On Wed, Feb 10, 2016 at 09:03:35PM -0500, Jeffrey Walton wrote:
> As far as I know, there are no constants for TLS 1.0 and 1.1, so we
> can't extend this in clients:
>
> const SSL_METHOD* method = SSLv23_method();
> ctx = SSL_CTX_new(method);
> ...
>
> const long flags = SSL_OP_NO
> On Feb 10, 2016, at 9:28 PM, Jeffrey Walton wrote:
>
>> You should then disable unwanted protocols that are too weak. In master
>> use the new min/max version controls and avoid the SSL_OP_NO_
>> macros. In 1.0.x, use the macros to disable some contiguous set of protocol
>> versions starting
>> How do we work around a server that seems to require SSLv23_method?
>
> Don't think of this as a work-around. You SHOULD use the version-flexible
> method (renamed from SSLv23_method() to TLS_method() in master).
>
> You should then disable unwanted protocols that are too weak. In master
> use
> On Feb 10, 2016, at 9:03 PM, Jeffrey Walton wrote:
>
> How do we work around a server that seems to require SSLv23_method?
Don't think of this as a work-around. You SHOULD use the version-flexible
method (renamed from SSLv23_method() to TLS_method() in master).
You should then disable unwan
Do an initial config to get the symlinks copied, then do your 'real' config.
This will be fixed next time :)
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
How do we work around a server that seems to require SSLv23_method?
That is, they accept the SSLv3 record layer and TLS 1.2 protocol, but
they reject record layers and protocols that only specify TLS 1.2?
As far as I know, there are no constants for TLS 1.0 and 1.1, so we
can't extend this in clie
Hi All:
I tried to build a FIPS capable OpenSSL Ubuntu package (using the Ubuntu
12.04 debian meta file).
The Ubuntu package uses Configure for configuring the source tree with the
following parameters:
ARCH_CONFARGS := enable-ec_nistp_64_gcc_128
CONFARGS = --prefix=/usr --openssldir=/usr/lib
I tried to build openssl 1.0.2f on MacOS with the following configuration
options "Configure no-bf" but it failed because there is no header file
blowfish.h in include/openssl directory.
This does not happen in 1.0.2d where include/openssl/blowfish.h is a
symbolic link to ../../crypto/bf/blowfish.h
Hi Everyone,
I installed the FIPS capable openssl library (which was built by myself) on
my Ubuntu linux box.
For some reason, I keep running into the following errors whenever I run an
ssh-related command:
ssh: /lib/x86_64-linux-gnu/libcrypto.so.1.0.0: no version information
available (required by
The FIPS module will explicitly deny any attempt to use unapproved
algorithms when it's in FIPS mode. It's only when it's not in FIPS mode
that you might be able to use the unapproved algorithms, because the
generated library will use the original code and not the FIPS canister.
So, if you want t
Thanks Kyle. So basically I can just use Configure for building FIPS
capable OpenSSL library, as long as I pass the right parameters to it right?
Also if I use Configure, do I need to explicitly turn off the non-FIPS
approved algorithms, like passing "no-rc4" as a parameter to the Configure
comman
./config autodetects the platform and such, passing various parameters
to Configure. So, after you've built the canister, you can do as you want.
So, to do this, figure out from ./config what parameters it passes to
Configure in the presence of the 'fips' argument, then modify the
command line the
On 2/10/2016 12:47 PM, Steve Marquess wrote:
> Since you're required to start with the official tarball, and aren't
> allowed to change the contents of the tarball, not even a teeny tiny
> little bit, there is no point in dumping the tarball contents into
> your local source code management/versi
On 02/10/2016 03:23 PM, cloud force wrote:
> Hi Everyone,
>
> I am trying to build FIPS capable OpenSSL as an Ubuntu 12.04 package.
>
> From the OpenSSL doc it mentioned we need to do ./config fips in order
> to build openssl under fips mode. I tried that and it worked well.
>
> Now I am buildin
Thanks Kyle.
Yes, for building FIPS canister I did exactly the same thing as it
mentioned in the security policy doc.
My questions above were mainly regarding building the OpenSSL library
itself with the fipscanister.o modules.
In the doc it said we should just do "*config fips*", and since the
My understanding is, you must follow the steps given in the Security
Guide *exactly*, with no deviation, in order to produce a validated
binary of the FIPS canister. In other words, you *must not* try to use
Configure when attempting to build the FIPS canister because it does not
match the steps g
Thanks Lesley and Steve for the answers.
Rich
On Wed, Feb 10, 2016 at 12:02 PM, Steve Marquess
wrote:
> On 02/10/2016 02:56 PM, Lesley Kimmel wrote:
> > Actually, I may have steered you wrong. It appears that OPENSSL_FIPS may
> > have no effect against a non-FIPS enabled OpenSSL. According to s
Hi Everyone,
I am trying to build FIPS capable OpenSSL as an Ubuntu 12.04 package.
From the OpenSSL doc it mentioned we need to do ./config fips in order to
build openssl under fips mode. I tried that and it worked well.
Now I am building the OpenSSL FIPS as a Ubuntu package. I noticed the
pack
On 02/10/2016 02:56 PM, Lesley Kimmel wrote:
> Actually, I may have steered you wrong. It appears that OPENSSL_FIPS may
> have no effect against a non-FIPS enabled OpenSSL. According to some
> posts you can do 'OPENSSL_FIPS=1 openssl md5' which should return an
> error as md5 is not an enabled ciphe
Actually, I may have steered you wrong. It appears that OPENSSL_FIPS may
have no effect against a non-FIPS enabled OpenSSL. According to some posts
you can do 'OPENSSL_FIPS=1 openssl md5' which should return an error as md5
is not an enabled cipher in FIPS mode.
On Wed, Feb 10, 2016 at 1:49 PM, Les
I think you can run 'OPENSSL_FIPS=1 openssl ciphers -v'. I believe that if,
FIPS is compiled in properly you should get output. Otherwise an error
should occur.
On Wed, Feb 10, 2016 at 1:41 PM, cloud force
wrote:
> Hi everyone,
>
> I built and installed the FIPS capable OpenSSL lib on my system,
Hi everyone,
I built and installed the FIPS capable OpenSSL lib on my system, and I was
wondering what's the easiest way to find out whether my OpenSSL is really
FIPS capable or not.
e.g. is there any way to run some openssl commands to find out, such as
"openssl ciphers -v", and what cipher suit
Hello,
According to this thread:
http://openssl.6102.n7.nabble.com/config-and-no-zlib-td42924.html
it would make sense to execute Configure with both "no-comp" and "zlib" options.
If I understand correctly, this would avoid to have the openssl library to use
compression for SSL/TLS by
Some good news for a change, but if you neither know nor care what FIPS
120-2 is you're not missing anything.
The final "X9.31 RNG transition" change letter update for the third
validation (#2398) of the OpenSSL FIPS Object Module v2.0 trilogy
(#1747/#2398/#2747) was approved yesterday. This appro