Displaying 20 results from an estimated 26 matches for "subjectaltnames".

2012 Mar 20
1
ssl_cert_username_field and subjectAltName?
Hello, Does dovecot support the subject Alternative Name email value [1] as ssl_cert_username_field? If so, how should it be specified in the configuration? Thanks. [1] http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_ -- Nicolas
2011 Dec 01
3
Announce: Puppet 2.7.8rc1 available
...hat was being previewed in the 2.7.7rc series as well as some new content. Key highlight in this release (beyond items from 2.7.7rc series) are: * Allow providers to be selected in the run they become suitable * Showdiff is now not auto-enabled when running in noop mode * Provide default subjectAltNames while bootstrapping master (defaulting to puppet and puppet.<domain>) * Allow optional trailing comma in argument lists. * Output 4-digit file modes in File type Release Notes for 2.7.8 series -- https://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes This release is ava...
2011 Oct 24
0
Announce: Puppet 2.6.12 Available [security update]
...lt-names` back to settings. f18df2b Wire up the `setbycli` slot in Puppet settings. efa61f2 (#2848) rename subject-alt-name option to dns-alt-names f103b20 (#2848) Rename `certdnsnames` to match new behaviour. 363b47b (#2848) Use `certdnsnames` when bootstrapping a local master. 49334ff (#2848) CSR subjectAltNames handling while signing. 5f2af93 (#2848) List subject alt names in output of puppet cert --list bb475ec (#7224) Add a helper to Puppet::SSL::Certificate to retrieve alternate names bab9310 (#2848) Rewrite SSL Certificate Factory, fixing `subjectAltName` leak. fca1ff0 (#2848) Reject unknown (== all)...
2011 Oct 24
3
Important Security Announcement: AltNames Vulnerability [new version of puppet]
We have discovered a security vulnerability (“AltNames Vulnerability”) whereby a malicious attacker can impersonate the Puppet master using credentials from a Puppet agent node. This vulnerability cannot cross Puppet deployments, but it can allow an attacker with elevated privileges on one Puppet-managed node to gain control of any other Puppet-managed node within the same infrastructure. All
2007 Oct 10
17
Warning for Fedora Core users
Fedora Core 7 has just updated their Ruby package (was 1.8.6.36-3.fc7, is now 1.8.6.110-3.fc7), and the upgrade broke my Puppet installation, and there was a similar report from someone else. Communications between the puppetmasterd and the puppetd running on the same host broke down with the message: Could not retrieve configuration: Certificates were not trusted: hostname not match with
2012 Apr 09
1
Username from rfc822Name subject alternative name
Hello, I'm looking into adding support for extracting the username from client certificate's rfc822Name (from the subjectAltName extension). The question I have is what would be the best approach to do this? Current implementation has a kind of clean code since it just goes through the subject name, extracting the values with X509_NAME_get_text_by_NID (while NID is obtained with
2002 Jan 31
7
x509 for hostkeys.
This (very quick) patch allows you to connect with the commercial ssh.com windows client and use x509 certs for hostkeys. You have to import your CA cert (ca.crt) in the windows client and certify your hostkey: $ cat << 'EOF' > x509v3.cnf CERTPATHLEN = 1 CERTUSAGE = digitalSignature,keyCertSign CERTIP = 0.0.0.0 [x509v3_CA]
2014 Feb 28
1
Set a domain name instead of an ip address into tls certificate
I tried to set cn=myMachine instead of cn=192.168.1.x and...everything freezes! virsh -c qemu://.../system tries to connect forever. You really need static ip addresses in the cn field?? I think this is a HUGE bug: you are saying to me that each time I change network or ip (because, dear sirs, dhcp exists) I have to generate a whole new couple of certificates?? I hope it is not the case....
2023 Mar 05
2
icecast https stream and Sonos
Johan, the Sonos information here is spot on. You are missing the intermediate certs. While your stream will work fine in common browsers where the certificates are already available, they won't necessarily work in other places. Once you concatenate the right certificates in, DigiCert has an online tool you can use to check that you have it correct: https://www.digicert.com/help/ If you
2023 Mar 05
1
icecast https stream and Sonos
My icecast https stream (https://vertenradio.com:8443/stream) does not work on a Sonos ONE player. It might have something to do with the ssl handshake. From the developer page from Sonos I found this: Some common reasons for SSL handshake failures include: * Expired certificate: Every certificate has a validity window before it expires. You need to present Sonos with unexpired
2017 Oct 12
1
SSL overview...
I thought I read somewhere that the hostnames on replicated dovecot servers had to be different. Is this simply the hostname you specify in the config for dovecot and can this be different than the actual unix hostname? Ethon B. > On Oct 11, 2017, at 11:04 PM, Anvar Kuchkartaev <anvar at anvartay.com> wrote: > > If you are using different hostname for each server then you need
2017 Oct 12
2
SSL overview...
Can someone help me understand the overall picture of SSL certificates in this scenario? I have a working dovecot/postfix/mysql server. It has a certificate. I now want to create a second, essentially duplicate configured server for use with replication. What is the relationship between the certificate and the hostname, or the DNS entry since the certs are created using the server's domain
2020 Jan 22
1
Memory error in the libcurl connection code
Hi All, I think there is a memory error in the libcurl connection code that typically happens when libcurl reads big chunks of data. This potentially affects all code that use url() with the libcurl download method, which is the default in most builds. In practice it tends to happen more with HTTP/2 and if the connection is wrapped into a gzcon(). macOS Catalina has a libcurl build with HTTP/2
2019 Mar 14
5
regarding ssl certificates
Excuse dopey question. I'm not exactly clear about certificates. Apache2 default install has this snake oil certificate Can make a new one for apache Can make one for dovecot Can make one for ssl Is there supposed to be the one (self signed ) certificate pair in one place for the machine that each process hands out ? Can they be moved to another machine ? mick -- Key ID C7D6E24C
2017 Oct 12
0
SSL overview...
If you are using different hostname for each server then you need different certificates or SAN certificate with corresponding subjectAltName extensions. Certificates verify hostname so if your hostnames are different then you have to use different certificates. However it is more useful if you keep your server hostname and service hostname separately. Your server hostnames might be
2007 Nov 25
2
2007-006 Ruby SSL Update on Debian
Hi *! Just a heads up. The recent issues with the Ruby SSL Security Fix are now available on Debian too. I've updated the infos on http://reductivelabs.com/trac/puppet/wiki/RubySSL-2007-006 Summary: DSA 1410-1 and DSA 1411-1 updating ruby1.8 to 1.8.5-4etch1 cause puppet to fail, if the puppetmaster has no certificate matching the value of the client's "server"
2011 Dec 28
1
Ubuntu 11.10 EC2 Instance : Hostname Mismatch Issue
Hi All, I'm trying to configure puppetmaster and puppet clients using Ubuntu 11.10 EC2 Instances (ami-a562a9cc). I have enabled automatic certificate signing. But whenever I issue command from puppet client : *#puppet agent --server puppet --waitforcert 60 --test Certificates get signed but it throws an error and does not run catalog file. Error Message : err: Could not retrieve
2016 Jun 14
1
Need help with upssched
Sorry, but when I reply to the list it's been moderated and there's no answer. My last message doesn't even appear on http://lists.alioth.debian.org/pipermail/nut-upsuser/2016-June/010182.html The command line works fine and it gave: * Hostname was NOT found in DNS cache * Trying 212.27.40.200... * Connected to smsapi.free-mobile.fr (212.27.40.200) port 443 (#0) * successfully set certificate
2006 Mar 19
5
multiple signed ssl certificates on single IP address
Good afternoon everyone, This is my first post here. I was wondering if someone could clear my mind about this. I have a dedicated server with a single ip address assigned to it. I want to host a couple of sites which are hosted somewhere else and they have signed certificates. Now I want to host them all on this single server. Is it possible to bind more than one cert to a single IP based
2007 Dec 08
6
Creating certificates with puppetca with puppet.example.com as CommonName
Greetings! As you undoubtedly know, the fixes for CVE 2007-5162 in ruby break installations where puppetca has created certificates with a CommonName different from the server's real hostname. The Puppet clients quite correctly complain about hostname mismatch. A number of better and worse solutions have been suggested for this problem, especially in ticket #896. IMHO, there are two good