search for: ecparam

...i > > > > Aki, I just used the "EC key" instructions from the Dovecot MailCrypt wiki: > https://wiki.dovecot.org/Plugins/MailCrypt > > " > In order to generate an EC key, you must first choose a curve from the > output of this command: > > openssl ecparam -list_curves > > If you choose the curve prime256v1, generate and EC key with the command: > > openssl ecparam -name prime256v1 -genkey | openssl pkey -out > ecprivkey.pem > > Then generate a public key out of your private EC key > > openssl pkey -in ecprivkey.pem -p...

...cate signing request and the signed certificate. The csr created from a private key with [ openssl genpkey -algorithm RSA ] and signed by a CA with [ ecdhe_ecdsa ] works with no error. But as stated in the initial message it does not work if the private key for the csr is generated with [ openssl ecparam -name brainpoolP512t1 -genkey ].

> On 11 April 2019 00:49 David Salisbury via dovecot <dovecot at dovecot.org> wrote: > > > >>> > >> Yes. I gave it a try here, and it seems to work. Does it give any extra > >> information if you include -i flag? > >> > >> Aki > >> > > > > Yes, I had tried that, and it doesn't give much extra information, at

Hi, facing [ no shared cipher ] error with EC private keys. This happens when the private key is generated with [ openssl ecparam -name brainpoolP512t1 -genkey ] with OpenSSL 1.1.0hh on the same machine Dovecot is running on. Tried some variations of [ ssl_cipher_list ] but to no avail - the [ no shared cipher ] error persists. Once the key is generated with [ openssl genpkey -algorithm RSA ] however the error is gone. Thu...

...Maybe there is some difference? > > Aki > Aki, I just used the "EC key" instructions from the Dovecot MailCrypt wiki: https://wiki.dovecot.org/Plugins/MailCrypt " In order to generate an EC key, you must first choose a curve from the output of this command: > openssl ecparam -list_curves If you choose the curve prime256v1, generate and EC key with the command: > openssl ecparam -name prime256v1 -genkey | openssl pkey -out ecprivkey.pem Then generate a public key out of your private EC key > openssl pkey -in ecprivkey.pem -pubout -out ecpubkey.pem " -Da...

...is it enough to omit the mail_crypt_global_private_key from the userdb lookup? In other word, mail_plugins still active with mail_crypt, will that cause user account to be encrypted unexpectedly if no private key is given? 3. Example command to create EC key does not ask for password, openssl ecparam command does not seem to have password arg. If I want password-protection should I use RSA key which the doc tell to be discouraged?

...;> >> The csr created from a private key with [ openssl genpkey -algorithm RSA >> ] and signed by a CA with [ ecdhe_ecdsa ] works with no error. >> >> But as stated in the initial message it does not work if the private key >> for the csr is generated with [ openssl ecparam -name brainpoolP512t1 >> -genkey ]. >> >> > Can you try, with your ECC cert, > > openssl s_client -connect server:143 -starttls imap > > and paste result? > This is for the certificate where the csr is generated with an EC private key and the [ no shared cipher...

...o: machine: debian 6 (x64) dovecot 2.0.15-0~auto+21 ((f6a2c0e8bc03) from http://xi.rename-it.nl/debian openssl 1.0.0e-2 from testing (as the default 0.9.8o-4squeeze3 needs also the parameter -cipher ECCdraft for testing) creating keys+cert for ecc (i.e. curves prime192v1, secp521r1) # openssl ecparam -name prime192v1 -genkey -out prime192v1.key # openssl req -new -key prime192v1.key -out prime192v1.csr # openssl req -x509 -in prime192v1.csr -key prime192v1.key -out prime192v1.crt testing these in 2 windows # openssl s_server -cert prime192v1.crt -key prime192v1.key -www # openssl s_client no...

...ed > certificate. > > The csr created from a private key with [ openssl genpkey -algorithm RSA > ] and signed by a CA with [ ecdhe_ecdsa ] works with no error. > > But as stated in the initial message it does not work if the private key > for the csr is generated with [ openssl ecparam -name brainpoolP512t1 > -genkey ]. > > Hi! Can you show doveconf ssl_cipher_list? Aki

...> certificate. > > The csr created from a private key with [ openssl genpkey -algorithm RSA > ] and signed by a CA with [ ecdhe_ecdsa ] works with no error. > > But as stated in the initial message it does not work if the private key > for the csr is generated with [ openssl ecparam -name brainpoolP512t1 > -genkey ]. > > Can you try, with your ECC cert, openssl s_client -connect server:143 -starttls imap and paste result? Aki

...rom a private key with [ openssl genpkey -algorithm RSA >>>> ] and signed by a CA with [ ecdhe_ecdsa ] works with no error. >>>> >>>> But as stated in the initial message it does not work if the private key >>>> for the csr is generated with [ openssl ecparam -name brainpoolP512t1 >>>> -genkey ]. >>>> >>>> >>> Can you try, with your ECC cert, >>> >>> openssl s_client -connect server:143 -starttls imap >>> >>> and paste result? >>> >> This is for the certifica...

...ale flushbyasid decodeassists pausefilter pfthreshold overflow_recov root at officelink01:~# openssl help Standard commands asn1parse ca ciphers cms crl crl2pkcs7 dgst dhparam dsa dsaparam ec ecparam enc engine errstr gendsa genpkey genrsa help list nseq ocsp passwd pkcs12 pkcs7 pkcs8 pkey pkeyparam pkeyutl prime rand...

...sr created from a private key with [ openssl genpkey -algorithm RSA > >> ] and signed by a CA with [ ecdhe_ecdsa ] works with no error. > >> > >> But as stated in the initial message it does not work if the private key > >> for the csr is generated with [ openssl ecparam -name brainpoolP512t1 > >> -genkey ]. > >> > >> > > Can you try, with your ECC cert, > > > > openssl s_client -connect server:143 -starttls imap > > > > and paste result? > > > > This is for the certificate where the csr is gener...

...pkey -algorithm RSA > >>>>> ] and signed by a CA with [ ecdhe_ecdsa ] works with no error. > >>>>> > >>>>> But as stated in the initial message it does not work if the private key > >>>>> for the csr is generated with [ openssl ecparam -name brainpoolP512t1 > >>>>> -genkey ]. > >>>>> > >>>>> > >>>> Can you try, with your ECC cert, > >>>> > >>>> openssl s_client -connect server:143 -starttls imap > >>>> > >>&g...

>> I've tried specifying an output file as well, per the script's command line options, >> but the output file is 0 bytes.? Does anyone have any suggestions?? I *think* I'm >> using it the way it's intended to be used, but maybe I'm not?! >> -Dave > > Hi! > Maybe the key you tried was not used to encrypt the file? > Aki Aki,

...e are no issues creating private keys, issuing csr, signing certs with that particular curve. Printing certs and verifying certs against keys is panning out too, comparing md5 hashes also no errors. So why would openssl not accept (limit) keys is has generated and verified with no error? [ openssl ecparam -list_curves ] ? secp112r1 : SECG/WTLS curve over a 112 bit prime field ? secp112r2 : SECG curve over a 112 bit prime field ? secp128r1 : SECG curve over a 128 bit prime field ? secp128r2 : SECG curve over a 128 bit prime field ? secp160k1 : SECG curve over a 160 bit prime field ? secp160r1 : SECG...

...y with [ openssl genpkey -algorithm RSA >>>>> ] and signed by a CA with [ ecdhe_ecdsa ] works with no error. >>>>> >>>>> But as stated in the initial message it does not work if the private key >>>>> for the csr is generated with [ openssl ecparam -name brainpoolP512t1 >>>>> -genkey ]. >>>>> >>>>> >>>> Can you try, with your ECC cert, >>>> >>>> openssl s_client -connect server:143 -starttls imap >>>> >>>> and paste result? >>>&gt...

...pausefilter pfthreshold overflow_recov > > root at officelink01:~# openssl help > Standard commands > asn1parse         ca                ciphers           cms > crl               crl2pkcs7         dgst              dhparam > dsa               dsaparam          ec                ecparam > enc               engine            errstr            gendsa > genpkey           genrsa            help              list > nseq              ocsp              passwd            pkcs12 > pkcs7             pkcs8             pkey              pkeyparam > pkeyutl           prime      ...

...ollows: Server: CentOS 7 x86_64 (Elastix 4 RC) with IP: 10.1.0.4 192.168.5.146 asterisk-11.21.0 patched to work around https://issues.asterisk.org/jira/browse/ASTERISK-25659 openssl-1.0.1e-51.el7_2.2.x86_64 [root at elx4 ~]# openssl version OpenSSL 1.0.1e-fips 11 Feb 2013 [root at elx4 ~]# openssl ecparam -list_curves secp384r1 : NIST/SECG curve over a 384 bit prime field secp521r1 : NIST/SECG curve over a 521 bit prime field prime256v1: X9.62/SECG curve over a 256 bit prime field Client: Fedora 23 x86_64 Linphone (linphone-3.6.1-10.fc23.x86_64) Firefox 43 (firefox-43.0.3-1.fc23.x86_64) Go...

...ng out too, comparing md5 hashes also no errors. So why </div> <div> would openssl not accept (limit) keys is has generated and verified with </div> <div> no error? </div> <div> <br> </div> <div> [ openssl ecparam -list_curves ] </div> <div> secp112r1 : SECG/WTLS curve over a 112 bit prime field </div> <div> secp112r2 : SECG curve over a 112 bit prime field </div> <div> secp128r1 : SECG curve over a 128 bit prime field </div>...