> In openssl-1.0.1/fips-2.0 it is not possible to call the low-level APIs when
> in FIPS 140-2 mode. Is there another alternative that I can use? E.g. some
> API in the FIPS module?
Sorry, no.
--
Principal Security Engineer, Akamai Technologies
IM: rs...@jabber.me Twitter: RichSalz
Hi,
I'm in the process of upgrading from openssl-0.9.8/fips-1.2 to
openssl-1.0.1/fips-2.0. Our system can be built both with and without the fips
module. Furthermore, it can be built in a limited feature set configuration (no
fips). The limited feature set config only calls low-level op
Hi,
I am trying to compile a FIPS enabled openssl. I was able to build 64 bit
openssl dll successfully.
However, when trying to build a 32 bit openssl dll with fips, I am facing
an issue.
Below are the commands used on Visual Studio 32 bit command line. OS:
Windows 7
1) perl Configure VC-WI
On 10/20/2013 08:29 AM, Oz, Tal (Tal) wrote:
> Hi,
>
> I can see there is an important note that FIPS 1.2 is no longer valid in its
> current form past 2010 (http://www.openssl.org/docs/fips/fipsnotes.html)
> There is also a reference to SP 800-131.
>
> From reading it,
Hi,
I can see there is an important note that FIPS 1.2 is no longer valid in its
current form past 2010 (http://www.openssl.org/docs/fips/fipsnotes.html)
There is also a reference to SP 800-131.
From reading it, it looks like it should be ok to use it until 2015.
For example, the random num
On Thu, Oct 10, 2013, Anil Kumar K K wrote:
> Hi OpenSSL experts,
>
> I have been trying to find out whether TLS version 1.1 and 1.2 are supported
> in openssl package openssl-fips 1.2.
>
> Version string in the code says only TLS 1.0 is supported. #define
> TLS1_VERS
Hi OpenSSL experts,
I have been trying to find out whether TLS version 1.1 and 1.2 are supported
in openssl package openssl-fips 1.2.
Version string in the code says only TLS 1.0 is supported. #define
TLS1_VERSION 0x0301
But change log listed in the below link talks about TLS 1.2 also
On Wed, Oct 20, 2010 at 11:18 PM, Turner, Joe (DIJM)
wrote:
> I am working on compiling the fips canister on windows 7 x64 with VS 2010
> professional. When I run ms\do_fips- there are two issues.
>
> The first is on line 130 of do_fips.bat. The line should read ml64 -c -Fo
> ms\uptable.obj ms\u
On Tue, Oct 19, 2010, Susumu Sai wrote:
> Similar question.
> With the problem
> http://www.mail-archive.com/openssl-users@openssl.org/msg58527.html
> In order to make fipslink.pl work with MKS perl, in fipslink.pl, if I make a
> change
>
> that add a line like below:
>
> $sha1_exe =~ s
Henson
To: openssl-users@openssl.org
Sent: Mon, October 11, 2010 3:16:46 PM
Subject: Re: Crosscompiling openssl-fips-1.2 for arm-linux - still FIPS
compliant?
On Mon, Oct 11, 2010, Ronald Wahl wrote:
> Hi,
>
> I'm currently trying to cross compile openssl-fips-1.2 for arm-linux on a
>
On Mon, Oct 11, 2010, Ronald Wahl wrote:
> Hi,
>
> I'm currently trying to cross compile openssl-fips-1.2 for arm-linux on a
> x86 host. This does abort at a certain point. The problem has been already
> reported and solutions are provided. See here:
>
> http://ww
Hi,
I'm currently trying to cross compile openssl-fips-1.2 for arm-linux on
a x86 host. This does abort at a certain point. The problem has been
already reported and solutions are provided. See here:
http://www.mail-archive.com/openssl-users@openssl.org/msg59904.html
I have not trie
On 13/08/2010 5:12 AM, Dave Thompson wrote:
I'm not sure why they even used an HMAC in the Policy.
Probably the 'priests' just liked it. It doesn't add anything.
Any actual security comes from having the digest, *or* HMAC,
protected by a different means than the subject data.
And unfortunately h
> From: owner-openssl-us...@openssl.org On Behalf Of David Stafford
> Sent: Thursday, 12 August, 2010 11:31
> To: openssl-users
> Subject: openssl-fips-1.2.crossbuild.diff.gz signature incorrect
>
> When attempting to verify the hmac signature of the file
> "openssl-fips
2010/8/12 홍성일 :
> Hi.
>
> Umm.. I'm so sorry .. I can't speak English Well.!!
>
> I want to build libosslfips.dll (Windows) in openssl-0.9.8o or
> openssl-fips-1.2
> But This is build(link) error (LNK2001)!!
>
>
> In UserGuide-1.2 (http://www
When attempting to verify the hmac signature of the file
"openssl-fips-1.2.crossbuild.diff.gz" I get a wrong value. At least
it's wrong when compared with the Security Policy document.
Also, the file when retrieved from the web is not compressed as the
file name might imply, bu
Hi.
Umm.. I'm so sorry .. I can't speak English Well.!!
I want to build libosslfips.dll (Windows) in openssl-0.9.8o or
openssl-fips-1.2
But This is build(link) error (LNK2001)!!
In UserGuide-1.2 (http://www.openssl.org/docs/fips/UserGui
> Solution: Use the version 14.00.4 amd64 compiler from the April 2005 x64
> Platform SDK, or one of its close successors. Those need and include that
> library.
>
> The April 2005 x64 Platform SDK is still available from MSDN subscriber
> downloads as en_ws_2003_sp1_sdk_april_2005.iso . In
sr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/tlhelp32.h:121:
error: expected `=', `,', `;', `asm' or `__attribute__' before
`WINAPI'
/usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/tlhelp32.h:122:
error: expected `=', `,', `;',
On 05-08-2010 13:59, Vivek Madani wrote:
Hi,
I am trying to compile openssl-fips-1.2 on VS 2008 (64 bit) and getting a
linker error
LINK : fatal error LNK1181: cannot open input file 'bufferoverflowu.lib'
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visua
Hi,
I am trying to compile openssl-fips-1.2 on VS 2008 (64 bit) and getting a
linker error
LINK : fatal error LNK1181: cannot open input file 'bufferoverflowu.lib'
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio
9.0\
VC\Bin\amd64\link.EXE"
On 8/3/2010 1:17 PM, William A. Rowe Jr. wrote:
> On 8/3/2010 10:05 AM, Bryan wrote:
>> I see a "fips" directory in 0.9.8o. If I'm building OpenSSL with FIPS
>> on cygwin, should I use the openssl-fips, or use the 0.9.8o tarfile?
>
> This is well documented in the FIPS user guide and security pol
ocumented in the FIPS user guide and security policy, and
> if you haven't read them in detail, what you are compiling undoubtedly
> does not conform to the mandatory FIPS policy.
>
I've been building it the same way for several days (first the FIPS
module in openssl-fips-1.2)
On 8/3/2010 10:05 AM, Bryan wrote:
> I see a "fips" directory in 0.9.8o. If I'm building OpenSSL with FIPS
> on cygwin, should I use the openssl-fips, or use the 0.9.8o tarfile?
This is well documented in the FIPS user guide and security policy, and
if you haven't read them in detail, what you ar
I see a "fips" directory in 0.9.8o. If I'm building OpenSSL with FIPS
on cygwin, should I use the openssl-fips, or use the 0.9.8o tarfile?
__
OpenSSL Project http://www.openssl.org
User Support Mail
I have built several versions of openssh (through 5.5p1) together with then
current openssl releases, but not in FIPS mode using cygwin. The releases all
were built without any issues. For installation in Windows I started with the
opensshd.exe from the openssh.org site and updated the openssh a
On 21-07-2010 21:50, Bryan wrote:
On Wed, Jul 21, 2010 at 13:19, Jakob Bohm wrote:
On 21-07-2010 18:26, Bryan wrote:
On Wed, Jul 21, 2010 at 10:33, Jakob Bohm wrote:
On 19-07-2010 16:18, Bryan wrote:
I am trying to build openssl 0.9.8o with the fips-1.2 source. I'm
building it
On Wed, Jul 21, 2010, Bryan wrote:
>
> Well, the good thing is I am building this on an XP machine inside a
> VM, and I created a snapshot before I started all this, so backing out
> is an option to be able to start over and configure the environment
> correctly. This might even be what I have t
On Wed, Jul 21, 2010 at 13:19, Jakob Bohm wrote:
> On 21-07-2010 18:26, Bryan wrote:
>>
>> On Wed, Jul 21, 2010 at 10:33, Jakob Bohm wrote:
>>>
>>> On 19-07-2010 16:18, Bryan wrote:
>>>>
>>>> I am trying to build openssl 0.9.8o with the f
On 21-07-2010 18:26, Bryan wrote:
On Wed, Jul 21, 2010 at 10:33, Jakob Bohm wrote:
On 21-07-2010 16:18, Bryan wrote:
I am trying to build openssl 0.9.8o with the fips-1.2 source. I'm
building it using cygwin as the interface, since I am trying to script
this into an installation pr
On Wed, Jul 21, 2010 at 10:33, Jakob Bohm wrote:
> On 21-07-2010 16:18, Bryan wrote:
>>
>> I am trying to build openssl 0.9.8o with the fips-1.2 source. I'm
>> building it using cygwin as the interface, since I am trying to script
>> this into an installation
On 21-07-2010 16:18, Bryan wrote:
I am trying to build openssl 0.9.8o with the fips-1.2 source. I'm
building it using cygwin as the interface, since I am trying to script
this into an installation process.
When building with Visual Studio, you are better off using a perl
version i
I am trying to build openssl 0.9.8o with the fips-1.2 source. I'm
building it using cygwin as the interface, since I am trying to script
this into an installation process. The cygwin interface is using
Visual Studio 8 to build the source, using the cl.exe. After disabling
cygwin's "
All,
I have run into a validation error while attempting to perform a
fipscanisterbuild on IRIX 6.5 using the openssl-fips1.2 source code and
I am hoping that someone can help me get it working while still
maintaining the validity of the results.
Current command and summary output:
root@ 121# ./co
-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160
Dr. Stephen Henson wrote on 04/08/2010 08:16 PM:
> On Thu, Apr 08, 2010, Gatewood (Woody) Green wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: RIPEMD160
>>
>> Setup:
>>
>> Built openssl-fips-1.2
On Thu, Apr 08, 2010, Gatewood (Woody) Green wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: RIPEMD160
>
> Setup:
>
> Built openssl-fips-1.2 per the Security Policy.
> Built openssl-0.9.8n with the fips option
>
> Notes:
>
> Successfully built "FIP
-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160
Setup:
Built openssl-fips-1.2 per the Security Policy.
Built openssl-0.9.8n with the fips option
Notes:
Successfully built "FIPS-ified" version of wget, curl/libcurl, libssh2
and mod_ssl. Successfully means they work as advertised
On Thu, Mar 11, 2010, Adam Grossman wrote:
> hello,
>
> i just built fips 1.2, and then built a FIPs capable OpenSSL 0.9.8l as a
> shared lib. I then took my application, added in FIPS_mode_set(1), and
> it passed. But then i realized i did not switch over in my make file to
>
hello,
i just built fips 1.2, and then built a FIPs capable OpenSSL 0.9.8l as a
shared lib. I then took my application, added in FIPS_mode_set(1), and
it passed. But then i realized i did not switch over in my make file to
use "CC=fipsld" It still used "CC=gcc -fPIC".
On Tue, Jan 12, 2010, jim.r...@sncorp.com wrote:
> I'm trying to build openssl-fips-1.2 for an Arm XSCALE 255 running a
> debian-based linux filesystem. Build system is an x86-Knoppix machine.
>
> I've applied the openssl-fips-1.2.crossbuild.patch as advised in the User
I'm trying to build openssl-fips-1.2 for an Arm XSCALE 255 running a
debian-based linux filesystem. Build system is an x86-Knoppix machine.
I've applied the openssl-fips-1.2.crossbuild.patch as advised in the User
Manual and Security Policy.
After setting $CROSS_COMPILE and $HOSTCC
I'm trying to build openssl-fips-1.2 for an Arm XSCALE 255 running a debian-based linux filesystem. Build system is an x86-Knoppix machine. I've applied the openssl-fips-1.2.crossbuild.patch as advised in the User Manual and Security Policy. After setting $CROSS_COMPILE and $HOSTCC as ne
No. Unless you can coerce the build tool into conforming to the
userland build system's commandlines, anyway.
-Kyle H
On Fri, Jul 24, 2009 at 6:14 AM, Aggarwal,
Pankaj wrote:
> Hi,
>
>
>
> I have a question regarding openssl-fips-1.2.tar.gz.
>
> I have built the
Hi,
I have a question regarding
openssl-fips-1.2.tar.gz<http://www.openssl.org/source/openssl-fips-1.2.tar.gz>.
I have built the fipscanister.lib from this distribution on windows. I want to
use the fipscanister.lib in windows kernel driver.
The Security Policy doesn't allow any modi
the ssltest.c
to
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE
#endif
Now it is working fine ..
Will this change have any negative effect on the functionality?
Please help
Thanks
Rajan
Andrew Masterson wrote:
>
> make fails on openssl-fips-1.2 at
>
>
>
> ---
On Thu, Mar 26, 2009, ABDUL BASIT wrote:
> Hi Folks,
>
> I am using the patch provided by
> http://people.freebsd.org/~kan/openssl-gcc42.diff to prevent
> gcc 4.2.3 issuing warnings on openssl fips 1.2 build such as :-
>
> --
> p5_pbev2.c: In function 'PKCS
Hi Folks,
I am using the patch provided by
http://people.freebsd.org/~kan/openssl-gcc42.diff to prevent
gcc 4.2.3 issuing warnings on openssl fips 1.2 build such as :-
--
p5_pbev2.c: In function 'PKCS5_pbe2_set':
p5_pbev2.c:167: warning: function called through a non-compa
On Thu, Mar 12, 2009, ABDUL BASIT wrote:
> Kyle, Thanks for quick reply.
>
> my understanding is that the openssl fips-1.2 build will also produce the
> shared libraries
> (libssl.so.0.9.8 and libcrypto.so.0.9.8) that includes this resultant
> fipscanister.o,
> so I wo
Kyle, Thanks for quick reply.
my understanding is that the openssl fips-1.2 build will also produce the
shared libraries
(libssl.so.0.9.8 and libcrypto.so.0.9.8) that includes this resultant
fipscanister.o,
so I would just need to link against the resultant shared libraries ??
- Basit
On Thu
There is no prerequisite (other than compiler and development
environment) for building FIPS 1.2.
You *MUST* have OpenSSL 0.9.8j or later to build a version of openssl
that includes the resultant fipscanister.
-Kyle H
On Thu, Mar 12, 2009 at 8:06 AM, ABDUL BASIT wrote:
> Hello,
>
>
Hello,
is there any requirement that a particular version of openssl must be
installed on the host where
you are compiling openssl FIPS 1.2?
I am trying to compile openssl FIPS 1.2 natively on powerpc, and I have
openssl 0.9.8g on this system.
I am following the build instructions in user guide
Hi All,
Ours is a client server application, with Server: Apache/2.2.3, Interface:
mod_ssl/2.2.3, Library: OpenSSL/0.9.8. The Server has been modified to suit our
needs using C++. Its entry point is Init_Instance(). Apache has its own entry
point main(). The client is a MFC application.
Now I
Michal Trojnara wrote:
> Steve Marquess wrote:
>
>> Stunnel has official FIPS mode support.
>>
>
> I'm working on some fixes to cleanly compile stunnel with openssl-fips 1.2.
> Unfortunately it looks like fipsld is no longer installed during the
> open
at 7:24 PM, Michal Trojnara <
michal.trojn...@mobi-com.net> wrote:
>
> Steve Marquess wrote:
> > Stunnel has official FIPS mode support.
>
> I'm working on some fixes to cleanly compile stunnel with openssl-fips 1.2.
> Unfortunately it looks like fipsld i
Steve Marquess wrote:
> Stunnel has official FIPS mode support.
I'm working on some fixes to cleanly compile stunnel with openssl-fips 1.2.
Unfortunately it looks like fipsld is no longer installed during the
openssl-fips installation process. Can you confirm it? Is there a
recomme
make fails on openssl-fips-1.2 at
--
cc -I.. -I../include -I../fips -DOPENSSL_THREADS -qthreaded
-DDSO_DLFCN -DHAVE_DLFCN_H -q64 -O -DB_ENDIAN -qmaxmem=16384 -qro
-qroconst -c ssltest.c
"ssltest.c", line 131.9: 1506-236 (W)
Tue, Jan 20, 2009, joshi chandra wrote:
>
> >
> > Hi All,
> >
> > I have come across the error when I build openssl fips 1.2 for 64 bit.
> >
> > ./Configure fipscanisterbuild aix64-cc
> >
> > make was successful
> >
>
> Well other than t
On Tue, Jan 20, 2009, joshi chandra wrote:
>
> Hi All,
>
> I have come across the error when I build openssl fips 1.2 for 64 bit.
>
> ./Configure fipscanisterbuild aix64-cc
>
> make was successful
>
Well other than that command line violating the security p
Hi All,
I have come across the error when I build openssl fips 1.2 for 64 bit.
./Configure fipscanisterbuild aix64-cc
make was successful
make test results the following error
$ sh testss
make a certificate request using 'req'
rsa
Generating a 1024 bit RSA p
On Sun, Jan 11, 2009 at 7:11 AM, Steve Marquess
wrote:
> As an uncontrolled document the User Guide can contain "extraneous" detail and
> can be amended as often as necessary, and I try hard to keep it as technically
> complete and accurate as possible. So yes, the Security Policy is the
> formal
PGNet wrote:
On Fri, Jan 9, 2009 at 3:29 PM, Kyle Hamilton wrote:
If you read it, you too will see this. :)
Actually, I HAD already read section 4.2.1 of the UserGuide for *v1.2*,
"4.2.1 Building the FIPS Object Module from Source
The specification of any other options on the command
On Fri, Jan 9, 2009 at 8:18 AM, Dr. Stephen Henson wrote:
> So either use a box supporting SSE2 or use a pure C build (no-asm) which
> will have poorer performance.
config with,
./Configure shared --prefix=/usr/local/ssl --openssldir=/usr/local/ssl \
linux-generic32 no-asm threads zlib \
enable-
Kyle Hamilton wrote:
You're looking at the User Guide. This isn't the right thing to look
at; the relevant document (and indeed the controlling document) is the
Security Policy, http://openssl.org/docs/fips/SecurityPolicy-1.2.pdf ,
and the relevant section is Appendix A, "Installation Instruction
Michael S. Zick wrote:
On Fri January 9 2009, Kyle Hamilton wrote:
> You're looking at the User Guide. This isn't the right thing to
> look at; the relevant document (and indeed the controlling
> document) is the Security Policy,
> http://openssl.org/docs/fips/SecurityPolicy-1.2.pdf , and the
>
On Fri January 9 2009, Kyle Hamilton wrote:
> You're looking at the User Guide. This isn't the right thing to look
> at; the relevant document (and indeed the controlling document) is the
> Security Policy, http://openssl.org/docs/fips/SecurityPolicy-1.2.pdf ,
> and the relevant section is Appendix
You're looking at the User Guide. This isn't the right thing to look
at; the relevant document (and indeed the controlling document) is the
Security Policy, http://openssl.org/docs/fips/SecurityPolicy-1.2.pdf ,
and the relevant section is Appendix A, "Installation Instructions".
It's very likely t
and, just for reference, per guidance above, finally,
uname -a
Linux dt.loc 2.6.27.7-9-default #1 SMP 2008-12-04 18:10:04 +0100
i686 i686 i386 GNU/Linux
openssl version
OpenSSL 0.9.8j-fips 07 Jan 2009
thanks!
On Fri, Jan 9, 2009 at 3:29 PM, Kyle Hamilton wrote:
> If you read it, you too will see this. :)
Actually, I HAD already read section 4.2.1 of the UserGuide for *v1.2*,
"4.2.1 Building the FIPS Object Module from Source
The specification of any other options on the command line, such as
./config
yle Hamilton wrote:
>> Delete the directory, untar it fresh, and reconfigure with that config line.
>
> ok,
>
>> rm -rf openssl-fips-1.2
>> tar zxf openssl-fips-1.2.tar.gz
>> cd openssl-fips-1.2/
>Directory: /usr/local/src/openssl/openssl-fips-1.2
>> ./confi
Kyle,
On Fri, Jan 9, 2009 at 2:37 PM, Kyle Hamilton wrote:
> Delete the directory, untar it fresh, and reconfigure with that config line.
ok,
> rm -rf openssl-fips-1.2
> tar zxf openssl-fips-1.2.tar.gz
> cd openssl-fips-1.2/
Directory: /usr/local/src/openssl/openssl-fips-1.
nd.
> make[1]: Leaving directory `/usr/local/src/openssl/openssl-fips-1.2/ssl'
> make[1]: Entering directory `/usr/local/src/openssl/openssl-fips-1.2'
> make[2]: Entering directory `/usr/local/src/openssl/openssl-fips-1.2'
> libcrypto.a(rc4_enc.o): In function `RC4':
>
per advice,
./config fipscanisterbuild no-asm
completes without error, but, now,
make
fails @,
...
/usr/bin/ranlib ../libssl.a || echo Never mind.
make[1]: Leaving directory `/usr/local/src/openssl/openssl-fips-1.2/ssl'
make[1]: Entering directory `/usr/local/src/openssl/openssl-fip
My mistake.
That's for "fipscanisterbuild".
Trying now ...
On Fri, Jan 9, 2009 at 12:25 PM, Kyle Hamilton wrote:
> In the fips-1.2 configuration step, use
> ./config fipscanisterbuild no-asm
As I had already noted above, I did.
> So either use a box supporting SSE2 or use a pure C build (no-asm) which
> will have poorer performance.
If you're running it on a processor with SSE, and it's failing, what
does this tell you? SSE2 is required to use the asm code path. SSE
just doesn't cut it.
In the fips-1.2 configuration step, use
./config fipscanisterbuild no-asm
-Kyle H
On Fri, Jan 9, 2009 at 9:25 AM, PGN
Hi Stephen,
On Fri, Jan 9, 2009 at 8:18 AM, Dr. Stephen Henson wrote:
> You can get the answer with "openssl errstr" or by checking the source file
> referenced.
Noted. Thanks.
> So either use a box supporting SSE2 or use a pure C build (no-asm) which
> will have poorer performance.
I have no
On Thu, Jan 08, 2009, PGNet wrote:
>
> ...
> Testing SHA-512 ... passed.
> Testing SHA-384 ... passed.
> if [ -n "libcrypto" ]; then \
> ../util/shlib_wrap.sh ./fips_shatest < SHAmix.r | diff -w
> SHAmix.x - ; \
> fi
> ERROR:2d06c071:li
)
Subject:Re: Repeating crashes @ fips 1.2 'make' on OSX
LSN: Not Relevant
User Filed as: Not a Record
Hi,
On Thu, Jan 8, 2009 at 12:42 AM, Kyle Hamilton wrote:
> Which version of Xcode do you have installed?
XCode v3.1.2, build 1149
> Which version of gcc are you using (3
I've managed to build/install openssl 098j+fips12 on
(1) a PPC mac, running OSX 10.5.6
uname -a
Darwin mac 9.6.0 Darwin Kernel Version 9.6.0: Mon Nov 24 17:39:01 PST
2008; root:xnu-1228.9.59~1/RELEASE_PPC Power Macintosh
(2) a shared, Debian host,
uname -a
Linux cobra 2.6.24.5-ser
On Thu, Jan 8, 2009 at 7:58 AM, Dr. Stephen Henson wrote:
> If you want to move the validated module elsewhere afterwards you can do
> provided you keep to the permission requirements of the security policy.
>
> Once you've installed the validated module you can then use OpenSSL 0.9.8j to
> build
On Thu, Jan 08, 2009, PGNet wrote:
>
> > This is an unfortunate side effect of gcc being stricter about function
> > pointers
> ...
> > The actual errors you see are not part of the validated module but part of
> > the rest of OpenSSL. If you complete the make process once (despite the
> > crashe
As a test, ignoring the UserGuide's admonition about user-config
options to FIPS build, with a TARGET = "darwin-ppc-cc", this,
./config --prefix=/usr/local/ssl-fips fipscanisterbuild
make
make install
installs FIPS as directed in "/usr/local/ssl-fips".
Then, building openssl 098j,
mv /usr/i
Hi,
On Thu, Jan 8, 2009 at 12:42 AM, Kyle Hamilton wrote:
> Which version of Xcode do you have installed?
XCode v3.1.2, build 1149
> Which version of gcc are you using (3.x or 4.x)?
gcc version 4.2.1 (Apple Inc. build 5566)
> On Wed, Jan 7, 2009 at 12:41 PM, PGNet wrote:
On Thu, Jan 8, 200
On Wed, Jan 07, 2009, PGNet wrote:
> I'm building fips 1.2 on OSX,
>
> uname -a
> Darwin pb.local 9.6.0 Darwin Kernel Version 9.6.0: Mon Nov 24
> 17:39:01 PST 2008; root:xnu-1228.9.59~1/RELEASE_PPC Power Macintosh
>
> Config,
>
> cd /usr/local/src/o
9 at 12:41 PM, PGNet wrote:
> I'm building fips 1.2 on OSX,
>
> uname -a
> Darwin pb.local 9.6.0 Darwin Kernel Version 9.6.0: Mon Nov 24
> 17:39:01 PST 2008; root:xnu-1228.9.59~1/RELEASE_PPC Power Macintosh
>
> Config,
>
>cd /usr/local/src/openssl-fips-1.2
>
I'm building fips 1.2 on OSX,
uname -a
Darwin pb.local 9.6.0 Darwin Kernel Version 9.6.0: Mon Nov 24
17:39:01 PST 2008; root:xnu-1228.9.59~1/RELEASE_PPC Power Macintosh
Config,
cd /usr/local/src/openssl-fips-1.2
./config fipscanisterbuild
completes without an apparent
Thanks for the detailed reply! That answers all my
openssl-fips 1.2 questions for now. After more investigating
we believe we need to target only the following apps for
fips mode: apache, openssh, and our internal app blah, so
that's where we'll focus on.
-->Pat
--
Steve M
On Tue, Dec 23, 2008, Steve Marquess wrote:
>
>> Q3. If the above function call(s) needs to be added, how about other
>> changes like looking for the return code for ciphers now blocked by
>> fips_mode so the app deals with it? Probably a good idea.
>
> An excellent idea, though if you stick t
Patrick Rael wrote:
Hello, I have 6 questions about making a host FIPS-140-2 compliant.
Belated responses below...
I was able to build both openssl-fips-1.2 and openssl-0.9.8j-dev
(stable snapshot) on FreeBSD6.3 and combine the canister files,
install on a server, and adjust ldconfig so
: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Kyle Hamilton
Sent: Friday, December 19, 2008 5:22 PM
To: openssl-users@openssl.org
Subject: Re: FIPS 1.2 and Openssl.
openssl-0.9.8-stable-SNAP-20081219.tar.gz recognizes the 'fips'
configuration
I did know about the fipscanisterbuild thing, and
spaced it when I typed 'em out. I wasn't aware of the
--with-fipslibdir option, though.
Is that supposed to be where everything in the fips-1.0/ directory is?
(and why is it fips-1.0, instead of fips-1.2?)
-Kyle H
Kyle Hamilton wrote:
The Security Policy is absolutely clear on this point. (If you
haven't read it yet, you MUST, if you want to claim FIPS validation
for whatever you're putting it into.) You can copy it from /usr/local
to wherever you need it, but in that case you also have to edit the
Make
ssl-0.9.8j as suggested in the FIPS 140-2
> User Guide. According to the User Guide, the version in
> openssl-fips-1.2 is not a good version of openssl. I've downloaded
> openssl-0.9.8i and openssl-0.9.8-stable-SNAP-20081217 (which turns out
> to be another i version).
>
The 0
On Sat, Dec 20, 2008, Kyle Hamilton wrote:
> The Security Policy is absolutely clear on this point. (If you
> haven't read it yet, you MUST, if you want to claim FIPS validation
> for whatever you're putting it into.) You can copy it from /usr/local
> to wherever you need it, but in that case y
The Security Policy is absolutely clear on this point. (If you
haven't read it yet, you MUST, if you want to claim FIPS validation
for whatever you're putting it into.) You can copy it from /usr/local
to wherever you need it, but in that case you also have to edit the
Makefile for OpenSSL to loo
On Fri, Dec 19, 2008 at 03:22:17PM -0800, Kyle Hamilton wrote:
> The distribution will ALWAYS look for the FIPS files in
> /usr/local/ssl/fips-1.0/lib/, since that is where they are put when
> you follow the commands given in the Security Policy precisely (as you
> must, if you want the validation
ure.
>
> That brings us to:
> 2) Where do you get openssl-0.9.8j as suggested in the FIPS 140-2
> User Guide. According to the User Guide, the version in
> openssl-fips-1.2 is not a good version of openssl. I've downloaded
> openssl-0.9.8i and openssl-0.9.8-stable-SNAP-2008
on the list
about this it was suggested that I use the static libraries instead of
the fipsld procedure.
That brings us to:
2) Where do you get openssl-0.9.8j as suggested in the FIPS 140-2
User Guide. According to the User Guide, the version in
openssl-fips-1.2 is not a good version of open
On Fri, Dec 19, 2008 at 01:54:47AM +0100, Dr. Stephen Henson wrote:
> > If OPENSSL_config() calls exit() on error, Postfix must not use
> > OPENSSL_config(). Is the CONF_modules_load_file() interface safe in this
> > respect (will return errors, not exit)?
>
> OPENSSL_config() has that behaviour