Re: Private Key Format Different in FIPS Mode

2013-06-12 Thread Anamitra Dutta Majumdar (anmajumd)
umdar (anmajumd)" wrote: > >We are using OpenSSL version 0.9.8l > >And what we find is that the DSA private key formats are different in FIPS >and non-FIPS mode > >In FIPS mode it starts with >-BEGIN PRIVATE KEY- > >Whereas in non-FIPS mode it starts with

Private Key Format Different in FIPS Mode

2013-06-12 Thread Anamitra Dutta Majumdar (anmajumd)
We are using OpenSSL version 0.9.8l And what we find is that the DSA private key formats are different in FIPS and non-FIPS mode In FIPS mode it starts with -BEGIN PRIVATE KEY- Whereas in non-FIPS mode it starts with -BEGIN DSA PRIVATE KEY- I understand that this is expected s

Re: PKCS12 keystore creation failing in fips mode

2013-05-30 Thread Anamitra Dutta Majumdar (anmajumd)
Hello Steve , Thanks for your response. Is there a corresponding API where we can impose this descert option? -Anamitra On 5/29/13 6:15 PM, "Dr. Stephen Henson" wrote: >On Wed, May 29, 2013, Anamitra Dutta Majumdar (anmajumd) wrote: > >> We are trying to create pkcs12

PKCS12 keystore creation failing in fips mode

2013-05-29 Thread Anamitra Dutta Majumdar (anmajumd)
We are trying to create pkcs12 keystore in FIPS mode using OpenSSL 1.0.1 and it fails with the following error 9uo8bYe2YpDmqEgC[root@vos-i/usr/local/platform/bin/openssl pkcs12 -export -in tomcat.pem -inkey ../keys/tomcat_priv.pem -out tomcat.keystore Enter Export Password: Verifying - Enter Expor

openssh_DSA_verify_inFIPS EVP_VerifyFinal BAD SIG code:-1 ERROR

2012-11-13 Thread Anamitra Dutta Majumdar (anmajumd)
We are getting the following error in the syslogs secure:Nov 9 19:32:04 cls2-pub authpriv 3 sshd[9526]: error: openssh_DSA_verify_inFIPS EVP_VerifyFinal BAD SIG code:-1 when we connect between two servers using ssh key based authentication. This issue happens only in FIPS mode and not in non FI

Re: sslv3 alert bad certificate:s3_pkt.c:1065:SSL alert number 42

2012-10-26 Thread Anamitra Dutta Majumdar (anmajumd)
Hi Dave, This is a close box without a server operator. Is there a way to determine why the cert chain was Disliked. Thanks, Anamitra On 10/26/12 3:14 PM, "Dave Thompson" wrote: >>From: owner-openssl-us...@openssl.org On Behalf Of Anamitra Dutta >>Majumdar >(anmaj

TLS handshake failure

2011-07-27 Thread anmajumd
One of our customers is trying to setup a TLS for SIP trunk. Self-signed certificates (2048 bit) & non encrypted configuration on SIP trunk work but a CA signed certificate does not. Going by this SSL/TLS detail example http:// t

Re: Why is bf_cbc allowed in FIPS mode !

2011-06-10 Thread anmajumd
The return value is 1 which is a success. Thanks Anamitra On 6/10/11 4:44 PM, "Dr. Stephen Henson" wrote: > On Fri, Jun 10, 2011, anmajumd wrote: > >> We are on version 0.9.8l of OpenSSL with FIPS module version 1.2 if that is >> what you are asking. >

Re: Why is bf_cbc allowed in FIPS mode !

2011-06-10 Thread anmajumd
We are on version 0.9.8l of OpenSSL with FIPS module version 1.2 if that is what you are asking. Thanks Anamitra On 6/10/11 4:37 PM, "Dr. Stephen Henson" wrote: > On Fri, Jun 10, 2011, anmajumd wrote: > >> >> We are preparing for a FIPS review with our lab. >

Why is bf_cbc allowed in FIPS mode !

2011-06-10 Thread anmajumd
We are preparing for a FIPS review with our lab. We have found that there is a piece of code that initializes the encryption context for bf_cbc which works perfectly fine in FIPS mode. Specifically this is the code snippet I am referring to EVP_EncryptInit(ctx, EVP_bf_cbc(), key, iv); out

Re: OpenSSH key verification fails in FIPS mode with 0.9.8q + FIPS

2011-02-23 Thread anmajumd
Thanks for your prompt response . Do you have the name of the patch to share with us? Thanks Anamitra On 2/23/11 1:42 PM, "Dr. Stephen Henson" wrote: > On Wed, Feb 23, 2011, anmajumd wrote: > >> >> We recently built FIPS compliant openssl 0.9.8q. Earlier we wer

OpenSSH key verification fails in FIPS mode with 0.9.8q + FIPS

2011-02-23 Thread anmajumd
We recently built FIPS compliant openssl 0.9.8q. Earlier we were using 0.9.8l. With ssh binaries linked to FIPS compliant OpenSSL 0.9.8q, when running the OpenSSH client, connection setup fails during verification of the server key. We did not run into this SSH issue with 0.9.8l. Has anythi

OpenSSL fails to load private key in FIPS mode

2011-02-08 Thread anmajumd
Call to PEM_read_bio_PrivateKey function returns the following SSL Error in FIPS mode. error:06080090:digital envelope routines:EVP_DigestInit_ex:disabled for fips error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt error:0906A065:PEM routines:PEM_do_header:bad decrypt PE

Issues with c_rehash utility in FIPS mode

2010-09-29 Thread anmajumd
We are trying to generate the hash of the subject name in certificates in fips mode by using the "openssl x509 -hash" command. Apparently this utility uses md5 algorithm to calculate the hash of the subject name and therefore this operation is not allowed in FIPS mode. My question is, is there an

RE: known answer test and alogorithm test for Diffie-Hellman?

2010-05-06 Thread Anamitra Dutta Majumdar (anmajumd)
Have not seen a response to this. The FIPS_selftest() API does not perform any self-tests on Diffie-Hellman algorithm. Is it because it is a non-approved security function in the FIPS module? Do we need self tests on DH if DH key exchange is used by SSH in the system running in FIPS mode? Than