Displaying 20 results from an estimated 39 matches for "crls".
2015 Feb 17
0
/etc/ssl/certs/dovecot.pem erased by OpenSuse's update mechanism
On 2015/2/16 16:28, Jochen Bern wrote:
> On 02/16/2015 04:23 PM, Reindl Harald wrote:
>>> "The CA file should contain the certificate(s) followed by the
>>> matching CRL(s). Note that the CRLs are required to exist. For a
>>> multi-level CA place the certificates in this order:
>>>
>>> Issuing CA cert
>>> Issuing CA CRL
>>> Intermediate CA cert
>>> Intermediate CA CRL
>>> Root CA cert
>>>...
2015 Feb 16
1
/etc/ssl/certs/dovecot.pem erased by OpenSuse's update mechanism
Thanks for the note. I had never seen anything in the postfix and apache documentation that the CRLs could be intermingled with the CRTs in the CRT file. The documentation for those programs suggests putting the CRLs in a separate file (e.g. apache SSLCARevocationFile) or doesn't talk about putting CRLs in with the certs (e.g. postfix smtpd_tls_cert_file). If it works to put them all in one fi...
2013 Apr 07
1
ssl_require_crl does not work as expected
...r
certificates with our
own CA and we do NOT use certificate revocation lists.
So I put "ssl_require_crl = no" into 10-ssl.conf. I did not find a solution
neither
in the wiki nor somewhere else, so I finally started to read the source.
My impression is that openssl will always try to use CRLs. If
"ssl_require_crl = no"
dovecot will use CRLs but tries to ignore openssl error codes
X509_V_ERR_UNABLE_TO_GET_CRL and X509_V_ERR_CRL_HAS_EXPIRED.
This is done in ssl_verify_client_cert() in ssl-proxy-openssl.c line 871,
namely
i_info("proxy=%d, require_crl=%d, error=%d",...
2015 Feb 16
2
/etc/ssl/certs/dovecot.pem erased by OpenSuse's update mechanism
...'s needs are a bit different from other software, and so it is unclear whether the files won't be unique to it. For example, I haven't seen the following before I read it on the Dovecot wiki:
"The CA file should contain the certificate(s) followed by the matching CRL(s). Note that the CRLs are required to exist. For a multi-level CA place the certificates in this order:
Issuing CA cert
Issuing CA CRL
Intermediate CA cert
Intermediate CA CRL
Root CA cert
Root CA CRL"
On 2015/2/16 06:42, Wolfgang Gross wrote:
> On 16 Feb 2015 at 21:59, Nick Edwards w...
2008 Aug 18
3
Samba 3.0.x access rights issue with secondary groups or Unix rights
...ls=52
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51201
smb_tid=3
smb_pid=588
smb_uid=101
smb_mid=1024
smt_wct=0
smb_bcc=0
[2008/08/15 12:25:22, 10] smbd/open.c:open_file_ntcreate(1347)
open_file_ntcreate: fname=jdoe/Application Data/Microsoft/SystemCertificates/My/CRLs, after mapping access_mask=0x1
[2008/08/15 12:25:22, 5] smbd/files.c:file_new(123)
allocated file structure 1332, fnum = 5428 (5 used)
[2008/08/15 12:25:22, 4] smbd/open.c:open_file_ntcreate(1605)
calling open_file with flags=0x0 flags2=0x0 mode=0700, access_mask = 0x1, open_access_mask = 0x1
[...
2015 Sep 16
2
Secure boot
After updates to grub2 and kernel in CentOS 7, today, systems will no
longer boot in Secure Boot mode. I'm not positive, but I think grub2 is
the culprit.
Is anyone else seeing the same problem?
2015 Sep 17
1
Secure boot
...ntos/grubx64.efi
---------------------------------------------
certificate address is 0x7fb81b3cb808
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Red Hat Inc.
No signer email address.
Signing time: Thu Mar 26, 2015
There were certs or crls included.
---------------------------------------------
[root at vagrant ~]# pesign --show-signature --in
/var/tmp/grub2-17/boot/efi/EFI/centos/grubx64.efi
---------------------------------------------
certificate address is 0x7fde869bd808
Content was not encrypted.
Content is detached; signature...
2009 Jun 17
0
[Announce] Dirmngr 1.0.3 released
Hi!
We are pleased to announce the availability of Dirmngr version 1.0.3.
Dirmngr is a server for managing and downloading certificate
revocation lists (CRLs) for X.509 certificates and for downloading the
certificates themselves. Dirmngr also handles OCSP requests as an
alternative to CRLs. Although Dirmngr can be invoked on demand, it
should in general be installed as a system daemon.
Get it from:
ftp://ftp.gnupg.org/gcrypt/dirmngr/dirmngr-1.0.3....
2003 Jan 30
0
X.509 certificates support in OpenSSH - version f is ready
...of "X.509 certificates support in OpenSSH"
Please update your bookmarks/favorites with the new location:
http://roumenpetrov.info/openssh
Old location is available too:
http://satva.skalasoft.com/~rumen/openssh
What's new:
* support "Certificate Revocation Lists" (CRLs)
* ssh-keyscan can show hostkey with certificates
* information about X.509 certificates support added to all necessary manual pages
* Distinguished name/Subject in RFC2253 format and item order is not important
* script to create CRL used in tests
* test scripts for ssh-agent and CR...
2015 Sep 21
4
Dovecot proxy ignores trusted root certificate store
...s.crt
This doesn't work either (and the Dovecot Wiki shows it used without "<"):
ssl_client_ca_file = </usr/local/share/certs/ca-root-nss.crt
And "ssl_require_crl = no" to silence "unable to get certificate CRL" log
messages. I don't need it to check CRLs on the backend's certificate
chain.
2017 Sep 21
2
Restrict root clients / experimental patch
...d I issued a few client
certificates.
No server configuration is needed when a new client is added; when a client
is revoked a CRL
<https://en.wikipedia.org/wiki/Certificate_revocation_list> must be updated
and pushed to all servers.
By the way I didn't get glusterfs servers to accept my CRLs, do some people
use it?
Notes:
* groups are not handled right now and since users may change groups
regularly I don't think it would be a great idea to freeze them in a
certificate. The bricks could possibly do an ldap lookup in order to
retrieve and cache the groups for an uid.
* Clients ob...
2019 Jun 16
2
Self-signed TLS client certificates
...nstead of a password. So I searched and found this wiki
page: <https://wiki2.dovecot.org/SSL/DovecotConfiguration#Client_certificate_verification.2Fauthentication>
But that Wiki page says:
> The CA file should contain the certificate(s) followed by the matching
> CRL(s). Note that the CRLs are required to exist.
I have now messed three hours or so with OpenSSL to get a CRL generated
for my self-signed certificate, but I can't get that to work (the
problem apparently being that OpenSSL doesn't play well with private
keys on smartcards). It doesn't make sense anyway, why...
2006 Jun 13
5
1.0.beta9 released
...pam_setcred() unless setcred=yes PAM passdb
argument was given.
* Moved around settings in dovecot-example.conf to be in more logical
groups.
+ Local delivery agent (deliver binary) works again.
+ LDAP: Added support for SASL binding. Patch by Geert Jansen
+ ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log
invalid sent certificates. If verbose_ssl=yes, log even the valid
certificates. When using the username from the certificate, use
CommonName. Based on patch by HenkJan Wolthuis
+ PAM: Set PAM_TTY which is needed by some PAM plugins
+ dovecot --exec-mail ext <...
2017 Sep 22
0
Restrict root clients / experimental patch
...ificates.
> No server configuration is needed when a new client is added; when a
> client is revoked a CRL
> <https://en.wikipedia.org/wiki/Certificate_revocation_list> must be updated
> and pushed to all servers.
> By the way I didn't get glusterfs servers to accept my CRLs, do some
> people use it?
>
> Notes:
> * groups are not handled right now and since users may change groups
> regularly I don't think it would be a great idea to freeze them in a
> certificate. The bricks could possibly do an ldap lookup in order to
> retrieve and ca...
2009 Nov 04
2
Certificates Revocation Lists and Apache...
...3 2009 GMT
Signature Algorithm: sha1WithRSAEncryption
03:...
...
...:8d
-----BEGIN X509 CRL-----
MIIB...
...
...v40=
-----END X509 CRL-----
I also tried all sorts of verify combos, but all fail:
$ openssl verify -verbose -config openssl.conf -purpose crlsign -crl_check cassl/crl.pem
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...
$ openssl verify -verbose -CApath cassl/ -purpose crlsign -crl_check cassl/crl.pem
unable to load certificate
9605:error:0906D06C:PEM routines:PEM_r...
2006 Jul 01
0
activerecord generating wrong syntax with postgresql
...'Certificate',
:foreign_key => 'issuer_id'
has_many :current_crl, :class_name => 'CRL',
:finder_sql => 'SELECT id, issuer_id, last_update, MAX(next_update) ' +
'AS next_update FROM crls GROUP BY id'
end
end
end
2015 Feb 16
0
/etc/ssl/certs/dovecot.pem erased by OpenSuse's update mechanism
...are a bit different from other software, and so it is unclear whether the files won't be unique to it. For example, I haven't seen the following before I read it on the Dovecot wiki:
>
> "The CA file should contain the certificate(s) followed by the matching CRL(s). Note that the CRLs are required to exist. For a multi-level CA place the certificates in this order:
>
> Issuing CA cert
> Issuing CA CRL
> Intermediate CA cert
> Intermediate CA CRL
> Root CA cert
> Root CA CRL"
that is how you can and should build your PEM fi...
2015 Sep 22
0
Dovecot proxy ignores trusted root certificate store
...either (and the Dovecot Wiki shows it used without
> "<"):
>
> ssl_client_ca_file = </usr/local/share/certs/ca-root-nss.crt
>
> And "ssl_require_crl = no" to silence "unable to get certificate CRL"
> log messages. I don't need it to check CRLs on the backend's
> certificate chain.
2007 Aug 07
0
Announce: X.509 certificates support in OpenSSH (version 6.0-International)
..." (subject) with
escaped symbols or in UTF-8 charset. If unescaped certificate subject
contains characters with code above 127 (us-ascii) it is handled always as
UTF-8 string.
- LDAP queries in conformance to [RFC2254]
In validation process "X.509 store" lookup for certificates and CRLs in
files stored on file system. If is enabled (at configure time) this
lookup can query LDAP server too. Attributes in query should be escaped
and the versions before current escape attributes as is described in
[RFC2253]. Now attributes are escaped in addition as is recommended in
[RFC2254]....