search for: ocsp

Displaying 20 results from an estimated 64 matches for "ocsp".

2016 Mar 03
2
Implementation of TLS OCSP Stapling
On 03-03-16 14:09, Gedalya wrote: > On 03/03/2016 07:30 AM, Stephan Bosch wrote: >> BTW, I can imagine that Thunderbird can already do that, as it shares much of the Firefox code base. > Thunderbird definitely does validate certificates via OCSP, enabled by default and I've run into that the hard way a couple of times wrt StartSSL having issues with their responder. This isn't hypothetical, guys.... OCSP status querying isn't the same as verifying stapled OCSP responses though. Can't find Thunderbird's support for stap...
2016 Jun 17
2
https and self signed
On 17.06.2016 19:57, ????????? ???????? wrote: >>> Then OCSP stapling is the way to go but it could be a real PITA to >>> setup for the first time and may not be supported by older browsers >>> anyway. >>> >> not really, because the same server tells the client that the SSL >> certificate is good, as the SSL certifica...
2016 Mar 03
4
Implementation of TLS OCSP Stapling
Hi all, About a year ago, Torsten already asked for OCSP stapling (http://dovecot.org/pipermail/dovecot/2015-April/100632.html). Unfortunately, there was no answer to his question. Now RFC 7633 ("TLS Feature Extension", https://tools.ietf.org/html/rfc7633, a.k.a. "Must Staple") has landed, revocation is getting serious! I personally...
2016 Jun 17
2
https and self signed
On 17.06.2016 16:27, ????????? ???????? wrote: > Walter H. ????? 2016-06-16 22:54: >> On 16.06.2016 21:42, ????????? ???????? wrote: >>> >>> I don't think OCSP is critical for free certificates suitable for >>> small businesses and personal sites. >>> >> this is philosophy; >> >> I'd say when you do it then do it good, else don't do it; > > Then OCSP stapling is the way to go but it could be a real PITA t...
2016 Mar 03
2
Implementation of TLS OCSP Stapling
On 3-3-2016 at 13:04, A. Schulze wrote: > > dovecot: > >> So I would like to know if Dovecot is planning to feature OCSP stapling. >> That way I know for sure my "must staple" certificates can be used by >> Dovecot. And in my opinion, every TLS offering daemon should be up to >> par to the capabilities of TLS.. Not lag behind :) >> >> What's your opinion on this matter? >...
2016 Mar 03
3
Implementation of TLS OCSP Stapling
On 03-03-16 13:04, A. Schulze wrote: > > dovecot: > >> So I would like to know if Dovecot is planning to feature OCSP stapling. >> That way I know for sure my "must staple" certificates can be used by >> Dovecot. And in my opinion, every TLS offering daemon should be up to >> par to the capabilities of TLS.. Not lag behind :) >> >> What's your opinion on this matter? >...
2018 May 01
2
OCSP Stapling and Certificate Transparency
Hi, For CAs that do not include a signed certificate timestamp in their newly-issued certificates, does Dovecot support either OCSP stapling or the Certificate Transparency TLS extension? If the TLS extension is supported, how does the admin configure the timestamp for each certificate? I'm wondering if any MUAs will follow Google's lead and insist on CT. Thank you! -Felipe Gasper Mississauga, Ontario
2017 Apr 16
1
Simple OCSP server ??
What about the pki package that comes with Centos? pki-server and pki-ca? On 04/16/2017 11:54 AM, Alice Wonder wrote: > Oh I don't know, their github works. > > However it seems that it isn't able to deal with more than one ocsp > signing key. > > On 04/16/2017 08:40 AM, Robert Moskowitz wrote: >> >> >> On 04/14/2017 10:41 PM, Alice Wonder wrote: >>> https://www.openca.org/ might fit my needs. >> >> their Centos repo does not exist, it seems? >> >>> >>>...
2017 Apr 16
2
Simple OCSP server ??
...be using a wildcard in DNS with an intermediary that >> signs the user x.509 certificates. >> >> Using an intermediary to sign their certificates though means I can't >> just revoke their certificates by removing the DNS certificate, I'll >> need to provide an OCSP server for when one of their private keys gets >> compromised. >> >> I found >> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/install-oscp.html >> >> but it looks like that is intended for enterprise,...
2018 Oct 31
1
OCSP Stapling and Certificate Transparency
...8 at 19:03 Felipe Gasper < felipe at felipegasper.com >> <mailto:felipe at felipegasper.com>> wrote: >> >> >> Hi, >> >> For CAs that do not include a signed certificate timestamp in their >> newly-issued certificates, does Dovecot support either OCSP stapling >> or the Certificate Transparency TLS extension? >> >> If the TLS extension is supported, how does the admin configure the >> timestamp for each certificate? >> >> I'm wondering if any MUAs will follow Google's lead and insist on CT. >> >> T...
2017 Apr 15
2
Simple OCSP server ??
...e-mail addresses in DNS Instead, I will be using a wildcard in DNS with an intermediary that signs the user x.509 certificates. Using an intermediary to sign their certificates though means I can't just revoke their certificates by removing the DNS certificate, I'll need to provide an OCSP server for when one of their private keys gets compromised. I found https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/install-oscp.html but it looks like that is intended for enterprise, more complex than I need. Anyone know of a good si...
2017 Apr 16
0
Simple OCSP server ??
Oh I don't know, their github works. However it seems that it isn't able to deal with more than one ocsp signing key. On 04/16/2017 08:40 AM, Robert Moskowitz wrote: > > > On 04/14/2017 10:41 PM, Alice Wonder wrote: >> https://www.openca.org/ might fit my needs. > > their Centos repo does not exist, it seems? > >> >> On 04/14/2017 06:29 PM, Alice Wonder wrote: >...
2016 Jun 16
2
https and self signed
On 16.06.2016 21:42, ????????? ???????? wrote: >> that is right, but think of your potential clients, because >> wosign has a problem - slow OCSP, ... >> because their server infrastructure is located in China, and not the >> best bandwidth ... >> >> when validity checks of the used SSL certificate very probably fail, >> it is worse than not using SSL ... > > I don't think OCSP is critical for free cert...
2017 Apr 15
0
Simple OCSP server ??
...> Instead, I will be using a wildcard in DNS with an intermediary that > signs the user x.509 certificates. > > Using an intermediary to sign their certificates though means I can't > just revoke their certificates by removing the DNS certificate, I'll > need to provide an OCSP server for when one of their private keys gets > compromised. > > I found > https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/install-oscp.html > but it looks like that is intended for enterprise, more complex than I > need....
2018 May 01
0
OCSP Stapling and Certificate Transparency
... Hi, For CAs that do not include a signed certificate timestamp in their newly-issued certificates, does Dovecot support either OCSP stapling or the Certificate Transparency TLS extension? If the TLS extension is supported, how does the admin configure the timestamp for each certificate? ...
2015 Apr 25
1
google-earth crashes on CentOS 6.6
...0212:ERROR:net_util.cc(2195)] Not implemented reached in bool net::HaveOnlyLoopbackAddresses() Failed to load "/opt/google/earth/free/libinput_plugin.so" because "/usr/lib64/libstdc++.so.6: version `GLIBCXX_3.4.14' not found (required by ./libLeap.so)" [0425/000213:ERROR:nss_ocsp.cc(581)] No URLRequestContext for OCSP handler. [0425/000213:ERROR:nss_ocsp.cc(581)] No URLRequestContext for OCSP handler. <SNIP> Another crash happened while handling crash! [mlapier at peach /]$ NOTE: google-earth-stable.x86_64 0:7.1.2.2041-0 was running on my system a couple of weeks ago...
2016 Jun 17
1
https and self signed
On 17.06.2016 22:39, ????????? ???????? wrote: >> yes and no, but faking a valid OCSP response that says good instead of >> revoked is also possible ... > > Could you please provide any proof for that statement? If it were true > the whole PKI infrastructure should probably be thrown out of the > window. ) question back: is the SHA2 discussion a real security im...
2015 Apr 26
0
TLS OCSP Stapling
Hi, is there a plan to support TLS OCSP stapling in the near future? Regards Torsten
2016 Jun 16
2
https and self signed
On 15.06.2016 15:57, ????????? ???????? wrote: > Nowadays it's quite easy to get normal ssl certificates for free. E.g. > > http://www.startssl.com > http://buy.wosign.com/free that is right, but think of your potential clients, because wosign has a problem - slow OCSP, ... because their server infrastructure is located in China, and not the best bandwidth ... when validity checks of the used SSL certificate very probably fail, it is worse than not using SSL ... Walter
2016 Jun 17
0
https and self signed
>> Then OCSP stapling is the way to go but it could be a real PITA to >> setup for the first time and may not be supported by older browsers >> anyway. >> > not really, because the same server tells the client that the SSL > certificate is good, as the SSL certificate itself; > the...