Subject: A better approach to security
- From: Daniel Black <daniel AT cacert.org>
- To: CAcert System Administrators <cacert-sysadm AT lists.cacert.org>, cacert-policy AT lists.cacert.org, cacert AT lists.cacert.org
- Subject: testing sha512,384,256,224 keys/certs in support of cacert's new roots
- Date: Tue, 30 Mar 2010 00:27:57 +1100
- Authentication-results: lists.cacert.org; dkim=pass (1024-bit key) header.i= AT cacert.org; dkim-asp=none
- Organization: CAcert
All,
It was questioned here about the feasibility of sha2 in our new roots
especially with regard to apache's httpd support.
It seems supporting a higher version than sha1 would be good if we can.
https://lists.cacert.org/wws/arc/cacert-root/2010-03/msg00018.html
It was working for a fairly recent apache httpd version (2.2.14). I'd like
you to test in as many applications as you can.
Brief instructions:
SSLCertificateFile eec.pem
SSLCertificateKeyFile eeckey.pem
SSLCACertificatePath roots/
put *root*.pem into /roots and run c_rehash roots/
ssl/tls verification can be performed with:
openssl s_client -connect localhost:443 -showcerts -verify 3 -CApath roots/
eec.pem is an end entity certificate with client, server and codesigning
enabled.
It is issued off subroot1 which is issued off root.
Here's a list of roots/end user certs for sha{224,256,384,512}withRSA roots,
keys certs. This url needs a CAcert client certificate to retrieve.
https://lists.cacert.org/wws/d_read/cacert-root/cacerttestroots.zip
Please play around and report back to the cacert-sysadm AT lists.cacert.org
what works and doesn't.
Email me if you have troubles.
--
Daniel Black
CAcert
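
Added example, not part of the original mail and not CAcert's own test material: a shell function that rebuilds the root -> subroot1 -> eec layout described above for one SHA-2 digest and checks offline that the local OpenSSL build accepts the chain. It assumes the openssl command line tool is on the PATH; the subject names, the 2048-bit RSA keys and the t.cnf file are constructed for the example, and `openssl verify` stands in for the live httpd plus s_client check.

```shell
#!/bin/sh
# Build a throwaway root -> subroot1 -> eec chain signed with one digest and
# verify it. Everything is generated in a temp dir; all names are constructed.
try_digest() {   # $1 = sha224|sha256|sha384|sha512; returns 0 if the chain verifies
  d=$1
  w=$(mktemp -d) || return 2
  (
    cd "$w" || exit 2
    cat > t.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ee]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth,serverAuth,codeSigning
EOF
    newkey="-newkey rsa:2048 -nodes -config t.cnf"
    # Self-signed test root, signed with the digest under test.
    openssl req -x509 $newkey -"$d" -extensions ca -days 2 \
      -subj "/CN=constructed test root" -keyout root.key -out root.pem &&
    # subroot1, issued off the root.
    openssl req -new $newkey -subj "/CN=constructed subroot1" \
      -keyout sub.key -out sub.csr &&
    openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -"$d" -extfile t.cnf -extensions ca -days 2 -out subroot1.pem &&
    # End entity certificate (client, server, code signing), issued off subroot1.
    openssl req -new $newkey -subj "/CN=localhost" \
      -keyout eeckey.pem -out eec.csr &&
    openssl x509 -req -in eec.csr -CA subroot1.pem -CAkey sub.key -CAcreateserial \
      -"$d" -extfile t.cnf -extensions ee -days 2 -out eec.pem &&
    # The EEC must really carry the requested signature algorithm ...
    openssl x509 -in eec.pem -noout -text |
      grep -q "Signature Algorithm: ${d}WithRSAEncryption" &&
    # ... and the full chain must verify against the root.
    openssl verify -CAfile root.pem -untrusted subroot1.pem eec.pem
  ) >/dev/null 2>&1
  rc=$?
  rm -rf "$w"
  return $rc
}

# Report per digest, the same matrix the mail asks testers to fill in.
for d in sha224 sha256 sha384 sha512; do
  if try_digest "$d"; then echo "$d: chain verifies"; else echo "$d: FAILED"; fi
done
```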