On 16/04/18 11:38, Matt Caswell wrote:
>
>
> On 16/04/18 09:19, marcus.schafheu...@gmx.de wrote:
>> SSL_set_bio(ssl, NULL, NULL); // free BIOs when finished
>
> There should be no reason to do this. The BIO's will get freed
> automatically by the SSL_free() call.
>
>
>> Is this a faulty beha
On 16/04/18 09:19, marcus.schafheu...@gmx.de wrote:
> SSL_set_bio(ssl, NULL, NULL); // free BIOs when finished
There should be no reason to do this. The BIO's will get freed
automatically by the SSL_free() call.
> Is this a faulty behavior of OpenSSL 1.1.0 or is the fault on my side?
This l
Hello,
we encountered a strange behaviour of OpenSSL 1.1.0 when our test with "sslscan" provokes an unfinished
handshake. The problem exists since OpenSSL 1.1.0 - there were no problems with OpenSSL 1.0.2x.
Our asynchronous communication approach uses memory BIOs in order to read/write data fr
On Thu, Jul 23, 2009 at 12:27:56PM -0500, Michael Kurecka wrote:
> I have no problem what I have so far. It is a stripped down version with
> openssl FIPS. Where shall I send it?
If you are willing to license the wpa_supplicant/hostapd changes under
the license used in the project, please send a
That seemed to work using
export LD_LIBRARY_PATH=/usr/local/ssl/fips/lib
I'm not getting the assertion failure but I am now getting a
segmentation fault "in memcpy () from /lib/libc.so.6" which I need to
look into. Back to my previous question of -- Is my script wrong or am
I
On Mon, Jul 27, 2009, Michael Kurecka wrote:
> I tried
>
> export LD_LIBRARY_PATH=/usr/local/ssl/fips
> and
> export LD_LIBRARY_PATH=/usr/local/ssl/fips/bin
> and
> export LD_LIBRARY_PATH=/usr/local/ssl/fips-1.0
>
You need to set that to a directory that contains libssl.so.0.9.8 that is FIPS
ca
I tried
export LD_LIBRARY_PATH=/usr/local/ssl/fips
and
export LD_LIBRARY_PATH=/usr/local/ssl/fips/bin
and
export LD_LIBRARY_PATH=/usr/local/ssl/fips-1.0
and all three failed to avert the assertion failure. How can I be
assured that the FIPS library is being run? Self-tests seem to run and
pass
On Fri, Jul 24, 2009, Michael Kurecka wrote:
> I did not see anything which I assume means I am using the standard
> libssl. How do I correct this?
Well it is part of the link process when you build the application. It needs
to link and use the version of libssl in the 0.9.8k distribution and not
I did not see anything which I assume means I am using the standard
libssl. How do I correct this?
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users
On Fri, Jul 24, 2009, Michael Kurecka wrote:
> I finally succeeded in adding debug to openssl, but it doesn't seem to
> be working completely. I was able to set the breakpoint at the point
> you mentioned Dr. Henson but I'm not sure how that will tell me what
> is being called. I am not able to br
I finally succeeded in adding debug to openssl, but it doesn't seem to
be working completely. I was able to set the breakpoint at the point
you mentioned Dr. Henson but I'm not sure how that will tell me what
is being called. I am not able to break on ssl3_init_finished_mac,
ssl3_connect or SSL_con
On Fri, Jul 24, 2009, Michael Kurecka wrote:
> Failed again with a different error:
>
Erk, OK. I'd suggest starting with linux-generic32 and deleting
-fomit-frame-pointer and -O3 from Makefile and adding -g
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support
On Fri, Jul 24, 2009, Michael Kurecka wrote:
> Dr. Henson,
> I tried the change for MD5 you mentioned of using the EVP interface,
> but it isn't working as I am getting the forbidden algorithm error. Below
> is the new code. The init is passing but it is failing on the update. I
> noticed t
Dr. Henson,
I tried the change for MD5 you mentioned of using the EVP interface,
but it isn't working as I am getting the forbidden algorithm error. Below
is the new code. The init is passing but it is failing on the update. I
noticed that the flag is cleared after the init so I set the
EVP_
Failed again with a different error:
make[1]: Entering directory `/usr/src/openssl/crypto'
( echo "#ifndef MK1MF_BUILD"; \
echo ' /* auto-generated by crypto/Makefile for
crypto/cversion.c */'; \
echo ' #define CFLAGS "gcc -fPIC -DOPENSSL_PIC
-DOPENSSL_THREADS -D_REENTRANT -DDSO_
On Thu, Jul 23, 2009, Michael Kurecka wrote:
>
> Dr. Henson:
>
> I did the ./Configure debug-linux-elf-noefence fipscanisterbuild as you
> mentioned and that worked OK but I got the following error when I ran make.
>
Argh... don't have a debug configuration for that platform. Try
deleting the
Jouni,
I have no problem what I have so far. It is a stripped down version with
openssl FIPS. Where shall I send it?
Dr. Henson:
I did the ./Configure debug-linux-elf-noefence fipscanisterbuild as you
mentioned and that worked OK but I got the following error when I ran make.
#make
if [ -n "l
On Thu, Jul 23, 2009, Michael Kurecka wrote:
> Just to be clear
>
> my current config is:
> ./config fipscanisterbuild no-asm (in the FIPS 1.2 directory)
> make
> ./config fips (in the 0.9.8k directory)
> make
>
> I attempted:
> ./config -d fipscanisterbuild no-asm (in the FIPS 1.2 directory)
>
On Thu, Jul 23, 2009 at 12:51:53PM +0200, Dr. Stephen Henson wrote:
> Yes in FIPS mode non-compliant ciphersuites are disabled and so should never
> be seen. If there is some way to use them which is triggering this in
> unmodified OpenSSL 0.9.8k I'd like to know what it is as that's a bug which
>
Just to be clear
my current config is:
./config fipscanisterbuild no-asm (in the FIPS 1.2 directory)
make
./config fips (in the 0.9.8k directory)
make
I attempted:
./config -d fipscanisterbuild no-asm (in the FIPS 1.2 directory)
make
./config -d fips (in the 0.9.8k directory)
make
but it said th
On Thu, Jul 23, 2009, Michael Kurecka wrote:
>
> Dr. Steve:
>
> How do I enable debug? I want to make sure I have it set right as it takes a
> while to rebuild.
I'd recommend using OpenSSL 0.9.8k throughout for that you should be able to
use:
./config -d fipscanisterbuild
BLOODY BIG SODDING E
On Thu, Jul 23, 2009, Michael Kurecka wrote:
> Dr Henson wrote:
>
> >No that wont bypass the MD5 check. You can use EVP and set the flag
> >EVP_MD_CTX_NON_FIPS_ALLOW if you really want to do that...
>
> I do need to bypass MD5 because MD5 for RADIUS is FIPS compliant, but I
> can't find the EVP_
Dr Henson wrote:
>No that wont bypass the MD5 check. You can use EVP and set the flag
>EVP_MD_CTX_NON_FIPS_ALLOW if you really want to do that...
I do need to bypass MD5 because MD5 for RADIUS is FIPS compliant, but I
can't find the EVP_MD_CTX_NON_FIPS_ALLOW flag anywhere. Where is the flag
and h
If you look at the Configure script you will see different debug options
that the developers have setup. Search the Configure file for lines
with 'debug-' in them. You can adjust the Configure script to setup
your own as well, just follow the pattern. There are quite a few
different configs avai
Dr. Steve:
How do I enable debug? I want to make sure I have it set right
as it takes a while to rebuild.
David Schwartz wrote:
>Most likely, you're getting a connection from a non-FIPS endpoint that's
>forcing you to use a protocol that's not FIPS compliant. I'm not sure why
>you're seeing what you're seeing though -- it should just have reported
that
>it was unable to negotiate compatible protocols
On Wed, Jul 22, 2009, David Schwartz wrote:
>
> Michael Kurecka wrote:
>
> > Thank you for your help that is definitely a point in the right
> > direction; however, it leaves me more baffled. I found the only
> > SSL_CTX_new function that is in the code and it is being passed
> > the TLSv1_metho
Michael Kurecka wrote:
> Thank you for your help that is definitely a point in the right
> direction; however, it leaves me more baffled. I found the only
> SSL_CTX_new function that is in the code and it is being passed
> the TLSv1_method not an SSLv*_method which is what it should be
> accordin
rc/eap_peer/eap.c:368
> #12 0x0004e22c in eap_peer_sm_step (sm=0x8ad90) at ../src/eap_peer/eap.c:698
> #13 0x0004b9d0 in eapol_sm_step (sm=0x8ac68) at
> ../src/eapol_supp/eapol_supp_sm.c:900
No proper debugging symbols in the shared library AFAICS.
The actual assertion failure is caused b
>
> > What determines which SSL version is used? Is it the CTX object,
> > a configuration setting, etc.? I've tried tracing the code on
> > the OpenSSL side but it has me baffled even with a stack trace
> > I'm having trouble understanding its path. I would appreciate
> > any help you can give on
Michael Kurecka wrote:
> Thank you David for your bluntness. Trust me, I'm aware of how
> significant making wpa_supplicant FIPSable is. I've been working
> on it for several months. Over the past few months I've been in
> the process of removing non-compliant code, updating MD5 to SHA-1,
> etc.
isation error (you'd
normally never get an error with a software only interface) the context is
initialised so that any attempt to use the context produces a hard assertion
failure when you call *update().
The low level interfaces often don't return values and their use directly in
applic
I'm not going to comment on David's assertion's or anything about
wpa_supplicants, but lets take a step back:
SSL is NOT allowed in FIPS 140-2 compliant modes; TLS 1.0 IS allowed in FIPS
140-2 when using FIPS-approved security functions (see the FIPS 140-2
implementation guide).
TLS 1.0 is som
Thank you David for your bluntness. Trust me, I'm aware of how significant
making wpa_supplicant FIPSable is. I've been working on it for several
months. Over the past few months I've been in the process of removing
non-compliant code, updating MD5 to SHA-1, etc. I'm close for the AP side
with host
Michael Kurecka:
> How do I disable SSLv3 so that I can use FIPS?
Sorry to be blunt, but you don't. A FIPS wpa_supplicant is a significant
task, you can't just flip a few switches and make one appear.
DS
__
OpenSSL Project
How do I disable SSLv3 so that I can use FIPS?
On Fri, Jul 17, 2009 at 4:22 PM, David Schwartz wrote:
>
> Michael Kurecka:
>
> > I am trying to run wpa_supplicant in FIPS mode.
>
> Why?
>
> > I don't think the MD5 function is even called
>
> MD5 is part of SSLv3.
>
> #6 0x4003e6b8 in ssl3_connec
Michael Kurecka:
> I am trying to run wpa_supplicant in FIPS mode.
Why?
> I don't think the MD5 function is even called
MD5 is part of SSLv3.
#6 0x4003e6b8 in ssl3_connect () from /usr/lib/libssl.so.0.9.8#7
0x4004ebf4 in SSL_connect () from /usr/lib/libssl.so.0.9.8#8 0x000526c0 in
tls_conne
I am trying to run wpa_supplicant in FIPS mode. The stack trace of the
failure is below. I'm assuming that an algorithm not supported by FIPS
is being used but I'm not sure which one since I thought I removed
them all. I replaced SHA-1 with
EVP_MD_CTX ctx;
size_t i;
unsigned int mac_len;
38 matches
Mail list logo
