search for: secp521r1

...g a curve >>>> that is not acceptable for openssl as a server key. >>>> I tested with openssl s_server -cert ec-cert.pem -key ec-key.pem >>>> -port 5555 >>>> using cert generated with brainpool. Everything works if I use >>>> prime256v1 or secp521r1. This is a limitation in OpenSSL and not >>>> something we can really do anything about. >>>> Aki Tuomi >>>> Open-Xchange Oy >>> Which openssl version you are using? This end it is OpenSSL 1.1.0h. >>> There are no issues creating private keys, i...

...= file:/etc/dovecot/sieve/report-spam.sieve imapsieve_mailbox1_causes = COPY imapsieve_mailbox1_name = Junk imapsieve_mailbox2_before = file:/etc/dovecot/sieve/report-ham.sieve imapsieve_mailbox2_causes = COPY imapsieve_mailbox2_from = Junk imapsieve_mailbox2_name = INBOX mail_crypt_curve = secp521r1 mail_crypt_save_version = 0 mail_log_events = copy delete expunge flag_change mailbox_create mailbox_delete mailbox_rename undelete save mail_log_fields = uid box msgid size from subject mail_replica = tcps:mda1-1.example.com quota = count quota_clone_dict = proxy::quota quota_rule = *:bytes...

..."cite"> <div> I tested with openssl s_server -cert ec-cert.pem -key ec-key.pem -port 5555 </div> </blockquote> <blockquote type="cite"> <div> using cert generated with brainpool. Everything works if I use prime256v1 or secp521r1. This is a limitation in OpenSSL and not something we can really do anything about. </div> </blockquote> <blockquote type="cite"> <div> Aki Tuomi </div> <div> Open-Xchange Oy </div> </blockquote> &lt...

...less likely to be nefariously chosen. >> >> At least that's my understanding of the situation, which could be flawed. > > Oh, are those the ones with the NSA backdoor curve? > Allegedly they might. I use ecdsa certs on most of my websites, using secp384r1 I formerly used secp521r1 but suddenly Google with no warning stopped supporting it in chrome. That company is too powerful. The only other option (that has both browser and CA support) is prime256v1 Hopefully soon we will get a better option. I don't believe it is an issue with OpenSSH though.

...ps (len=10) >> ??? Type: supported_groups (10) >> ??? Length: 10 >> ??? Supported Groups List Length: 8 >> ??? Supported Groups (4 groups) >> ??????? Supported Group: x25519 (0x001d) >> ??????? Supported Group: secp256r1 (0x0017) >> ??????? Supported Group: secp521r1 (0x0019) >> ??????? Supported Group: secp384r1 (0x0018) >> >> Apparently [ brainpool ] would apparently not fit into any of those >> groups. Perhaps a bug in OpenSSL 1.1.0h thus. >> >> > Turned out not being a bug in OpenSSL after all. From the cli it works &g...

...ing following scenario: machine: debian 6 (x64) dovecot 2.0.15-0~auto+21 ((f6a2c0e8bc03) from http://xi.rename-it.nl/debian openssl 1.0.0e-2 from testing (as the default 0.9.8o-4squeeze3 needs also the parameter -cipher ECCdraft for testing) creating keys+cert for ecc (i.e. curves prime192v1, secp521r1) # openssl ecparam -name prime192v1 -genkey -out prime192v1.key # openssl req -new -key prime192v1.key -out prime192v1.csr # openssl req -x509 -in prime192v1.csr -key prime192v1.key -out prime192v1.crt testing these in 2 windows # openssl s_server -cert prime192v1.crt -key prime192v1.key -www #...

Hi everyone, I'm trying to configure my email server to encrypt mails on a per user basis. I have the following in my conf: mail_plugins = $mail_plugins mail_crypt mail_attribute_dict = file:%h/Mail/dovecot-attributes plugin { mail_crypt_curve = secp521r1 mail_crypt_save_version = 2 mail_crypt_require_encrypted_user_key = yes mail_crypt_private_password = %N{password} } And I'm getting %password unknown variable error. I use pam to store the passwords. All I want is to be able to hash the user password and use that to en...

...CATE----- > > > I did some local testing and it seems that you are using a curve that is not acceptable for openssl as a server key. I tested with openssl s_server -cert ec-cert.pem -key ec-key.pem -port 5555 using cert generated with brainpool. Everything works if I use prime256v1 or secp521r1. This is a limitation in OpenSSL and not something we can really do anything about. Aki Tuomi Open-Xchange Oy

...ve > ? imapsieve_mailbox1_causes = COPY > ? imapsieve_mailbox1_name = Junk > ? imapsieve_mailbox2_before = file:/etc/dovecot/sieve/report-ham.sieve > ? imapsieve_mailbox2_causes = COPY > ? imapsieve_mailbox2_from = Junk > ? imapsieve_mailbox2_name = INBOX > ? mail_crypt_curve = secp521r1 > ? mail_crypt_save_version = 0 > ? mail_log_events = copy delete expunge flag_change mailbox_create > mailbox_delete mailbox_rename undelete save > ? mail_log_fields = uid box msgid size from subject > ? mail_replica = tcps:mda1-1.example.com > ? quota = count > ? quota_clone...

...ders. As per the documentation @ https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/ I believe this would be all the configuration I need: # Config mail_attribute_dict = file:%h/Maildir/dovecot-attributes mail_plugins = $mail_plugins mail_crypt plugin { mail_crypt_curve = secp521r1 # or some other preferred curve mail_crypt_save_version = 2 mail_crypt_require_encrypted_user_key = yes # necessary for encrypting keys with user password } # File: /etc/dovecot/dovecot-sql.conf.ext password_query = SELECT \ email as user, password, \ '%w' AS userdb_m...

> I did some local testing and it seems that you are using a curve that is not acceptable for openssl as a server key. > > I tested with openssl s_server -cert ec-cert.pem -key ec-key.pem -port 5555 > > using cert generated with brainpool. Everything works if I use prime256v1 or secp521r1. This is a limitation in OpenSSL and not something we can really do anything about. > > Aki Tuomi > Open-Xchange Oy Which openssl version you are using? This end it is OpenSSL 1.1.0h. There are no issues creating private keys, issuing csr, signing certs with that particular curve. Printin...

...ves published by NIST. The new protocol in tinc 1.1 (SPTPS) uses ECDH and ECDSA to do session key exchange and authentication, in such a way that it has the perfect forward secrecy (PFS) property. For both the ephemeral keys used in ECDH and the long-lived keys used for ECDSA, tinc uses the "secp521r1" curve, as published by NIST. There are suspicions in the cryptographic community that the NSA has influenced the EC standards so they contain weaknesses that the NSA supposedly could exploit. There are two concerns I have heard of: 1) The Dual_EC_DRBG algorithm, which uses elliptic curve cry...

...ves published by NIST. The new protocol in tinc 1.1 (SPTPS) uses ECDH and ECDSA to do session key exchange and authentication, in such a way that it has the perfect forward secrecy (PFS) property. For both the ephemeral keys used in ECDH and the long-lived keys used for ECDSA, tinc uses the "secp521r1" curve, as published by NIST. There are suspicions in the cryptographic community that the NSA has influenced the EC standards so they contain weaknesses that the NSA supposedly could exploit. There are two concerns I have heard of: 1) The Dual_EC_DRBG algorithm, which uses elliptic curve cry...

...y dovecot with the following in a conf file: > >> > >> ============== > >> > >> mail_attribute_dict = file:%h/Maildir/dovecot-attributes > >> mail_plugins = $mail_plugins mail_crypt > >> plugin { > >> > >> mail_crypt_curve = secp521r1 > >> > >> mail_crypt_save_version = 2 > >> > >> } > >> > >> ============== > >> > >> This works nice, all emails are being encrypted and every user/folder has keys. > >> But as I understood from your conversation t...

Hello Alice, On Wed, 2016-10-19 at 14:22 -0700, Alice Wonder wrote: > I formerly used secp521r1 but suddenly Google with no warning stopped > supporting it in chrome. That company is too powerful. Actually this is something the NSA insists on: https://www.iad.gov/iad/customcf/openAttachment.cfm?FilePath=/iad/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/assets/publi...

...alling back to historical stages where my server only servers one TLS-curve: secp384r1 right now. One big reason to compile the new ersion with openssl1.1.0 was to bring CHACHA20-POLY1305 ciphers and X25519 curves to modern clients. The ciphers i am estimating are working fine, but X25519 and also secp521r1 ist now longer supported, like it was in dovecot 2.2.25. Is there something broken? Or a new (know missing) config feature? Or is it a bug ? Regards Torsten

...ms that you are using a curve >>> that is not acceptable for openssl as a server key. >>> I tested with openssl s_server -cert ec-cert.pem -key ec-key.pem >>> -port 5555 >>> using cert generated with brainpool. Everything works if I use >>> prime256v1 or secp521r1. This is a limitation in OpenSSL and not >>> something we can really do anything about. >>> Aki Tuomi >>> Open-Xchange Oy >> Which openssl version you are using? This end it is OpenSSL 1.1.0h. >> There are no issues creating private keys, issuing csr, signing...

...t; Extension: supported_groups (len=10) > ??? Type: supported_groups (10) > ??? Length: 10 > ??? Supported Groups List Length: 8 > ??? Supported Groups (4 groups) > ??????? Supported Group: x25519 (0x001d) > ??????? Supported Group: secp256r1 (0x0017) > ??????? Supported Group: secp521r1 (0x0019) > ??????? Supported Group: secp384r1 (0x0018) > > Apparently [ brainpool ] would apparently not fit into any of those > groups. Perhaps a bug in OpenSSL 1.1.0h thus. > > Turned out not being a bug in OpenSSL after all. From the cli it works with no issues this way: [ op...

...Type: supported_groups (10) >>> ??? Length: 10 >>> ??? Supported Groups List Length: 8 >>> ??? Supported Groups (4 groups) >>> ??????? Supported Group: x25519 (0x001d) >>> ??????? Supported Group: secp256r1 (0x0017) >>> ??????? Supported Group: secp521r1 (0x0019) >>> ??????? Supported Group: secp384r1 (0x0018) >>> >>> Apparently [ brainpool ] would apparently not fit into any of those >>> groups. Perhaps a bug in OpenSSL 1.1.0h thus. >>> >>> >> Turned out not being a bug in OpenSSL after a...

...il as user, password FROM virtual_users WHERE email='%u'; /Added this/ password_query = SELECT \ email as user, password, \ '%w' AS userdb_mail_crypt_private_password \ FROM virtual_users WHERE email='%u'; 90-plugin.conf /Updated this section/ plugin { mail_crypt_curve = secp521r1 mail_crypt_save_version = 2 /Have also tried all configurations this option set /#mail_crypt_require_encrypted_user_key = yes } /The user is in the mailserver SQL database:/ | user | password...