Re: Remove All Software Generators

2019-10-30 Thread Jochen Bern
ed stack randomization, SSH logins from remote that fail, etc. etc.. Kind regards, -- Jochen Bern Systemingenieur E jochen.b...@binect.de W www.binect.de

Re: How to rotate cert when only first matching cert been verified

2020-12-24 Thread Jochen Bern
ne was already issued, so at least the server admin would prefer to have the old SC revoked but *not* the new one. Kind regards, -- Jochen Bern Systemingenieur Binect GmbH

Re: openssl-users Digest, Vol 73, Issue 29

2020-12-25 Thread Jochen Bern
enario. Back then, I "fixed" the "problem" by appending A,B,C,... to the CN - which was possible because we're using *actual CAs* there. For server certs, where you need the CN to match the FQDN, you might want to add an OU with a timestamp so as to have the *DN* as a whole differ ... Kind regards, Jochen Bern Systemingenieur Binect GmbH

Re: CVE-2022-3602 and CVE-2022-3786 Critical OpenSSL 3.0.x security vulnerabilities

2022-11-02 Thread Jochen Bern
tall it so as to install a current version from a different source. Kind regards, -- Jochen Bern Systemingenieur Binect GmbH

Re: [openssl-users] scripting creating a cert

2017-03-10 Thread Jochen Bern
> set_var EASYRSA_REQ_CITY "San Francisco"
> set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
> set_var EASYRSA_REQ_EMAIL m...@example.net
> set_var EASYRSA_REQ_OU "My Organizational Unit"
> set_var EASY

Re: [openssl-users] How many SAN entries...?

2017-04-27 Thread Jochen Bern
nteresting. Unless, maybe, it's a boatload of ("typo"?) aliases from the same organization. [Remembers manually splitting others' PGP pubkeys into single-user-ID ones after signing parties so as to send every freshly-signed ID only to the *one* address stated in it] Regards, -- J

Re: [openssl-users] How many SAN entries...?

2017-04-27 Thread Jochen Bern
rs when a new cert is issued. I'ld say you'ld get users and their pitchforks asking for multiple SINGLE-attribute/value certs real fast. Regards, -- Jochen Bern Systemingenieur Fon:+49 6151 9067-231 Fax:+49 6151 9067-290 E-Mail: jochen.b...@binect.de www.binect.de w

Re: [openssl-users] Is there a "Golden" CA makefile?

2017-04-30 Thread Jochen Bern
branch you're adminning from. (*) Of course, there *are* other techniques to work around the problem, but.) Regards, -- Jochen Bern Systemingenieur Fon:+49 6151 9067-231 Fax:+49 6151 9067-290 E-Mail: jochen.b...@binect.de www.binect.de www.facebook.de/binect

Re: [openssl-users] Hardware client certificates moving to Centos 7

2017-09-27 Thread Jochen Bern
course, if you need it.) Kind regards, -- Jochen Bern Systemingenieur www.binect.de

Re: [openssl-users] Hardware client certificates moving to Centos 7

2017-09-27 Thread Jochen Bern
On 09/27/2017 10:10 PM, Michael Wojcik wrote:
> On Behalf Of Jochen Bern
> Sent: Wednesday, September 27, 2017 06:51
>> I don't know offhand which OpenSSL versions did away with MD5, but you
>> *can* install an 0.9.8e (+ RHEL/CentOS backported security patches)
>>

Re: [openssl-users] SSL Cert serial number non-uniqueness impact

2018-01-14 Thread Jochen Bern
icates by means of a) the CA keypair that issued it (the pubkey being represented in the signature) and b) the serial number, *not* pubkey / DN / ..., of the invalid cert. If that's not unique, revoking one of the affected certs will have the effect of revoking them all. Regards, -- Jochen Bern S

Re: [openssl-users] Has client validated successfully?

2018-02-20 Thread Jochen Bern
CA chain in addition to its own certificate, anyway, so it's debatable whether you even *need* the result of the client's verification as an input to send the root as well.) Kind regards, -- Jochen Bern Systemingenieur Binect GmbH

Re: [openssl-users] PRNG is not seeded

2018-05-31 Thread Jochen Bern
eezing available entropy out of various less-than-predictable hardware and OS states is what *all* non-hardware entropy gatherers ultimately do, from the Linux kernel's /dev/random mechanisms to haveged to what-have-you. Regards, -- Jochen Bern Systemingenieur www.binect.de www.facebook.de/binect

Re: [openssl-users] PRNG is not seeded

2018-06-06 Thread Jochen Bern
's practical for real-world data centers; implementation and > equipment costs are low. [has been trying to acquire a better *NTP* source than public unsigned servers in certain data centers for 8+ years] :-C Regards, -- Jochen Bern Systemingenieur www.binect.de www.facebook.de/binect

Re: Internal IP Exposed

2019-03-25 Thread Jochen Bern
rver (and, if present, reverse proxy solution) you're using. Regards, -- Jochen Bern Systemingenieur www.binect.de www.facebook.de/binect