Hi,
I have gone through the security policy
(http://www.openssl.org/docs/fips/SecurityPolicy-1.2.pdf) and user guide
(http://www.openssl.org/docs/fips/UserGuide-1.2.pdf).
I have changed the configuration option to
1. opensslfips1.2
./config fipscanisterbuild
make
2. openssl 9.8j
./Configure -DSS
Aw, shoot. I see this is a re-issue of your question and others have
provided better answers already a few hours ago.
Keeping your browser open all night doesn't make gmail show a fresh
bunch when you wake up. Time for first coffee, pronto...
Anyway, check that add_all_algo thing anyway. Given you
Nothing glaring, except of course that this error is [almost] always
caused by the absence of a call to
OpenSSL_add_all_algorithms();
which is used to set up SSL with all the available ciphers, hashes, etc.
(And given your init code, I don't see
SSL_load_error_strings()
around either, which he
Miroslav Kratochvil wrote:
> Thanks for fast reply.
>
> On Thu, Jan 22, 2009 at 7:48 PM, Patrick Patterson
> wrote:
>> On January 22, 2009 01:41:18 pm Miroslav Kratochvil wrote:
>>> 2] I want it to reject the certificates which are present in a
>>> certificate revocation list (possibly multiple r
On Thu, Jan 22, 2009 at 08:51:20PM -0500, Dave Thompson wrote:
> Except as noted above, this sounds reasonable. I assume you realize
> that ALL includes, and could possibly negotiate, some weak ciphers;
> but since you're explicitly adding eNULL you apparently don't care.
> It certainly should be
> From: owner-openssl-us...@openssl.org On Behalf Of Dan Arcari
> Sent: Wednesday, 21 January, 2009 16:18
> I'm wondering if someone can help me with a "no shared cipher" error
> occurring when I attempt SSL_accept? I'll try to explain what's being
> done as succinctly as possible:
> 1. There are t
> From: owner-openssl-us...@openssl.org On Behalf Of Miguel
> Sent: Wednesday, 21 January, 2009 13:23
> I'm simulating a CA to sign the request of my client applications
> and I have a doubt about how openssl works.
> I generate a private key like:
> openssl dsaparam -genkey 1024 -out dsapriva
On Thu, Jan 22, 2009 at 9:08 PM, Carter Browne wrote:
> Both openvpn and stunnel provide the ability to use directories of
> certificates which are accepted or rejected using the openssl
> libraries. Both provide the ability to have a CRL directory which can
> be changed dynamically as well as a
Both openvpn and stunnel provide the ability to use directories of
certificates which are accepted or rejected using the openssl
libraries. Both provide the ability to have a CRL directory which can
be changed dynamically as well as a single merged PEM file which is only
read at startup. You migh
Thanks for fast reply.
On Thu, Jan 22, 2009 at 7:48 PM, Patrick Patterson
wrote:
> On January 22, 2009 01:41:18 pm Miroslav Kratochvil wrote:
>> 2] I want it to reject the certificates which are present in a
>> certificate revocation list (possibly multiple revocation lists),
>> which is supplied
Hello,
I'm wondering if someone can help me with a "no shared cipher" error
occurring when I attempt SSL_accept? I'll try to explain what's being done
as succinctly as possible:
1. There are two classes, SocketListener and SocketClient. Each does the
following as part of SSL initialization (pseud
Hi There:
On January 22, 2009 01:41:18 pm Miroslav Kratochvil wrote:
> Hello,
>
> I've been trying to find any usable and complete documentation about
> CRL checking and several other things, but I failed, so I'm asking
> here.
> I want to do this:
>
> 1] I already have a program which connects/a
Hello,
I've been trying to find any usable and complete documentation about
CRL checking and several other things, but I failed, so I'm asking
here.
I want to do this:
1] I already have a program which connects/accepts SSL connections,
and verifies the other peer's certificate against CA certifi
On Jan 22, 2009, at 5:11 PM, Wes Hardaker wrote:
RS> As a workaround you can use connected UDP sockets. Just use accept()
RS> and connect() as you would with TCP connections and create new BIO and
RS> SSL objects for every connection. I have tested that and it works
RS> pretty well so far.
On Thu, Jan 22, 2009 at 08:13:47AM -0600, Blasdel, Jerry wrote:
> I am trying to build OpenSSL-fips-1.2 on a Solaris 10 machine with Sun
> Studio 8 and force it to build 32-bit objects. Is there a way I can do
> that without changing the makefile and thus violating the fips validation?
The easie
> On Thu, 22 Jan 2009 06:10:36 +0100, Robin Seggelmann
> said:
RS> As a workaround you can use connected UDP sockets. Just use accept()
RS> and connect() as you would with TCP connections and create new BIO and
RS> SSL objects for every connection. I have tested that and it works
RS> pre
See
http://www.mail-archive.com/openssl-users@openssl.org/msg55632.html
for a basic, similar example where BIO_s_mem is used as a temporary
buffer, which automatically adapts its store to contain all the data,
which has not yet been read (fetched from the BIO).
Alternatively, you may consider us
Hi, can you provide an example for using BIO_s_mem (to store the
ciphertext)?
thanks
-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Victor Duchovni
Sent: Thursday, January 15, 2009 3:00 PM
To: openssl-users@openssl.org
Subject: R
All,
I am trying to build OpenSSL-fips-1.2 on a Solaris 10 machine with Sun Studio 8
and force it to build 32-bit objects. Is there a way I can do that without
changing the makefile and thus violating the fips validation?
Thanks,
JB
Yeah. You're violating the Security Policy of the FIPS-validated
module, and thus you will NEVER get a validated build. READ THE
SECURITY POLICY.
You need to use './config fipscanisterbuild' or './config
fipscanisterbuild no-asm'. If you don't use one of these configs,
you're not going to get a
Hi All,
Can anyone tell me please where I am going wrong.
Thanks
Rajan
On Wed, Jan 21, 2009 at 11:52 PM, joshi chandran wrote:
> I have used the same security policy step.
>
> openssl fips 1.2
> 1. ./Configure fipscansiterbuild aix-cc
> 2. make
> 3. make install
>
> openssl 9.8j
> 1. ./Co