Displaying 20 results from an estimated 43 matches for "secp521r1".
2018 Jul 30
2
2.3.2.1 - EC keys support?
...g a curve
>>>> that is not acceptable for openssl as a server key.
>>>> I tested with openssl s_server -cert ec-cert.pem -key ec-key.pem
>>>> -port 5555
>>>> using cert generated with brainpool. Everything works if I use
>>>> prime256v1 or secp521r1. This is a limitation in OpenSSL and not
>>>> something we can really do anything about.
>>>> Aki Tuomi
>>>> Open-Xchange Oy
>>> Which openssl version you are using? This end it is OpenSSL 1.1.0h.
>>> There are no issues creating private keys, i...
2019 Oct 11
2
Panic: file smtp-client-connection.c: line 1212 (smtp_client_connection_established): assertion failed: (!conn->connect_succeeded)
...= file:/etc/dovecot/sieve/report-spam.sieve
imapsieve_mailbox1_causes = COPY
imapsieve_mailbox1_name = Junk
imapsieve_mailbox2_before = file:/etc/dovecot/sieve/report-ham.sieve
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_from = Junk
imapsieve_mailbox2_name = INBOX
mail_crypt_curve = secp521r1
mail_crypt_save_version = 0
mail_log_events = copy delete expunge flag_change mailbox_create mailbox_delete mailbox_rename undelete save
mail_log_fields = uid box msgid size from subject
mail_replica = tcps:mda1-1.example.com
quota = count
quota_clone_dict = proxy::quota
quota_rule = *:bytes...
2018 Jul 30
2
2.3.2.1 - EC keys support?
...
> I tested with openssl s_server -cert ec-cert.pem -key ec-key.pem -port 5555
>
> using cert generated with brainpool. Everything works if I use prime256v1 or secp521r1. This is a limitation in OpenSSL and not something we can really do anything about.
>
> Aki Tuomi
> Open-Xchange Oy
...
2016 Oct 19
2
SSH Weak Ciphers
...less likely to be nefariously chosen.
>>
>> At least that's my understanding of the situation, which could be flawed.
>
> Oh, are those the ones with the NSA backdoor curve?
>
Allegedly they might.
I use ecdsa certs on most of my websites, using secp384r1
I formerly used secp521r1 but suddenly Google with no warning stopped
supporting it in chrome. That company is too powerful.
The only other option (that has both browser and CA support) is prime256v1
Hopefully soon we will get a better option.
I don't believe it is an issue with OpenSSH though.
2018 Jul 31
2
2.3.2.1 - EC keys support?
...ps (len=10)
>>     Type: supported_groups (10)
>>     Length: 10
>>     Supported Groups List Length: 8
>>     Supported Groups (4 groups)
>>         Supported Group: x25519 (0x001d)
>>         Supported Group: secp256r1 (0x0017)
>>         Supported Group: secp521r1 (0x0019)
>>         Supported Group: secp384r1 (0x0018)
>>
>> Apparently [ brainpool ] would apparently not fit into any of those
>> groups. Perhaps a bug in OpenSSL 1.1.0h thus.
>>
>>
> Turned out not being a bug in OpenSSL after all. From the cli it works
&g...
2011 Oct 09
1
using ecc-certificates (elliptic curve) will not establish connection
...ing following scenario:
machine:
debian 6 (x64)
dovecot 2.0.15-0~auto+21 ((f6a2c0e8bc03) from http://xi.rename-it.nl/debian
openssl 1.0.0e-2 from testing (as the default 0.9.8o-4squeeze3 needs also the parameter -cipher ECCdraft for testing)
creating keys+cert for ecc (i.e. curves prime192v1, secp521r1)
# openssl ecparam -name prime192v1 -genkey -out prime192v1.key
# openssl req -new -key prime192v1.key -out prime192v1.csr
# openssl req -x509 -in prime192v1.csr -key prime192v1.key -out prime192v1.crt
testing these in 2 windows
# openssl s_server -cert prime192v1.crt -key prime192v1.key -www
#...
2023 Feb 27
1
Auth variables unknown variable -- about to go crazy
Hi everyone,
I'm trying to configure my email server to encrypt mails on a per user
basis. I have the following in my conf:
mail_plugins = $mail_plugins mail_crypt
mail_attribute_dict = file:%h/Mail/dovecot-attributes
plugin {
mail_crypt_curve = secp521r1
mail_crypt_save_version = 2
mail_crypt_require_encrypted_user_key = yes
mail_crypt_private_password = %N{password}
}
And I'm getting %password unknown variable error. I use pam to store the
passwords. All I want is to be able to hash the user password and use
that to en...
2018 Jul 30
3
2.3.2.1 - EC keys support?
...CATE-----
>
>
>
I did some local testing and it seems that you are using a curve that is not acceptable for openssl as a server key.
I tested with openssl s_server -cert ec-cert.pem -key ec-key.pem -port 5555
using cert generated with brainpool. Everything works if I use prime256v1 or secp521r1. This is a limitation in OpenSSL and not something we can really do anything about.
Aki Tuomi
Open-Xchange Oy
2019 Oct 14
0
Panic: file smtp-client-connection.c: line 1212 (smtp_client_connection_established): assertion failed: (!conn->connect_succeeded)
...ve
>   imapsieve_mailbox1_causes = COPY
>   imapsieve_mailbox1_name = Junk
>   imapsieve_mailbox2_before = file:/etc/dovecot/sieve/report-ham.sieve
>   imapsieve_mailbox2_causes = COPY
>   imapsieve_mailbox2_from = Junk
>   imapsieve_mailbox2_name = INBOX
>   mail_crypt_curve = secp521r1
>   mail_crypt_save_version = 0
>   mail_log_events = copy delete expunge flag_change mailbox_create
> mailbox_delete mailbox_rename undelete save
>   mail_log_fields = uid box msgid size from subject
>   mail_replica = tcps:mda1-1.example.com
>   quota = count
>   quota_clone...
2023 Feb 23
1
Setting up the mail-crypt plugin with virtual accounts that have no home directories
...ders.
As per the documentation @ https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/ I believe this would be all the configuration I need:
# Config
mail_attribute_dict = file:%h/Maildir/dovecot-attributes
mail_plugins = $mail_plugins mail_crypt
plugin {
mail_crypt_curve = secp521r1 # or some other preferred curve
mail_crypt_save_version = 2
mail_crypt_require_encrypted_user_key = yes # necessary for encrypting keys with user password
}
# File: /etc/dovecot/dovecot-sql.conf.ext
password_query = SELECT \
email as user, password, \
'%w' AS userdb_m...
2018 Jul 30
0
2.3.2.1 - EC keys support?
> I did some local testing and it seems that you are using a curve that is not acceptable for openssl as a server key.
>
> I tested with openssl s_server -cert ec-cert.pem -key ec-key.pem -port 5555
>
> using cert generated with brainpool. Everything works if I use prime256v1 or secp521r1. This is a limitation in OpenSSL and not something we can really do anything about.
>
> Aki Tuomi
> Open-Xchange Oy
Which openssl version you are using? This end it is OpenSSL 1.1.0h.
There are no issues creating private keys, issuing csr, signing certs
with that particular curve. Printin...
2013 Sep 14
4
Elliptic curves in tinc
...ves published by NIST.
The new protocol in tinc 1.1 (SPTPS) uses ECDH and ECDSA to do session key
exchange and authentication, in such a way that it has the perfect forward
secrecy (PFS) property. For both the ephemeral keys used in ECDH and the
long-lived keys used for ECDSA, tinc uses the "secp521r1" curve, as published
by NIST. There are suspicions in the cryptographic community that the NSA has
influenced the EC standards so they contain weaknesses that the NSA supposedly
could exploit. There are two concerns I have heard of:
1) The Dual_EC_DRBG algorithm, which uses elliptic curve cry...
2018 May 20
0
Best mail encryption solution for per-user
...y dovecot with the following in a conf file:
> >>
> >> ==============
> >>
> >> mail_attribute_dict = file:%h/Maildir/dovecot-attributes
> >> mail_plugins = $mail_plugins mail_crypt
> >> plugin {
> >>
> >> mail_crypt_curve = secp521r1
> >>
> >> mail_crypt_save_version = 2
> >>
> >> }
> >>
> >> ==============
> >>
> >> This works nice, all emails are being encrypted and every user/folder has keys.
> >> But as I understood from your conversation t...
2016 Oct 20
0
SSH Weak Ciphers
Hello Alice,
On Wed, 2016-10-19 at 14:22 -0700, Alice Wonder wrote:
> I formerly used secp521r1 but suddenly Google with no warning stopped
> supporting it in chrome. That company is too powerful.
Actually this is something the NSA insists on:
https://www.iad.gov/iad/customcf/openAttachment.cfm?FilePath=/iad/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/assets/publi...
2017 Jan 13
0
TLS feature missing
...alling back to
historical stages where my server only serves one TLS-curve: secp384r1
right now.
One big reason to compile the new version with openssl1.1.0
was to bring CHACHA20-POLY1305 ciphers and X25519 curves to modern clients.
The ciphers I am estimating are working fine, but X25519 and also
secp521r1 is no longer supported, like it was in dovecot 2.2.25.
Is there something broken?
Or a new (known missing) config feature?
Or is it a bug?
Regards Torsten
2018 Jul 30
0
2.3.2.1 - EC keys support?
...ms that you are using a curve
>>> that is not acceptable for openssl as a server key.
>>> I tested with openssl s_server -cert ec-cert.pem -key ec-key.pem
>>> -port 5555
>>> using cert generated with brainpool. Everything works if I use
>>> prime256v1 or secp521r1. This is a limitation in OpenSSL and not
>>> something we can really do anything about.
>>> Aki Tuomi
>>> Open-Xchange Oy
>> Which openssl version you are using? This end it is OpenSSL 1.1.0h.
>> There are no issues creating private keys, issuing csr, signing...
2018 Jul 31
0
2.3.2.1 - EC keys support?
...t; Extension: supported_groups (len=10)
>     Type: supported_groups (10)
>     Length: 10
>     Supported Groups List Length: 8
>     Supported Groups (4 groups)
>         Supported Group: x25519 (0x001d)
>         Supported Group: secp256r1 (0x0017)
>         Supported Group: secp521r1 (0x0019)
>         Supported Group: secp384r1 (0x0018)
>
> Apparently [ brainpool ] would apparently not fit into any of those
> groups. Perhaps a bug in OpenSSL 1.1.0h thus.
>
>
Turned out not being a bug in OpenSSL after all. From the cli it works
with no issues this way:
[ op...
2018 Jul 31
0
2.3.2.1 - EC keys support?
...Type: supported_groups (10)
>>>     Length: 10
>>>     Supported Groups List Length: 8
>>>     Supported Groups (4 groups)
>>>         Supported Group: x25519 (0x001d)
>>>         Supported Group: secp256r1 (0x0017)
>>>         Supported Group: secp521r1 (0x0019)
>>>         Supported Group: secp384r1 (0x0018)
>>>
>>> Apparently [ brainpool ] would apparently not fit into any of those
>>> groups. Perhaps a bug in OpenSSL 1.1.0h thus.
>>>
>>>
>> Turned out not being a bug in OpenSSL after a...
2019 Aug 22
0
Trying to install Mailcrypt, receive completely blank emails
...il as user, password FROM
virtual_users WHERE email='%u';
/Added this/
password_query = SELECT \
email as user, password, \
'%w' AS userdb_mail_crypt_private_password \
FROM virtual_users WHERE email='%u';
90-plugin.conf
/Updated this section/
plugin {
mail_crypt_curve = secp521r1
mail_crypt_save_version = 2
/Have also tried all configurations this option set
/#mail_crypt_require_encrypted_user_key = yes
}
/The user is in the mailserver SQL database:/
| user | password...