search for: subjectaltname

Displaying 20 results from an estimated 25 matches for "subjectaltname".

2012 Mar 20
1
ssl_cert_username_field and subjectAltName?
Hello, Does dovecot support the subject Alternative Name email value [1] as ssl_cert_username_field? If so, how should it be specified in the configuration? Thanks. [1] http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_ -- Nicolas
2011 Dec 01
3
Announce: Puppet 2.7.8rc1 available
...hat was being previewed in the 2.7.7rc series as well as some new content. Key highlight in this release (beyond items from 2.7.7rc series) are: * Allow providers to be selected in the run they become suitable * Showdiff is now not auto-enabled when running in noop mode * Provide default subjectAltNames while bootstrapping master (defaulting to puppet and puppet.<domain>) * Allow optional trailing comma in argument lists. * Output 4-digit file modes in File type Release Notes for 2.7.8 series -- https://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes This release is av...
2011 Oct 24
0
Announce: Puppet 2.6.12 Available [security update]
...08a6 (#2848) Rework the xmlrpc CA handler to use the modern SSL code 32be180 (#2848) Remove unused xmlrpc code 5f2a44d (#2848) Consistent return values from `subject_alt_names` accessors. 5e507f2 (#2848) Consistently use `subject_alt_names` as accessor name. 5ac2417 (#2848) Don't strip the subjectAltName label when listing. 44cf3a2 (#2848) Don't enable `emailProtection` for server keys. d66def9 (#2848) Only mark `subjectAltName` critical if `subject` is empty. 8174047 (#2848) Migrate `dns-alt-names` back to settings. f18df2b Wire up the `setbycli` slot in Puppet settings. efa61f2 (#2848) r...
2011 Oct 24
3
Important Security Announcement: AltNames Vulnerability [new version of puppet]
We have discovered a security vulnerability (“AltNames Vulnerability”) whereby a malicious attacker can impersonate the Puppet master using credentials from a Puppet agent node. This vulnerability cannot cross Puppet deployments, but it can allow an attacker with elevated privileges on one Puppet-managed node to gain control of any other Puppet-managed node within the same infrastructure. All
2007 Oct 10
17
Warning for Fedora Core users
Fedora Core 7 has just updated their Ruby package (was 1.8.6.36-3.fc7, is now 1.8.6.110-3.fc7), and the upgrade broke my Puppet installation, and there was a similar report from someone else. Communications between the puppetmasterd and the puppetd running on the same host broke down with the message: Could not retrieve configuration: Certificates were not trusted: hostname not match with
2012 Apr 09
1
Username from rfc822Name subject alternative name
Hello, I'm looking into adding support for extracting the username from client certificate's rfc822Name (from the subjectAltName extension). The question I have is what would be the best approach to do this? Current implementation has a kind of clean code since it just goes through the subject name, extracting the values with X509_NAME_get_text_by_NID (while NID is obtained with OBJ_txt2nid). If I were to add this, it...
2002 Jan 31
7
x509 for hostkeys.
...d certify your hostkey: $ cat << 'EOF' > x509v3.cnf CERTPATHLEN = 1 CERTUSAGE = digitalSignature,keyCertSign CERTIP = 0.0.0.0 [x509v3_CA] basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN keyUsage=$ENV::CERTUSAGE [x509v3_IPAddr] subjectAltName=IP:$ENV::CERTIP [x509v3_DNSName] subjectAltName=DNS:$ENV::CERTDNS EOF $ CERTDNS=myipaddr; export CERTDNS $ openssl req -new -key /etc/ssh_host_rsa_key -out HOSTKEY.csr $ openssl x509 -req -days 365 -in HOSTKEY.csr -CA ca.crt \ -CAkey ca.key -CAcreateserial \ -extfile x509v3.cnf -extensions x509v...
2014 Feb 28
1
Set a domain name instead of an ip address into tls certificate
I tried to set cn=myMachine instead of cn=192.168.1.x and...everything freezes! virsh -c qemu://.../system tries to connect forever. You really need static ip addresses in the cn field?? I think this is a HUGE bug: you are saying to me that each time I change network or ip (because, dear sirs, dhcp exists) I have to generate a whole new couple of certificates?? I hope it is not the case....
2023 Mar 05
1
icecast https stream and Sonos
...ity window before it expires. You need to present Sonos with unexpired certificates. * DNS name mismatch: Your certificate must match the DNS name used in the Sonos service catalog. If the URL in the Sonos service catalog is https://stremingservice.example.com/svc, then your certificate must have a subjectAltName or a Common Name matching streamingservice.example.com. Any mismatches will cause an outage. For example, this may occur if you introduce a Content Delivery Network (CDN) into your setup as this may affect the DNS names and certificates involved. * Missing intermediate CA cert: Most certificate aut...
2017 Oct 12
1
SSL overview...
...ot and can this be different than the actual unix hostname? Ethon B. > On Oct 11, 2017, at 11:04 PM, Anvar Kuchkartaev <anvar at anvartay.com> wrote: > > If you are using different hostname for each server then you need different certificates or SAN certificate with corresponding subjectAltName extensions. Certificates verify hostname so if your hostnames are different then you have to use different certificates. However it is more useful if you keep your server hostname and service hostname separately. Your server hostnames might be mx1.mydomain, mx2.mydomain but you can use imap.mydom...
2017 Oct 12
2
SSL overview...
Can someone help me understand the overall picture of SSL certificates in this scenario? I have a working dovecot/postfix/mysql server. It has a certificate. I now want to create a second, essentially duplicate configured server for use with replication. What is the relationship between the certificate and the hostname, or the DNS entry since the certs are created using the server's domain
2020 Jan 22
1
Memory error in the libcurl connection code
...ons: * CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 * ALPN, server accepted to use h2 * Server certificate: * subject: CN=cran.rstudio.com * start date: Jul 24 00:00:00 2019 GMT * expire date: Aug 24 12:00:00 2020 GMT * subjectAltName: host "cran.rstudio.com" matched cert's "cran.rstudio.com" * issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon * SSL certificate verify ok. * Using HTTP2, server supports multi-use * Connection state changed (HTTP/2 confirmed) * Copying HTTP/2 data in stream buffer to con...
2019 Mar 14
5
regarding ssl certificates
Excuse dopey question. I'm not exactly clear about certificates. Apache2 default install has this snake oil certificate Can make a new one for apache Can make one for dovecot Can make one for ssl Is there supposed to be the one (self signed ) certificate pair in one place for the machine that each process hands out ? Can they be moved to another machine ? mick -- Key ID C7D6E24C
2017 Oct 12
0
SSL overview...
If you are using different hostname for each server then you need different certificates or SAN certificate with corresponding subjectAltName extensions. Certificates verify hostname so if your hostnames are different then you have to use different certificates. However it is more useful if you keep your server hostname and service hostname separately. Your server hostnames might be mx1.mydomain, mx2.mydomain but you can use imap.mydom...
2007 Nov 25
2
2007-006 Ruby SSL Update on Debian
Hi *! Just a heads up. The recent issues with the Ruby SSL Security Fix are now available on Debian too. I've updated the infos on http://reductivelabs.com/trac/puppet/wiki/RubySSL-2007-006 Summary: DSA 1410-1 and DSA 1411-1 updating ruby1.8 to 1.8.5-4etch1 cause puppet to fail, if the puppetmaster has no certificate matching the value of the client's "server"
2011 Dec 28
1
Ubuntu 11.10 EC2 Instance : Hostname Mismatch Issue
Hi All, I'm trying to configure puppetmaster and puppet clients using Ubuntu 11.10 EC2 Instances (ami-a562a9cc). I have enabled automatic certificate signing. But whenever I issue command from puppet client : *#puppet agent --server puppet --waitforcert 60 --test Certificates get signed but it throws an error and does not run catalog file. Error Message : err: Could not retrieve
2016 Jun 14
1
Need help with upssched
...3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 * Server certificate: * subject: CN=*.free-mobile.fr * start date: 2016-05-24 00:00:00 GMT * expire date: 2018-06-23 23:59:59 GMT * subjectAltName: smsapi.free-mobile.fr matched * issuer: C=US; O=GeoTrust Inc.; CN=RapidSSL SHA256 CA * SSL certificate verify ok. > GET /sendmsg?user=195xxxxxx&pass=jeXXUxxxxxxxxx&msg=Coupure%20electrique HTTP/1.1 > User-Agent: curl/7.38.0 > Host: smsapi.free-mobile.fr > Accept:...
2006 Mar 19
5
multiple signed ssl certificates on single IP address
Good afternoon everyone, This is my first post here. I was wondering if someone could clear my mind about this. I have a dedicated server with a single ip address assigned to it. I want to host a couple of sites which are hosted somewhere else and they have signed certificates. Now I want to host them all on this single server. Is it possible to bind more than one cert to a single IP based
2007 Dec 08
6
Creating certificates with puppetca with puppet.example.com as CommonName
...tes with a CommonName different from the server's real hostname. The Puppet clients quite correctly complain about hostname mismatch. A number of better and worse solutions have been suggested for this problem, especially in ticket #896. IMHO, there are two good solutions: Make puppet support SubjectAltName (there are patches for this in git, it seems), and/or instruct puppetca to use a different CN than the server's hostname. The last solution would be great - I'm even tempted to suggest that puppetca's default CN should be puppet.example.com, since that's the default server hostname...
2006 May 15
2
Slightly OT: SSL certs - best practice?
Hi all, This question may be slightly OT for this list, but it does concern securing services on my FreeBSD servers :-) At the moment I have some existing (self-signed) SSL certs for Dovecot, Exim and Apache. It's mostly only me that uses them for now, but I'm planning on expanding that, so want to try and do things "right". My