(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
"Explicit curves are not allowed in fips mode");
return 0;
}
Thank you!
cheers,
-Felipe Gasper
as it should until
FIPS mode is enabled. Under FIPS mode, the "non-implemented" rsa_priv_enc() is
called and an error is returned. The simplified backtrace is:
#0 rsa_priv_enc // non-implemented engine function
#1 FIPS_rsa_sign_digest // FIPS canister
#2 pkey_rsa_sign
#3 EVP_SignFinal
0, Shirisha Dasari via openssl-users
> wrote:
> > Hi All,
> >
> > We have been trying to integrate FOM 2.0.13 with OpenSSL 1.0.2u for FIPS
> > compliance. Post integration, we have been able to run in FIPS mode, with
> > all self-tests passing as well. However, we
sha Dasari via openssl-users <
> openssl-users@openssl.org> wrote:
>
> Hi All,
>
> We have been trying to integrate FOM 2.0.13 with OpenSSL 1.0.2u for FIPS
> compliance. Post integration, we have been able to run in FIPS mode, with
> all self-tests passing as well. Howe
Hi,
Yes. You have to use openssl provided build files.
Thanks,
Murugesh P.
On 7/7/20, Shirisha Dasari via openssl-users wrote:
> Hi All,
>
> We have been trying to integrate FOM 2.0.13 with OpenSSL 1.0.2u for FIPS
> compliance. Post integration, we have been able to run in FIP
tegrate FOM 2.0.13 with OpenSSL 1.0.2u for FIPS
> compliance. Post integration, we have been able to run in FIPS mode, with all
> self-tests passing as well. However, we seem to be encountering issues in
> creation and parsing of ECDSA keys.
>
> A little background on how we b
Hi All,
We have been trying to integrate FOM 2.0.13 with OpenSSL 1.0.2u for FIPS
compliance. Post integration, we have been able to run in FIPS mode, with
all self-tests passing as well. However, we seem to be encountering issues
in creation and parsing of ECDSA keys.
A little background on how
* >FIPS ciphers are a subset of the ciphers that OpenSSL supports.
* Is this true of both OpenSSL 2.0 FIPS version and OpenSSL 3.0 FIPS
version. (I suppose yes). But still your confirmation will be helpful.
Yes it is true for both.
* Also, current version is considered outdated, ev
Thanks for your answer, it clears up a path for me.Basically, when I build my code against OpenSSL library running with version 2.0 FIPS enabled, my code would work fine on systems running with same OpenSSL library version but non-fips mode.
$> openssl version
OpenSSL 1.0.2k-fips 26 Jan 2
Are you asking about the current (outdated) 2.0 module or the 3.0 module that
is still being developed?
In 2.0, once you enter FIPS mode you cannot leave it. In 3.0 you can switch
among FIPS and non-FIPS as you need to. See
https://www.openssl.org/docs/OpenSSL300Design.html for a description
Reposting the email, as it was not delivered unless we are subscribed to the list.
Thanks,
Prashant
- Original message -From: Prashant Sharma31/India/IBMTo: openssl-users@openssl.org, Mei-Mei Fu/Santa Teresa/IBM@IBMUSCc:Subject: OpenSSL in FIPS mode, does FIPS mode provide any extra
On 25/02/2020 11:12, Manish Patidar wrote:
> Thanks for reply. It really help to use fips lib.
>
> I have another doubts regarding the hmac stored in fipsinstall.conf. If
> some one modify the fips library after installation and modify the hmac
> in fipsinstall.conf accordingly, is openssl3.0 i
Thanks for reply. It really help to use fips lib.
I have another doubts regarding the hmac stored in fipsinstall.conf. If
some one modify the fips library after installation and modify the hmac in
fipsinstall.conf accordingly, is openssl3.0 is able to identify this and
fail the fips library loadin
On 14/01/2020 04:51, Manish Patidar wrote:
> Hi
>
> Can any guide me how to use fips api in openssl?
>
> I try to use like below but it always returns null.
>
> ctx = EVP_CIPHER_CTX_new() ;
> ciph = EVP_CIPHER_fetch(NULL, "aes-128-cbc", "fips=yes") ;
>
> I am doubting fips provider is not l
Hi
Can any guide me how to use fips api in openssl?
I try to use like below but it always returns null.
ctx = EVP_CIPHER_CTX_new() ;
ciph = EVP_CIPHER_fetch(NULL, "aes-128-cbc", "fips=yes") ;
I am doubting fips provider is not loaded.
Regards
Manish
Hi,
I am able to run an application using libcurl which in turn uses OpenSSL in
FIPS mode with following configuration
Help requested
Need opinion from seniors who know OpenSSL and libcurl codebase if
following is good from conceptual perspective with respect to OpenSSL,
libcurl.
a) Built
Hi all,
Need help in resolving an error or understanding the flow.
Openssl library we are using is FIPS capabled.
Openssl version is 1.0.2n with fips-2.0.16
Platform: Linux version 3.10.38-ltsi-WR6.0.0.11_standard (gcc version 4.8.1)
We have an application which uses libssl and libcrypto for its o
On Thu, Jun 6, 2019 at 2:34 PM Larry Jordan via openssl-users <
openssl-users@openssl.org> wrote:
> Re: openssl-1.0.2r
>
> Re: openssl-fips-2.0.16
>
> OS: Linux Mint 19.1 (Ubuntu)
>
>
>
> I have added a shared library initializer function to cryptlib.c to force
Jordan via openssl-users <
openssl-users@openssl.org> wrote:
> Re: openssl-1.0.2r
>
> Re: openssl-fips-2.0.16
>
> OS: Linux Mint 19.1 (Ubuntu)
>
>
>
> I have added a shared library initializer function to cryptlib.c to force
> OpenSSL into FIPS mode, with
Re: openssl-1.0.2r
Re: openssl-fips-2.0.16
OS: Linux Mint 19.1 (Ubuntu)
I have added a shared library initializer function to cryptlib.c to force
OpenSSL into FIPS mode, without requiring a “module operator” to directly
initiate (i.e. call FIPS_mode_set(1)).
void __attribute__((constructor
On Mon Sep 10 11:26:25 UTC 2018, Hubert Kario wrote:
> On Friday, 7 September 2018 20:18:38 CEST Alessandro Gherardi wrote:
>> I'm running Windows 10.
>> I downloaded the FIPS module sources
>> from https://www.openssl.org/source/openssl-fips-2.0.16.tar.gz and the
>> OpenSSL sources from https://ww
In FIPS mode, the default entropy gathering is not performed. You, the user,
must supply all entropy to the module.
See section 6.1.1 of the OpenSSL FIPS User Guide
(https://www.openssl.org/docs/fips/UserGuide-2.0.pdf).
Pauli
--
Oracle
Dr Paul Dale | Cryptographer | Network Security
andom"
Now we see that openssl is using /dev/random, but the problem is openssl
operations randomly fail when run multiple times with "PRNG not seeded"
error. This is in-spite of having rngd installed to boost entropy.
[root@debian ~]# OPENSSL_FIPS=1 openssl version
FIPS mode ON.
Open
On Friday, 7 September 2018 20:18:38 CEST Alessandro Gherardi wrote:
> I'm running Windows 10.
> I downloaded the FIPS module sources
> from https://www.openssl.org/source/openssl-fips-2.0.16.tar.gz and the
> OpenSSL sources from https://www.openssl.org/source/openssl-1.0.2p.tar.gz .
> I built both
e application c
> an test to see if FIPS mode has been successfully performed." Therefore,
> for OpenSSL to switch to FIPS mode, it is required that the application
> call FIPS_mode_set(1). Can you please confirm that my understanding is now
> correct?
If you are using that spe
On Thursday, 6 September 2018 04:18:38 CEST Alessandro Gherardi via openssl-
users wrote:
> I have a question: On Windows, should OpenSSL FIPS automatically enable FIPS
> mode (FIPS_mode_set(1)) if the FIPS registry
> entry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Fips
I have a question: On Windows, should OpenSSL FIPS automatically enable FIPS
mode (FIPS_mode_set(1)) if the FIPS registry entry
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled
is set to 1?
This is to emulate the Linux behavior - if I understand correctly, if
"strconv"
>> "github.com/spacemonkeygo/openssl"
>> )
>>
>> func init_fips() {
>> err := openssl.FIPSModeSet(true)
>> if err != nil {
>> panic(fmt.Errorf("%v Error:%v\n", "openssl failed to se
; "io"
> "strconv"
> "github.com/spacemonkeygo/openssl"
> )
>
> func init_fips() {
> err := openssl.FIPSModeSet(true)
> if err != nil {
> panic(fmt.Errorf("%v Error:%v\n", "openssl failed to set
&g
t(true)
if err != nil {
panic(fmt.Errorf("%v Error:%v\n", "openssl failed to set
fips mode.", err))
}
log.Print("OpenSSL FIPS mode is set to: True\n")
}
func main() {
init_fips()
laddr := "0.0.0.0:443"
var
rver with FIPS mode set. I am using Openssl
> library build with fips module 2.0.
> With Openssl 1.0.1u version, everything was running fine.
> Recently I upgraded to version 1.0.2o. With this version, under high
> traffic condition (more than 4k requests per minute), read request fails
&
Hello,
I have golang based openssl server with FIPS mode set. I am using Openssl
library build with fips module 2.0.
With Openssl 1.0.1u version, everything was running fine.
Recently I upgraded to version 1.0.2o. With this version, under high
traffic condition (more than 4k requests per minute
Am 05.03.2018 um 20:39 schrieb Alan Dean:
> Thanks Matthias for your response.
>
> I have a different question:
>
> Per your suggestion in the previous email, FIPS_mode_set() can be
> moved inside of OPENSSL_init(), in order to force the FIPS mode
> enabled in the libra
Thanks Matthias for your response.
I have a different question:
Per your suggestion in the previous email, FIPS_mode_set() can be moved
inside of OPENSSL_init(), in order to force the FIPS mode enabled in the
library level.
However currently OPENSSL_init() is actually invoked from within
Am 05.03.2018 um 19:55 schrieb Alan Dean:
> Thanks a lot Matthias for the suggestion.
>
> I have few follow-up questions below:
>
Please see my other replies.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Am 05.03.2018 um 20:07 schrieb Salz, Rich via openssl-users:
>
> * Did you mean if an application uses the low level crypto algorithm
> functions (e.g. SHA256_Init/ SHA256_Update/ SHA256_Final) then
> they won't work under FIPS mode (and hence may cause unpredict
* Did you mean if an application uses the low level crypto algorithm
functions (e.g. SHA256_Init/ SHA256_Update/ SHA256_Final) then they won't work
under FIPS mode (and hence may cause unpredictable issues)?
Yes.
It’s not unpredictable issues, but rather that your application cannot
plications which have their own configuration
> > and enable/disable FIPS mode explicitely, call FIPS_mode_set(0)
> > afterwards.
> >
> >
> > HTH,
> > Matthias
> >
>
> One more obstacle: In FIPS mode it is not allowed to use low level
> crypto al
Thanks a lot Matthias for the suggestion.
I have few follow-up questions below:
On Mon, Mar 5, 2018 at 2:57 AM, Dr. Matthias St. Pierre <
matthias.st.pie...@ncp-e.com> wrote:
>
>
> On 05.03.2018 10:46, Alan Dean wrote:
>
> Question 1: Is it even feasible to make the FIPS mo
Dr. Matthias St. Pierre wrote:
> On 05.03.2018 10:46, Alan Dean wrote:
>> Question 1: Is it even feasible to make the FIPS mode always enabled
>> for the whole OpenSSL library (i.e. for both libcrypto and libssl), so
> The optimal location for inserting the FIP
sure that the FIPS initialization succeeded. However,
> an application which is not FIPS-aware won't check the result.
> * It can happen that applications which have their own configuration
> and enable/disable FIPS mode explicitely, call FIPS_mode_set(0)
> afterwards.
>
>
> HTH,
&
On 05.03.2018 10:46, Alan Dean wrote:
> Question 1: Is it even feasible to make the FIPS mode always enabled
> for the whole OpenSSL library (i.e. for both libcrypto and libssl), so
> that most the applications which dynamically linked to libcrypto and
> libssl will be automatically
OpenSSL library, and
based on the OpenSSL FIPS Library User Guide, it seems like the only way to
make all these third party applications capable of running on FIPS mode
will require modifying all these software to inject the FIPS_mode_set() API
into the appropriate spots, so that FIPS mode can be
Hi All:
My understand is by using OPENSSL_config(), we will be able to enable the
FIPS mode globally on the system, is that correct?
My question is, if we enable FIPS mode through configuration and using
OPENSSL_config(), does it means for all the applications which link to
OpenSSL library, the
On 15.03.2017 10:50, Jayalakshmi bhat wrote:
> Hi All,
>
> OpenSSL uses 256 bit AES-CTR DRBG as default DRBG in FIPS mode. I have
> question associated with this.
>
> 1. OpenSSL wiki says : Default DRBG is 256-bit CTR AES *using a derivation
> function*
> 2. Where
Hi All,
OpenSSL uses 256 bit AES-CTR DRBG as default DRBG in FIPS mode. I have
question associated with this.
1. OpenSSL wiki says : Default DRBG is 256-bit CTR AES *using a derivation
function*
2. Where as the document
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf
On Tue, Aug 02, 2016, jonetsu wrote:
> FIPS: Need to use FIPS versions of (EVP) methods ?
>
> In FIPS mode, is there a need to use the FIPS_* methods instead of the
> regular ones once FIPS_mode_set(1) was successfully executed ? For
> instance, is there a need to use FIPS_evp_sh
FIPS: Need to use FIPS versions of (EVP) methods ?
In FIPS mode, is there a need to use the FIPS_* methods instead of the
regular ones once FIPS_mode_set(1) was successfully executed ? For
instance, is there a need to use FIPS_evp_sha1() instead of EVP_sha1()
? Wouldn't the FIPS versi
> On Jul 28, 2016, at 11:00 AM, pratyush parimal
> wrote:
>
> Hi Thomas,
>
> Thanks for your response! It clears up matters a lot :)
>
> There's one thing that I thought of though -- even though I'm generating the
> salt via non-OpenSSL means, the actual function that I'm using for hashing i
Hi Thomas,
Thanks for your response! It clears up matters a lot :)
There's one thing that I thought of though -- even though I'm generating
the salt via non-OpenSSL means, the actual function that I'm using for
hashing is "SHA512" from FIPS OpenSSL.
Does the mere usage of salt that was generated
> On Jul 27, 2016, at 8:18 PM, pratyush parimal
> wrote:
>
> Hi all,
>
> I work on a consumer application which is striving to be fips-140-2 compliant.
>
> I'm using OpenSSL as recommended in the fips guide by invoking
> fips_mode_set(). However, in certain parts of the same application, I'm
Hi all,
I work on a consumer application which is striving to be fips-140-2
compliant.
I'm using OpenSSL as recommended in the fips guide by invoking
fips_mode_set(). However, in certain parts of the same application, I'm
using my own non-OpenSSL random number generator to generate salts for
hash
On 04/05/2016 08:15, mani kanta wrote:
Hello,
While the SSL handshake is happening,I am getting the error as below
SSL_connect error:0408E09E:rsa routines:PKEY_RSA_SIGN:operation not
allowed in fips mode.
ssl handshake went well up to client sending key exchange to server
and failing in
Hello,
While the SSL handshake is happening,I am getting the error as below
SSL_connect error:0408E09E:rsa routines:PKEY_RSA_SIGN:operation not allowed
in fips mode.
ssl handshake went well up to client sending key exchange to server and
failing in the process of send client verify. Why this
Hello,
Does OpenSSL allows TLS 1.0 when running in FIPS mode ?
Thanks.
--
View this message in context:
http://openssl.6102.n7.nabble.com/TLS-1-0-in-FIPS-mode-tp65343.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
--
openssl-users mailing list
To unsubscribe: https
er
> I'll check on that. Certainly no engines
>
> I can check back in the dump and see where we are in the code in each method
> call
>
What would be useful is tracing what happens in EVP_DigestInit_ex() during
the X509_digest() call. For example does it detect FIPS mode p
No, nothing unusual. Is there anything from the build process that would be
useful in demonstrating this yes or no? I'm not the person responsible for the
build process but I'm pretty sure it was followed to the letter - however I'll
check on that. Certainly no engines
I can check back in the d
On Thu, Mar 24, 2016, Glen Matthews wrote:
> Hi
>
> Yes it's a standard build. FIPS 2.0 with openssl 1.0.2g - I took a dump when
> the dialog box was displayed, and that's how I got the call stack.
>
> if (x->ex_flags & EXFLAG_SET)
> return;
> #ifndef OPENSSL_NO_SHA
> X509_dige
sions() - calculating another
digest at that point - and the test for FIPS_mode() worked, so I think we are
in FIPS mode all through that call stack.
glen
-Original Message-
From: Glen Matthews
Sent: Thursday, March 24, 2016 1:55 PM
To: 'openssl-users@openssl.org'
Subject: RE: [openssl-
: Thursday, March 24, 2016 1:36 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] [openssl-dev] Low level API call to digest SHA1
forbidden in FIPS mode - within openssl code
On Wed, Mar 23, 2016, Glen Matthews wrote:
> Hi
>
> Right, sorry about the wrong posting - and thanks
reading, the code should not be calling with EVP_sha1().
>
Is this a standard OpenSSL build or has it been modified in some way?
At what point do you enter FIPS mode?
The above call should be routed through to the SHA1 implementation in the
validated module. It's not clear why not at this poi
Jeremy
Farrell
Sent: Wednesday, March 23, 2016 3:48 PM
To: openssl-users@openssl.org
Cc: openssl-...@openssl.org
Subject: Re: [openssl-dev] Low level API call to digest SHA1 forbidden in FIPS
mode - within openssl code
This is a question about using the OpenSSL libraries; should be in
opens
ocl.h(128):
OpenSSL internal error, assertion failed: Low level API call to digest
SHA1 forbidden in FIPS mode!
I notice the assertion message mentions a header from what looks like a
1.0.2f tree, but the references below are all to a 1.0.2g tree. I've no
idea if this is relevant to the pr
BUILTIN_KEYGEN:key size too small)
>
> As I understand, RSA Key size must be 2048 or greater in FIPS mode, so I
> printed out the key size just before calling the above function:
>
> KEYSIZE = 2048.
>
> What else could cause this function to report a key size to
greater in FIPS mode, so I
printed out the key size just before calling the above function:
KEYSIZE = 2048.
What else could cause this function to report a key size too small if it is
2048 bits? Is 2048 still FIPS-compliant?
BTW: this works if FIPS mode is off.
Thanks!
--
View this
Hi Jacob,
Any suggestions regarding how to fix the following errors:
140073969415840:error:2D06B06F:FIPS
routines:FIPS_check_incore_fingerprint:fingerprint
does not match:fips.c:232:
(I built the FIPS module and the OpenSSL library on Ubuntu linux)
Thanks,
Rich
On Thu, Feb 11, 2016 at 11:52 P
icate using the PKCS7_decrypt( )
> function. The error string is:
>
> OPENSSL error:21072077:PKCS7 routines:PKCS7_decrypt:decrypt error
>
> This only happens in FIPS mode so we suspect a weak cipher, but I'm unable
> to glean any specified error that would verify this suspicion. I was h
72077:PKCS7 routines:PKCS7_decrypt:decrypt error
This only happens in FIPS mode so we suspect a weak cipher, but I'm unable
to glean any specified error that would verify this suspicion. I was hoping
someone would be nice enough to inspect this file and verify if there is any
non-FIPS-iness.
Hi Jakob,
This is the most severe FIPS error code, it means one of
> 3 things:
>
> 1. (official reason for this error code): Someone illegally
> modified the FIPS validated crypto code after it was
> compiled, do not use this computer until the cause has
> been thoroughly investigated and co
t does not
match:fips.c:232:
I tried few other openssl commands under the FIPS mode and got all the
same error messages. The non-FIPS mode was working fine.
What is the above error mean and what could have caused this error?
This is the most severe FIPS error code, it means one of
3 things:
1. (offic
l commands under the FIPS mode and got all the same
error messages. The non-FIPS mode was working fine.
What is the above error mean and what could have caused this error?
--
Thanks,
Rich
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
L. According to some
> > posts you can do 'OPENSSL_FIPS=1 openssl md5' which should return an
> > error as md5 is not an enabled cipher in FIPS mode.
>
> It depends on the version. Recent versions of OpenSSL will give a "FIPS
> mode not supported" error for
&
md5 is not an enabled cipher in FIPS mode.
It depends on the version. Recent versions of OpenSSL will give a "FIPS
mode not supported" error for
env OPENSSL_FIPS=1 openssl md5 ...
Whereas that command for a properly built FIPS-enabled OpenSSL will give
a "not permitted in FIPS mode&q
Actuall, I may have steered you wrong. It appears that OPENSSL_FIPS may
have no affect against a non-FIPS enabled OpenSSL. According to some posts
you can do 'OPENSSL_FIPS=1 openssl md5' which should return an error as md5
is not an enabled cipher in FIPS mode.
On Wed, Feb 10, 2016
SL lib on my system, and I was
> wondering what's the easiest way to find out whether my OpenSSL is really
> FIPS capable or not.
>
> e.g. is there any way to run some openssl commands to find out, such as
> "openssl ciphers -v", and what cipher suite should definite
and what cipher suite should definitely not show up
in FIPS mode.
Thanks,
Rich
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Thanks Steve.
I think the way to use OPENSSL_config() and openssl.conf to enable FIPS
mode basically still requires each application to explicitly invoke
OPENSSL_config() API in order to truly enable the FIPS mode, is that
correct?
If that's the case, then basically there's no way
Thanks Steve.
I think the way to use OPENSSL_config() and openssl.conf basically still
requires each application to explicitly invoke OPENSSL_config() API in
order to truly enable the FIPS mode, is that correct?
If that's the case, then basically there's no way to really globally enabl
On 01/28/2016 07:11 PM, security veteran wrote:
> Hi All:
>
> Is there a way to enable FIPS mode globally, instead of having to
> explicitly invoke the FIPS_mode_set() API from each application, for
> enabling the FIPS mode?
>
> ...
Kinda-sorta, via OPENSSL_config() and
Hi All:
Is there a way to enable FIPS mode globally, instead of having to
explicitly invoke the FIPS_mode_set() API from each application, for
enabling the FIPS mode?
The reason I ask is, it will be much easier to enable FIPS mode if there're
many applications which rely on OpenSSL for c
Hi everyone,
If I have a HTTPS client and server both using OpenSSL with FIPS modules,
and supporting both FIPS and non-FIPS mode, will the SSL server and client
keys and certificates need to be changed between operating on FIPS and
non-FIPS mode?
Thanks,
Rich
On Mon, Jan 18, 2016, Marcos Bontempo wrote:
> Hello,
> I wrote a C code which enter in FIPS mode with fips_mod_set(1).
> But, when I call MD5 functions after setting FIPS mode, I get this error:
> md5_dgst.c(75): OpenSSL internal error, assertion failed: Low level API call
>
MD5 is not considered a safe function to use hence it is forbidden in FIPS
mode. Can you use a different hash function ( such as SHA-something ) for
your use case?
On Mon, Jan 18, 2016 at 4:43 PM, Marcos Bontempo wrote:
> Hello,
>
> I wrote a C code which enter in FIPS mode with fips_
> I wrote a C code which enter in FIPS mode with fips_mod_set(1).
>
> But, when I call MD5 functions after setting FIPS mode, I get this error:
>
> md5_dgst.c(75): OpenSSL internal error, assertion failed: Low level API call
> to digest MD5 forbidden in FIPS mode! Aborted.
>
Hello,
I wrote a C code which enter in FIPS mode with fips_mod_set(1).
But, when I call MD5 functions after setting FIPS mode, I get this error:
md5_dgst.c(75): OpenSSL internal error, assertion failed: Low level API call to
digest MD5 forbidden in FIPS mode! Aborted.
Does anybody know what is
aches end with the following error
message.
"error:0408E09E:rsa routines:PKEY_RSA_SIGN:operation not allowed in fips
mode."
It would be much appreciated if anyone can let me know why I'm hitting
this, and if there is any way of getting around it.
Thanks,
Mahoda
On Wed, Nov 11, 2015, jonetsu wrote:
> Hello,
>
>
> There is a thread in 2013 (30 May 03:15) in which Steve writes that OpenSSL
> 1.0.1 has a bug regarding the use of PKCS12 in FIPS mode since it tries to
> handle a certificate using a non-FIPS component. I think I found
Hello,
There is a thread in 2013 (30 May 03:15) in which Steve writes that OpenSSL
1.0.1 has a bug regarding the use of PKCS12 in FIPS mode since it tries to
handle a certificate using a non-FIPS component. I think I found the commit
that fixes this, although it is part of a quite huge
In 1.0.1e the following is observed when using OpenSSL in FIPS mode:
% OPENSSL_FIPS=1 openssl pkcs12 -export -in
/tmp/ipsec.d/certs/192.168.11.1 -inkey
/tmp/ipsec.d/private/192.168.11.1 -name 192.168.11.1 -out
/tmp/ipsec.d/192.168.11.1.p12 -password pass:""
3067167952:erro
Hi All:
I tried to enable the FIPS mode by making the following changes in my
openssl.cfg config file.
After making the changes, I verified that I can no longer run the non FIPS
approval algorithm such as MD5 by running openssl command, which is
expected:
openssl md5 123.txt
However, I can
>From the User Guide of OpenSSL FIPS Object Module v2.0, page 54, it
mentioned the FIPS mode can be initialized indirectly by indirect call vial
OPENSSL_config() API.
My question is, from where should we call this API?
If we use Apache and Python as examples, does that mean both of them need
Thanks Steve.
If we use Apache and Python as examples, does that mean both of them need
to invoke OPENSSL_Config() in order to enable the FIPS mode?
And if that's the case, how do we make them invoke OPENSSL_Config() API?
Also regarding the openssl.cfg changes mentioned in the User Guide,
s modules, and I was
> testing the new lib files by replacing the original library files such
> as libcrypto.so with the new ones.
>
> From the FIPS user guide I understand that any applications which need
> to use the OpenSSL FIPS modules will need to run the API FIPS_mode_set
> to
brary files such
as libcrypto.so with the new ones.
>From the FIPS user guide I understand that any applications which need
to use the OpenSSL FIPS modules will need to run the API FIPS_mode_set
to enable the FIPS mode.
This sounds like a big issue to me: there are may other libraries/
servic
; builtin function with a call to the RSA_X931_generate_key_ex() function,
> and/or the struct creation function should explicitly set the rsa_keygen
> method. Correct?
>
Well you don't have to modify the FIPS module at all. The FIPS capable OpenSSL
can be modified to call FIPS_r
does not conform to X9.31 (and therefor is not acceptable under
186-2).
In testing, it appears when running in FIPS mode and calling the wrapper
function, the non-approved builtin function is the one that is called.
The default RSA struct creation function, defined in
"fips/fips_rsa_lib.c:FIPS_rs
tp://openssl.6102.n7.nabble.com/FIPS-mode-entropy-callback-for-rsa-key-tp59114.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
pected.
> >
> > My openssl version is OpenSSL 0.9.8zf-fips.
> >
> > Please let me know how can I generate the new key in BEGIN RSA PRIVATE
> KEY
> > format.
> >
>
> You can't because the format isn't allowed in FIPS mode because it uses
>
mat.
>
You can't because the format isn't allowed in FIPS mode because it uses
MD5 for key derivation.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
op
Hi All,
I am trying to create a pem format key for my existing key by using the
below command.
openssl rsa -in my_rsa_key -outform PEM -out my_res_newkey_pem
The new key format is -BEGIN PRIVATE KEY-.
But I am expecting -BEGIN RSA PRIVATE KEY-
In nonFIPS mode i am getting ---
1 - 100 of 348 matches
Mail list logo
