[openssl-users] OpenSSL version 1.1.1 pre release 9 published

Hubert Kario hkario at redhat.com
Mon Aug 27 20:07:55 UTC 2018

On Monday, 27 August 2018 20:57:53 CEST Robert Moskowitz wrote:
> On 08/27/2018 02:33 PM, Hubert Kario wrote:
> > On Thursday, 23 August 2018 16:35:01 CEST Robert Moskowitz wrote:
> >> On 08/23/2018 09:00 AM, Tomas Mraz wrote:
> >>> On Wed, 2018-08-22 at 20:08 -0400, Robert Moskowitz wrote:
> >>>> On 08/22/2018 11:48 AM, Matt Caswell wrote:
> >>>>> On 22/08/18 00:53, Robert Moskowitz wrote:
> >>>>>> On 08/21/2018 06:31 PM, Matt Caswell wrote:
> >>>>>>> On 21/08/18 16:24, Robert Moskowitz wrote:
> >>>>>>>> Thanks!
> >>>>>>>> 
> >>>>>>>> Once Fedora beta picks this up, I will run my scripts against
> >>>>>>>> it and see
> >>>>>>>> if all cases of hash with ED25519 are fixed.
> >>>>>>> 
> >>>>>>> Unfortunately the command line usability changes for this
> >>>>>>> didn't make it
> >>>>>>> into the beta. They should still be in the final release.
> >>>>>> 
> >>>>>> Sigh.  That means you will get it right.  Right?  :)
> >>>>>> 
> >>>>>> Change seems simple enough.
> >>>>> 
> >>>>> The relevant change has now been merged to master.
> >>>> 
> >>>> Fedora had already built pre9.1.  But on the off chance, I will look
> >>>> at
> >>>> it with tomorrow's build.
> >>> 
> >>> I'm sorry but no, I am not updating Fedora with current git tree
> >>> checkout. You'll have to wait for the next prerelease or the final
> >>> version if there are no further prereleases.
> >> 
> >> Tomas,
> >> 
> >> Thanks for responding here.
> >> 
> >> I have been preparing an Internet Draft on how to build an ED25519 pki.
> >> I know have the choice of:
> >> 
> >> building my own 1.1.1 pre9 for testing.
> >> Wait to push the draft out until 1.1.1 is fully released.
> >> Fudge the draft by adding yet another caveat (yes there is a caveat
> >> section that I developed in creating the ECDSA pki draft) that the
> >> commands are for how it is suppose to work in production 1.1.1, not what
> >> I had to do in the prerelease.
> >> 
> >> Decisions decisions.  Thing is I want the draft out so I can push for
> >> EDDSA support in IEEE 802.1AR with the next meeting early Sept.
> > 
> > I'm not sure if providing command line examples for one particular tool
> > are a good idea...
> > 
> > Example certificates, sure, but not commands to generate them...
> "We can't test out the security part of the protocol because we cannot
> get certificates"
> "We ran our tests with security disable because we could not afford the
> cost and time for a test pki."
> "We did test with RSA certificates from vendor A." (and they were using
> old libs that would not support ecdsa, but marketed it as such.)"
> Over the years and in protocol design development, I have heard too many
> we can't.  So I set about with, "here is one way."  Since then I have
> had a few people actually thank me for making it possible for them to
> build an ecdsa pki for their product testing needs.  Just one justifies
> my effort.

well, I see nothing wrong with providing documentation and how-to's, I just 
don't see that it should be elevated to an Internet Draft level...

by its very nature it needs to be constantly updated, so having it in a static 
RFC is contrary to that

now, for generating testing certificates (and what's more important, the whole 
PKI) we are using this script to provide sensible defaults and easy way to 
generate certificates with just few options departing from those defaults:

to get a PKI you run those commands:
source certgen/lib.sh
x509KeyGen ca
x509KeyGen server
x509SelfSign ca
x509CertSign --CA ca server

The private key file will be printed by use of:
x509Key server
to get certificate file name you run:
x509Cert server

(easy switches are also provided to get DER files or PKCS#12 files instead of 
the default PEM format)

to get ecdsa certificate, you just need to change one of the above lines
with x509KeyGen to have `-t ecdsa` specified. Want RSA-PSS certificate? do `-t 

See runtest.sh for other examples.

It is compatible with all versions of openssl since RHEL-4 (so 0.9.7), if a 
given feature is supported in that version of openssl.

(while ed25519 support is not yet there, it will be in few weeks, I was 
running just basic tests of it, without involving full PKI)
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180827/06db1dd0/attachment-0001.sig>

More information about the openssl-users mailing list