 AM
Thank you very much.
So the output of "*openssl rsa -in mykey.pem -text -noout*" is a base64 hex
format?
Regards,
Shariful
On Fri, Sep 3, 2021 at 7:55 AM Matt Caswell wrote:
>
>
> On 03/09/2021 14:49, Billy Brumley wrote:
> >>> Hello,
> >>> Is there any command-line tool to get the plain text r
On 03/09/2021 14:49, Billy Brumley wrote:
Hello,
Is there any command-line tool to get the plain text rsa private key
like the following format from .pem file?
openssl rsa -in mykey.pem -noout -text
It would in fact be much more educational to advocate pkey, which is
cryptosystem agnostic
> > Hello,
> > Is there any command-line tool to get the plain text rsa private key
> > like the following format from .pem file?
>
> openssl rsa -in mykey.pem -noout -text
It would in fact be much more educational to advocate pkey, which is
cryptosystem agnostic
openssl pkey -in mykey.pem -noout