similar to: Support for ECDSA in OpenSSL?

I am asking this on behalf of the HIPL developers; http://infrahip.hiit.fi/ https://launchpad.net/hipl They have been working on getting their code consistant to the new libnetfilter architecture. Finally have Fedora 18 and 19 available, but have hit a stumbling block with Centos 6. They tell me they are not finding libnetfilter_queue. Here is their message to me: On 08/08/2013 02:03 PM,

I am switching the box that I did the HIPL rpm builds over to running from rpms built directly by the HIPL team (http://infrahip.hiit.fi/hipl/release/1.0.4/). I did the 'make uninstall' and then 'yum install hipl-all', but the hipl-firewall rpm did not install. Seems like I have a mess on my system with the various hipfw files. I 'manually' deleted a bunch of them

I am working with HIP for Linux: http://infrahip.hiit.fi/ We are looking to some major server support on currently Centos 6 cloud images. Problem is for other distros, hipl has moved on to libnetfilter_queue which is not supported in Centos 6. See: http://bugs.centos.org/view.php?id=6698 How can we get this as part of the standard install and maintained libs? thank you.

I followed the setup instructions from http://www.owlriver.com/tips/non-root/ (link from the Centos wiki). All this is done on another 'clean' system, so I have to read the terminal screen there and tell what went wrong here. I then followed my colleague's instructions to get the tar, untar, autogen, configure, and finally make rpm. Well it was that make rpm command that finally

Dear OpenSSH devs, I came accross this paper yesterday. http://eprint.iacr.org/2011/232 It states that they were able to recover ECDSA keys from TLS servers by using timing attacks agains OpenSSL's ECDSA implementation. Is that known to be exploitable by OpenSSH ? (In my understanding, it's easy to get a payload signed by ECDSA during the key exchange so my opinion is that it is).

https://bugzilla.mindrot.org/show_bug.cgi?id=1862 Summary: document ECDSA within the "-b" option of the ssh-keygen manpage Product: Portable OpenSSH Version: 5.8p1 Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component: Documentation

I've dovecot --version 2.3.10.1 (a3d0e1171) openssl version OpenSSL 1.1.1g FIPS 21 Apr 2020 , atm on Fedora32. I configure /etc/pki/tls/openssl.cnf to set preferences for apps' usage, e.g. Postfix etc; Typically, here cat /etc/pki/tls/openssl.cnf openssl_conf = default_conf [default_conf] ssl_conf = ssl_sect [ssl_sect] system_default = system_default_sect

Well I am working on building a kernel that will have the IPsec BEET mode patch available from infrahip.hiit.fi. I have some decent help, but really no one there is a seasoned Centos kernel builder (though they work with different FC kernels), and now they are mostly done for the day. I have been following the wiki on building a custom kernel, got my patch in ~/rpmbuild/SOURCES and away with

Hello. I am running OpenSSH 7.9p1 on my client and server. ssh-keyscan shows the server has ssh-rsa, ssh-ed25519, and ecdsa-sha2-nistp256 host keys. My /etc/ssh/ssh_known_hosts file contains the server's ssh-ed25519 host key. When I try to SSH to the server I get this error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!

Here you go: OpenSSH_7.9p1, OpenSSL 1.1.1d 10 Sep 2019 debug1: Reading configuration data /home/ryantm/.ssh/config debug1: /home/ryantm/.ssh/config line 4: Applying options for * debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 13: Applying options for * debug2: resolving "{REDACTED}" port 22 debug2: ssh_connect_direct debug1: Connecting to

Hi, I just tried to generate keys for tinc. /usr/sbin/tinc generate-keys When generating the key, the rsa key are generated. But ik get de following error, what does it means. Generating ECDSA keypair: Generating EC key failed: error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown groupError during key generation! Perry

I am looking for a remote console program that I can run over IPv6. I do not need it to supply its own security layer, as I will be running it over HIP (http://infrahip.hiit.fi/). I have discovered that VNCSERVER that comes with Centos does not support IPv6. I would have to pay for a copy of Enterprise VNC from RealVNC for IPv6. I am having strange font problems wiht tightVNC (which is

Hi to everybody, Can anybody tell me what packages I need to install Tinc 1.1pre2 in a server that it had installed a previous version installed? I tried to install it and when I execute the "make" it give me a lot of errors. Best regards, Ramses

In the past 24 hours multiple persons have contacted me regarding the use of elliptic curve cryptography in tinc 1.1 in light of the suspicion that the NSA might have weakened algorithms and/or elliptic curves published by NIST. The new protocol in tinc 1.1 (SPTPS) uses ECDH and ECDSA to do session key exchange and authentication, in such a way that it has the perfect forward secrecy (PFS)

In the past 24 hours multiple persons have contacted me regarding the use of elliptic curve cryptography in tinc 1.1 in light of the suspicion that the NSA might have weakened algorithms and/or elliptic curves published by NIST. The new protocol in tinc 1.1 (SPTPS) uses ECDH and ECDSA to do session key exchange and authentication, in such a way that it has the perfect forward secrecy (PFS)

Hello, For those who run tinc on Debian or Debian-based distributions like Ubuntu and Knoppix, be advised that the following security issue affects tinc as well: http://www.debian.org/security/2008/dsa-1571 In short, if you generated public/private keypairs for tinc between 2006 and May 7th of 2008 on a machine running Debian or a derivative, they may have been generated without a properly

Hello, For those who run tinc on Debian or Debian-based distributions like Ubuntu and Knoppix, be advised that the following security issue affects tinc as well: http://www.debian.org/security/2008/dsa-1571 In short, if you generated public/private keypairs for tinc between 2006 and May 7th of 2008 on a machine running Debian or a derivative, they may have been generated without a properly

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 This is a heads-up that OpenSSH keys are deprecated upstream by OpenSSH, and will be deprecated effective 11.0-RELEASE (and preceeding RCs). Please see r303716 for details on the relevant commit, but upstream no longer considers them secure. Please replace DSA keys with ECDSA or RSA keys as soon as possible, otherwise there will be issues when

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 This is a heads-up that OpenSSH keys are deprecated upstream by OpenSSH, and will be deprecated effective 11.0-RELEASE (and preceeding RCs). Please see r303716 for details on the relevant commit, but upstream no longer considers them secure. Please replace DSA keys with ECDSA or RSA keys as soon as possible, otherwise there will be issues when

I'm not sure if collision resistance is required for DH key derivation, but generally, SHA-1 is on its way out. If it's possible (if there's not a very large percentage of servers that do not support anything newer), it should be disabled.