On Sat, Apr 25, 2015 at 12:49:21AM +, Perrow, Graeme wrote:
> Using OpenSSL 1.0.1m on 64-bit Windows and Linux.
>
> I have implemented RSA encryption using the RSA_public_encrypt and
> RSA_private_decrypt functions and various padding types. This is working
> fine except that in very rare cas
Using OpenSSL 1.0.1m on 64-bit Windows and Linux.
I have implemented RSA encryption using the RSA_public_encrypt and
RSA_private_decrypt functions and various padding types. This is working fine
except that in very rare cases, my test fails because decrypting succeeds when
it should fail. I'm b
Some of the algorithms still invoke the FIPS flavor of the algorithm
even when FIPS is disabled. For example, this code is from
EVP_DigestUpdate().
int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
{
#ifdef OPENSSL_FIPS
return FIPS_digestupdate(ctx, data, count);
#else
On Fri, Apr 24, 2015, jonetsu wrote:
> Hello,
>
> > In FIPS mode SSL 3.0 is not allowed: that has always been the
> > case.
>
> % openssl version
> OpenSSL 1.0.1f 6 Jan 2014
>
> % OPENSSL_FIPS=1 openssl ciphers -v | grep SSL
>
> ECDHE-RSA-AES256-SHASSLv3
> ECDHE-ECDSA-AES256-SHA SSLv3
> D
In my last email I ran the benchmark on Fedora 21 (big mistake). Here are the
results when running it back on the 28/56 core RHEL 6.5 server showing
contention in a different place (fips). Is there a reason it would be calling
into the FIPS code to get a lock of FIPS is not enabled?
Contenti
Hello,
> In FIPS mode SSL 3.0 is not allowed: that has always been the
> case.
% openssl version
OpenSSL 1.0.1f 6 Jan 2014
% OPENSSL_FIPS=1 openssl ciphers -v | grep SSL
ECDHE-RSA-AES256-SHASSLv3
ECDHE-ECDSA-AES256-SHA SSLv3
DHE-RSA-AES256-SHA SSLv3
DHE-DSS-AES256-SHA SSLv3
[snip
When you create the private key given to SSL_CTX, be sure to instantiate
a private key for each thread as well. If you share the same key across
all threads, this can introduce contention.
Here are the type 1 & 2 locks:
# define CRYPTO_LOCK_ERR 1
# define CRYPTO_LOCK_EX_DATA
We are using a single SSL_CTX across all the threads, so I will create multiple
SSL_CTX per thread. I implemented dynlock callbacks yesterday, but I didn’t
see them being used in the tests I did. I also added atomic counters to see
what type of locks are having contention (see logs below):
Mo
On Fri, Apr 24, 2015, Rajeswari K wrote:
> Hello openssl-users,
>
> I have an issue with update of ECDSA digests in our environment.
>
> We have our own digest functions for init, update and final where we
> registered with these functions for NID_sha1, NID_sha256, NID_sha384 and
> NID_sha512. T
On Fri, Apr 24, 2015, jonetsu wrote:
>
> ... Along with TLS 1.0 (which is absent from OpenSSL FIPS mode)
>
> https://www.niap-ccevs.org/pp/pp.cfm?id=CPP_ND_V1.0
>
> Specifically:
>
> "FCS_TLSS_EXT.1.2 The TSF shall deny connections from clients requesting SSL
> 1.0, SSL
> 2.0, SSL 3.0, TLS 1
On Fri, Apr 24, 2015 at 03:55:18PM +, Salz, Rich wrote:
> To generate the signature look at the pkeyutl app. (Sorry, don?t
> remember any other details)
Typically, signatures are created with:
openssl dgst -sha256 -sign key.pem ...
See the dgst(1) manpage.
--
Viktor.
___
WS-Security? Blast from the past … ☺
To fill in the BinarySecurityToken field, take the PEM version of the cert,
strip off the leading and trailing marker lines ---BEGIN… and output that. To
generate the signature look at the pkeyutl app. (Sorry, don’t remember any
other details)
--
Senior A
What OpenSSL command is required to generate a proper
“Web Services Security: SOAP Message Security 1.0 (WS-Security 2004)”
Signature Value
I have the following guidelines in generating the SignatureValue
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3
"
Enc
Hello everyone,
I am using OpenSSL sockets and I have the problem I described in the following
thread, i.e. a bunch of memory-leaks that happen most likely because I don't
uninitialize OpenSSL properly. I believe this to be the cause, because the
errors appeared exactly at the moment when I swi
Hi,
... Along with TLS 1.0 (which is absent from OpenSSL FIPS mode)
https://www.niap-ccevs.org/pp/pp.cfm?id=CPP_ND_V1.0
Specifically:
"FCS_TLSS_EXT.1.2 The TSF shall deny connections from clients requesting SSL
1.0, SSL
2.0, SSL 3.0, TLS 1.0"
"FCS_TLSS_EXT.2.2 The TSF shall deny connections
Hello openssl-users,
I have an issue with update of ECDSA digests in our environment.
We have our own digest functions for init, update and final where we
registered with these functions for NID_sha1, NID_sha256, NID_sha384 and
NID_sha512. These digests were updated at openssl, via ENGINE_set_dig
16 matches
Mail list logo
