Displaying 20 results from an estimated 23 matches for "pkix".
2019 Mar 15
3
regarding ssl certificates
Is there some reason to use a mail.domain.com cert for mail rather than just using domain.com for everything?
Historically the subdomains were used because they were on different hardware. That is, www was on one machine and mail was on another.
-------- Original Message --------
From: dovecot at dovecot.org
Sent: March 14, 2019 3:56 PM
To: dovecot at dovecot.org
Reply-to: jtam.home at gmail.com
2023 Mar 10
1
OpenSSH FIPS support
...ently work on a project that requires an SSH server with FIPS and using OpenSSL v3.
There is no way to work with OpenSSL v3 due to many reasons.
If you would like a FIPS-capable secsh implementation compatible with OpenSSL FIPS validated modules 1.2 and 2.0, RedHat ES, or Oracle Solaris, you could use PKIX-SSH.
Regards,
Roumen Petrov
--
Advanced secure shell implementation with X.509 certificate support
http://roumenpetrov.info/secsh/
2019 Mar 15
0
regarding ssl certificates
With PKIX validation the certificate should match the hostname.
With SMTP, the hostname should match the reverse IP though often it does
not.
Using subdomains gives you flexibility.
with DANE validation, it is DNSSEC that validates the fingerprint to the
hostname so I do not believe there is a need for...
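Added example for the certificate question in this thread (new code, not from either post or from Dovecot): PKIX hostname matching as a validating client applies it, followed by the DANE TLSA record form that binds a server's public key to a hostname through DNSSEC instead. The SAN lists, hostnames and SPKI bytes are constructed for the demo.

```python
import hashlib


def match_dns_name(pattern, hostname):
    """RFC 6125 dNSName matching: case-insensitive; a leading '*' stands for
    exactly one left-most label, never for the bare domain, and only when at
    least two labels follow it (so '*.com' matches nothing)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def cert_matches_host(san_dns_names, hostname):
    """PKIX: the name the client connected to must match a dNSName in the
    certificate's subjectAltName; a cert for domain.com alone does not cover
    mail.domain.com, and vice versa."""
    return any(match_dns_name(name, hostname) for name in san_dns_names)


def tlsa_3_1_1(spki_der):
    """Rdata of a DANE-EE(3) SPKI(1) SHA-256(1) TLSA record, published at
    _25._tcp.<hostname>; the hostname binding comes from the DNSSEC-signed
    owner name, not from anything inside the certificate."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


def dane_matches(tlsa_rdata, spki_der):
    """Validate a server's SubjectPublicKeyInfo against a 3 1 1 record."""
    usage, selector, mtype, digest = tlsa_rdata.split()
    if (usage, selector, mtype) != ("3", "1", "1"):
        raise ValueError("only usage 3, selector 1, matching type 1 handled")
    return digest.lower() == hashlib.sha256(spki_der).hexdigest()


# Constructed inputs for the demo (not real certificates or keys).
SAN_APEX_ONLY = ["domain.com"]
SAN_BOTH = ["domain.com", "mail.domain.com"]
SAN_WILDCARD = ["*.domain.com"]
FAKE_SPKI = b"constructed placeholder SPKI bytes, not a real key"

if __name__ == "__main__":
    for san in (SAN_APEX_ONLY, SAN_BOTH, SAN_WILDCARD):
        for host in ("domain.com", "mail.domain.com", "imap.mail.domain.com"):
            print(f"{san!s:36} {host:22} {cert_matches_host(san, host)}")
    record = tlsa_3_1_1(FAKE_SPKI)
    print("_25._tcp.mail.domain.com. IN TLSA", record)
    print("DANE match:", dane_matches(record, FAKE_SPKI))
```

The wildcard case is the flexibility the reply refers to: one `*.domain.com` certificate covers mail, imap and www hosts but not the apex or deeper names. With a DANE-EE (usage 3) record the owner name in DNS does that job and the name check on the certificate is not needed (RFC 7672); for DANE-TA (usage 2) the certificate name must still match.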
2017 Oct 13
8
Status of OpenSSL 1.1 support
Hi,
more or less a year ago Kurt Roeckx provided an initial port towards the
OpenSSL 1.1 API [0]. The patch has been left untouched [1], and there have
been complaints about a missing compat layer between the new and the old API
within the OpenSSL library [2].
This is how I reconstructed the situation as of today and I am not
aware of any progress in regard to the newer library within the OpenSSH
project.
2013 Jan 08
6
Why is localhost self-signed cert a CA cert?
...ine of learning the 'best' options to use for OpenSSL and
dealing with the default SSL virtual host for Apache, I discovered that
the localhost cert created (I believe) during firstboot has the X509v3
extensions set as a CA cert (eg basicConstraint CA:TRUE). I was once
very involved in PKIX and legal issues on certificate policy. Having
the localhost cert be a CA cert, thus allowed to sign other certs,
MAY have legal implications in the USofA and EU.
Why was this chosen? Why is -extensions v3_req not used in the
certificate creation?
Oh you can see this for yourself with:
o...
2003 Jun 15
2
dvd+rw-tools ported to FreeBSD (Sony 500A DVD[+/-]R[W] support)
I just finished up a port of Andy Polyakov's excellent dvd+rw-tools
to FreeBSD, and he has incorporated the patches into his release:
http://fy.chalmers.se/~appro/
http://fy.chalmers.se/~appro/linux/DVD+RW/
http://fy.chalmers.se/~appro/linux/DVD+RW/tools/
(version 5.8.4.4.4)
These tools support DVD-R, DVD-RW, DVD+R, and DVD+RW format dvd burners,
including the popular Sony
2015 Oct 08
3
[PATCH] Enabling ECDSA in PKCS#11 support for ssh-agent
Thomas Calderon <calderon.thomas at gmail.com> writes:
> Hi,
>
> There is no need to add new mechanism identifiers to use specific curves.
>
> This can be done already using the CKM_ECDSA mechanism parameters (see
> CKA_ECDSA_PARAMS
> in the standard).
> Given that the underlying HW or SW tokens supports Ed25519 curves, then you
> could leverage it even with
2006 Jul 26
11
Finding perl-MIME-Base64
I am told by yum localinstall that I need this for TinyCA2.
When I search for it, it seems like it SHOULD be part of basic perl
package, but it is hard to argue with yum on dependencies.....
2023 Aug 17
21
[Bug 3603] New: ssh clients can't communicate with server with default cipher when fips is enabled at server end
https://bugzilla.mindrot.org/show_bug.cgi?id=3603
Bug ID: 3603
Summary: ssh clients can't communicate with server with default
cipher when fips is enabled at server end
Product: Portable OpenSSH
Version: 9.4p1
Hardware: All
OS: Linux
Status: NEW
Severity: critical
2023 Mar 10
2
OpenSSH FIPS support
Hi,
We currently work on a project that requires an SSH server with FIPS and using OpenSSL v3.
Patching OpenSSH for this looks to be a massive job. Is it something that is considered on your side?
Is it currently a work in progress by somebody else as far as you know? Or something that has been partially done and aborted in the past, that could be relevant?
We just started considering making this and
2006 Apr 27
0
Announce: X.509 certificates support in OpenSSH version 5.4
..."x509v3-sign-rsa-sha1" and "x509v3-sign-dss-sha1"
The implementation realised in previous version 5.3 is not fully in conformance
with "draft-ietf-secsh-x509-02.txt"
* correct nid for OCSP responder location
All versions before 5.4 search for the nid "id-pkix-ocsp-service-locator"
instead of the correct one, "id-ad-ocsp", to find the location of the OCSP responder.
* public key permits X.509 certificate for authentication
Now a public key listed in the authorized keys file also permits an X.509 certificate
with a public key that matches it to be use...
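Added example serving two posts in these results, the 2013 question about the localhost certificate carrying basicConstraints CA:TRUE and the announcement above about searching for the wrong OCSP nid (new code, not from either post, not from the PKIX-SSH project, and standard library only): a minimal DER walker that reads the basicConstraints extension (OID 2.5.29.19) to decide whether a certificate is a CA, and reads authorityInfoAccess (OID 1.3.6.1.5.5.7.1.1) by matching the exact id-ad-ocsp access method OID 1.3.6.1.5.5.7.48.1. Searching for id-pkix-ocsp-service-locator (1.3.6.1.5.5.7.48.1.7, an OCSP request extension, RFC 6960) instead finds nothing in an ordinary AIA extension, which is the bug the announcement fixes. The extension bytes are constructed with the same helpers rather than taken from a real certificate.

```python
OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_AUTHORITY_INFO_ACCESS = "1.3.6.1.5.5.7.1.1"
OID_ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"              # RFC 5280 id-ad-ocsp
OID_ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"        # RFC 5280 id-ad-caIssuers
OID_OCSP_SERVICE_LOCATOR = "1.3.6.1.5.5.7.48.1.7"  # RFC 6960, an OCSP request extension


def encode_oid(dotted):
    """DER content of an OBJECT IDENTIFIER (first two arcs packed, base-128 rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes(body)


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def der(tag, content):
    """One DER TLV with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def iter_tlv(data):
    """Yield (tag, content) for each TLV in a DER byte string."""
    i = 0
    while i < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        yield tag, data[i:i + n]
        i += n


def extension(oid, value, critical=False):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    body = der(0x06, encode_oid(oid)) + (der(0x01, b"\xff") if critical else b"")
    return der(0x30, body + der(0x04, value))


def basic_constraints(ca):
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }; DER omits defaults."""
    return der(0x30, der(0x01, b"\xff") if ca else b"")


def access_description(method_oid, uri):
    """AccessDescription with a uniformResourceIdentifier ([6] IA5String) location."""
    return der(0x30, der(0x06, encode_oid(method_oid)) + der(0x86, uri.encode("ascii")))


def parse_extensions(exts_der):
    """Map extnID -> (critical, extnValue bytes) for an Extensions SEQUENCE."""
    tag, seq = next(iter_tlv(exts_der))
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    out = {}
    for _, ext in iter_tlv(seq):
        parts = list(iter_tlv(ext))
        critical = len(parts) == 3 and parts[1][1] != b"\x00"
        out[decode_oid(parts[0][1])] = (critical, parts[-1][1])
    return out


def is_ca(exts):
    """True only when basicConstraints is present with cA TRUE, i.e. the
    certificate may sign further certificates (the CA:TRUE localhost case)."""
    if OID_BASIC_CONSTRAINTS not in exts:
        return False
    _, body = next(iter_tlv(exts[OID_BASIC_CONSTRAINTS][1]))
    return any(t == 0x01 and v != b"\x00" for t, v in iter_tlv(body))


def access_locations(exts, method_oid):
    """URIs in authorityInfoAccess whose accessMethod equals method_oid exactly."""
    if OID_AUTHORITY_INFO_ACCESS not in exts:
        return []
    _, seq = next(iter_tlv(exts[OID_AUTHORITY_INFO_ACCESS][1]))
    found = []
    for _, desc in iter_tlv(seq):
        (mt, method), (lt, loc) = list(iter_tlv(desc))
        if mt == 0x06 and decode_oid(method) == method_oid and lt == 0x86:
            found.append(loc.decode("ascii"))
    return found


# Constructed extension sets for the demo (not taken from any real certificate).
AIA_VALUE = der(0x30, access_description(OID_ID_AD_CA_ISSUERS, "http://ca.example.test/ca.der")
                + access_description(OID_ID_AD_OCSP, "http://ocsp.example.test/"))
CA_STYLE_EXTS = parse_extensions(der(0x30, extension(OID_BASIC_CONSTRAINTS, basic_constraints(True), critical=True)))
EE_STYLE_EXTS = parse_extensions(der(0x30, extension(OID_BASIC_CONSTRAINTS, basic_constraints(False), critical=True)
                                     + extension(OID_AUTHORITY_INFO_ACCESS, AIA_VALUE)))

if __name__ == "__main__":
    print("CA-style cert is a CA:", is_ca(CA_STYLE_EXTS))
    print("end-entity cert is a CA:", is_ca(EE_STYLE_EXTS))
    print("OCSP via id-ad-ocsp:", access_locations(EE_STYLE_EXTS, OID_ID_AD_OCSP))
    print("OCSP via serviceLocator:", access_locations(EE_STYLE_EXTS, OID_OCSP_SERVICE_LOCATOR))
```

On a real certificate the same extensions are visible with `openssl x509 -in cert.pem -noout -text`; to produce the end-entity form with `openssl req -x509`, point `-extensions` at a config section whose `basicConstraints` is `CA:FALSE` rather than at one that sets `CA:TRUE`.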
2012 Jan 15
0
X.509 certificate integration continue with PKCS11 and FIPS capable OpenSSL
...)
Note client and server use the first listed in X509KeyAlgorithm for
signing and accept all listed, as is documented in the ssh_config(5) and
sshd_config(5) manual pages.
So if you use a version before 5.3 (released on 21 Jan 2006) you must update.
Third party clients and servers could check for PKIX in the ssh
identification string to adjust the preferred signature hash at run time.
Regards,
Roumen Petrov
--
Get X.509 certificates support in OpenSSH:
http://roumenpetrov.info/openssh/
2005 Oct 05
2
ssh-agent add PKCS#11 support
...ing the PKCS#11
support you can drop the opensc code, users can use the
opensc PKCS#11 provider in order to access their keys.
Is the current implementation of ssh-agent the final
one? I am asking this before I implement code that may be
dramatically changed (for example, support for X509 and PKIX).
Best Regards,
Alon Bar-Lev.
2024 Oct 09
1
sshd fails when using cryptodev-linux to compute hmac
...es to it.
OpenBSD hates loadable modules. So you cannot expect support for such
functionality.
>
>> If so it's possible sshd's multiprocess model and/or file descriptor handling is confusing it.
> This seems like a reasonable explanation based on what I've seen so far.
PKIX-SSH supports loadable modules (engines) and so tries to ensure proper
management of the cryptographic library. This includes slightly different
management of file descriptors, taking into account that some openssl
configurations require open descriptors to devices. Also note that this
could be a loadab...
2016 Nov 02
3
OpenSSL 1.1.0 support
On 11/02/2016 01:43 AM, Colin Watson wrote:
> On Sun, Sep 18, 2016 at 08:22:31PM +0200, Kurt Roeckx wrote:
>> Attached is a patch that add supports for building against OpenSSL
>> 1.1.0. I also made a github pull request for it at:
>> https://github.com/openssh/openssh-portable/pull/48
> Hi,
>
> Debian unstable now has OpenSSL 1.1.0 as the default, so I'll have to
2023 Mar 10
2
OpenSSH FIPS support
On Fri, Mar 10, 2023 at 10:27 AM Joel GUITTET
<jguittet.opensource at witekio.com> wrote:
> We currently work on a project that require SSH server with FIPS and
> using OpenSSL v3.
Gently: this is meaningless. You probably mean one of the following:
1. The SSH server implementation is required to use only cryptographic
algorithms that are FIPS-approved.
2. The SSH server
2023 Apr 19
3
FIPS compliance efforts in Fedora and RHEL
Dear Damien,
On Wed, Apr 19, 2023 at 9:55 AM Damien Miller <djm at mindrot.org> wrote:
>
> On Wed, 19 Apr 2023, Dmitry Belyavskiy wrote:
>
> > > While I'm sure this is good for RHEL/rawhide users who care about FIPS,
> > > Portable OpenSSH won't be able to merge this. We explicitly aim to support
> > > LibreSSL's libcrypto as well as
2024 Oct 09
3
sshd fails when using cryptodev-linux to compute hmac
Hi Damien,
> I don't know anything about cryptodev-linux, but I assume it's an openssl engine?
Cryptodev-linux is a kernel module that provides access to kernel crypto drivers, especially hardware-accelerated crypto, through the /dev/crypto device. Openssl implements an engine which interfaces to it.
> If so it's possible sshd's multiprocess model and/or file descriptor
2016 Nov 14
4
OpenSSL 1.1.0 support
On Mon, 14 Nov 2016, Jakub Jelen wrote:
> Thank you for the comments. I understand the upstream directions and
> that the OpenSSL step is not ideal. The distros will probably have to
> carry these patches until the changes will settle down a bit.
AFAIK Red Hat employs at least one OpenSSL maintainer. What is their
view on this situation?
> Other possible solution we were discussing
2012 Nov 23
1
Public Key Authentication
Hi,
I wonder, how can I use openssh Public key authentication with
ActivCard pkcs11 x509 certificate store and login to only my account
reading/using username provided from certificate DN, or principal
name, friendly name?
b111887 and e411617 is administrator on this os. I have rights to put
e411617 pub keys to b111887 home folder authorized keys. And because
openssh asks me to provide