ys 365
I kept this on the same "FIPS OpenSSL 3.0" thread because I'm not 100% sure
it's unrelated.
What am I missing here?
Thanks,
Jason
From: Matt Caswell
Sent: Thursday, October 28, 2021 6:03 PM
To: Jason Schultz ; Dr Paul Dale ;
openss
so.3
Thanks,
Jason
*From:* Matt Caswell
*Sent:* Thursday, October 28, 2021 2:00 PM
*To:* Jason Schultz ; Dr Paul Dale
; openssl-users@openssl.org
*Subject:* Re: OpenSSL 3.0 FIPS questions
On 28/10/2021 14:49, Jason Schultz wrote:
A call to OSSL_PROVIDER_
/libcrypto.so.3
Thanks,
Jason
From: Matt Caswell
Sent: Thursday, October 28, 2021 2:00 PM
To: Jason Schultz ; Dr Paul Dale ;
openssl-users@openssl.org
Subject: Re: OpenSSL 3.0 FIPS questions
On 28/10/2021 14:49, Jason Schultz wrote:
> A call to OSSL_PROVIDER_av
nks to everyone for their help with this, things are starting to make
more sense now.
*From:* Matt Caswell
*Sent:* Thursday, October 28, 2021 7:39 AM
*To:* Jason Schultz ; Dr Paul Dale
; openssl-users@openssl.org
*Subject:
_____
From: Matt Caswell
Sent: Thursday, October 28, 2021 7:39 AM
To: Jason Schultz ; Dr Paul Dale ;
openssl-users@openssl.org
Subject: Re: OpenSSL 3.0 FIPS questions
On 27/10/2021 17:28, Jason Schultz wrote:
> With these config files and the code above, the
> OSSL_PROVID
On 27/10/2021 17:28, Jason Schultz wrote:
With these config files and the code above, the
OSSL_PROVIDER_load(fips_libctx, "fips") call fails. Here are the
messages from the ERR_print_errors_fp() call:
2097C692B57F:error:1C8000D5:Provider routines:(unknown
function):missing config data:
. I'm wondering if that's needed since I
don't have any environment variables set up? I'm not sure what the default
search path is.
Jason
From: Matt Caswell
Sent: Wednesday, October 27, 2021 10:34 AM
To: Jason Schultz ; Dr Paul Dale ;
opens
On 26/10/2021 20:17, Jason Schultz wrote:
Thanks for all of the help so far. Unfortunately, I'm still struggling
with this. There could be a number of issues, starting with the
installation of OpenSSL. I basically followed the documentation and did
the following:
./Configure enable-fips
m
Ah, OK. Yes, I am running on the same machine. Thanks for clarifying.
From: Kory Hamzeh
Sent: Tuesday, October 26, 2021 9:15 PM
To: Jason Schultz
Cc: Dr Paul Dale ; openssl-users@openssl.org
Subject: Re: OpenSSL 3.0 FIPS questions
Actually, if you are
ith the
> non_fips_libctx is successful, but later calling X509_get_pubkey() returns
> NULL, implying maybe something is wrong with the non_fips_libctx as well.
>
> I've tried other combinations, but at this point I'm just guessing. Is there
> anything obvious I could be m
ules/.
Are you saying I still needed to do "openssl fipsinstall" after the 4 steps I
already did?
Thanks,
Jason
From: Kory Hamzeh
Sent: Tuesday, October 26, 2021 8:13 PM
To: Jason Schultz
Cc: Dr Paul Dale ; openssl-users@openssl.org
Subject: Re: Op
> NULL, implying maybe something is wrong with the non_fips_libctx as well.
>
> I've tried other combinations, but at this point I'm just guessing. Is there
> anything obvious I could be missing and I should be checking?
>
> Thanks,
>
> Jason
>
>
> Fr
sing and I should be checking?
Thanks,
Jason
From: Dr Paul Dale
Sent: Monday, October 25, 2021 9:37 PM
To: Jason Schultz ; openssl-users@openssl.org
Subject: Re: OpenSSL 3.0 FIPS questions
It was meant for the second method only. The first method is using di
hould be doing it if I use the first method as well.
Regards,
Jason
*From:* openssl-users on behalf of
Dr Paul Dale
*Sent:* Sunday, October 24, 2021 11:12 PM
*To:* openssl-users@openssl.org
*Subject:* Re: OpenSSL 3.
ems like I should be doing
it if I use the first method as well.
Regards,
Jason
From: openssl-users on behalf of Dr Paul
Dale
Sent: Sunday, October 24, 2021 11:12 PM
To: openssl-users@openssl.org
Subject: Re: OpenSSL 3.0 FIPS questions
The configuration
ds,
Jason
*From:* openssl-users on behalf of
Dr Paul Dale
*Sent:* Sunday, October 24, 2021 12:28 AM
*To:* openssl-users@openssl.org
*Subject:* Re: OpenSSL 3.0 FIPS questions
Oops, the second time this occurs "defp =
OSSL_PROVIDER_load(non_fips_l
fips, base, default,
etc?
Regards,
Jason
From: openssl-users on behalf of Dr Paul
Dale
Sent: Sunday, October 24, 2021 12:28 AM
To: openssl-users@openssl.org
Subject: Re: OpenSSL 3.0 FIPS questions
Oops, the second time this occurs "defp = OSSL_PROVIDER
Oops, the second time this occurs "defp =
OSSL_PROVIDER_load(non_fips_libctx, "default");" it should be "defp =
OSSL_PROVIDER_load(NULL, "default");"
Pauli
On 24/10/21 10:06 am, Dr Paul Dale wrote:
defp = OSSL_PROVIDER_load(non_fips_libctx, "default");
There are several approaches you could take. With two library contexts:
fips_libctx = OSSL_LIB_CTX_new();
non_fips_libctx = OSSL_LIB_CTX_new();
fipsp = OSSL_PROVIDER_load(fips_libctx, "fips");
basep = OSSL_PROVIDER_load(fips_libctx, "base"); /* can't load keys without this */
One way to do what you want is with two config files, and in the first line
of your main() function, add:
putenv("OPENSSL_CONF=/path/to/your/conf")
depending on whether you want to run in FIPS mode or not. Of course, this only
works if FIPS is needed application wide, not on a per connection
Quick aside: I know the 3.0 FIPS module is not "approved" yet, I'm just trying
to get my application updates done in advance.
I’m porting an application from OpenSSL 1.1.1, which was originally written for
OpenSSL 1.0.2, to OpenSSL 3.0. Going to 3.0, I need to incorporate FIPS usage.
My Linux a