Re: OpenSSL FIPS certificate #4282

2022-11-22 Thread Dr Paul Dale
A good question. In a nutshell: the 3.0.0 FIPS provider is designed to work with all 3.0.x releases.  We actively test this as part of our CI loops and it's the way to claim FIPS compliance when using OpenSSL 3.0.7.  You need to build 3.0.7 (with or without FIPS support) and the 3.0.0 FIPS pr

OpenSSL FIPS certificate #4282

2022-11-22 Thread Thomas Dwyer III
The OpenSSL project has obtained certificate #4282 from NIST for the FIPS provider. Nice. However, the certificate and accompanying security policy specifically list version 3.0.0 while the current release is

Re: Openssl FIPS 186-4 Support

2021-06-08 Thread Illuri Pramod
bject module (FOM) 2.0.13, which is available in > public domain, claims to have 186-4 support as per the documentation. > However, I didn't find the specific diff/API, which added this support. > > Ref : > https://github.com/oracle/solaris-openssl-fips > > Could someo

Openssl FIPS 186-4 Support

2021-06-08 Thread Illuri Pramod
pport. Ref : https://github.com/oracle/solaris-openssl-fips Could someone help me point out which API or code section corresponds to supporting fips 186-4 in the oracle FOM module ? Thanks, Pramod.

RE: openssl fips patch for RSA Key Gen (186-4)

2021-01-05 Thread Michael Wojcik
> From: openssl-users On Behalf Of Matt > Caswell > Sent: Tuesday, 5 January, 2021 09:35 > > On 05/01/2021 11:41, y vasavi wrote: > > > > We currently FOM 2.0 module for FIPS certification. > > It doesn't have support for RSA Key generation(186-4) > > > > Are there any patches available ? > > Defi

Re: openssl fips patch for RSA Key Gen (186-4)

2021-01-05 Thread Marcus Meissner
On Tue, Jan 05, 2021 at 04:34:36PM +, Matt Caswell wrote: > > > On 05/01/2021 11:41, y vasavi wrote: > > > > Hi All, > > > > We currently FOM 2.0 module for FIPS certification. > > It doesn't have support for RSA Key generation(186-4) > > > > Are there any patches available ? > > Definite

Re: openssl fips patch for RSA Key Gen (186-4)

2021-01-05 Thread Matt Caswell
On 05/01/2021 11:41, y vasavi wrote: > > Hi All, > > We currently FOM 2.0 module for FIPS certification. > It doesn't have support for RSA Key generation(186-4) > > Are there any patches available ? Definitely there are no official ones (I'm also not aware of any unofficial ones). The 3.0 m

openssl fips patch for RSA Key Gen (186-4)

2021-01-05 Thread y vasavi
Hi All, We currently FOM 2.0 module for FIPS certification. It doesn't have support for RSA Key generation(186-4) Are there any patches available ? Thanks, Vasavi.

Re: OpenSSL FIPS for 1.1.x

2020-08-10 Thread Vijay Chander
https://github.com/oracle/solaris-userland/tree/master/components/openssl/openssl-fips-140/fipscanister-dev/patches > > I can't comment on those patches because I know nothing about them. But > there is no official module from the OpenSSL Project that works with > 1.1.x and certainly no

Re: OpenSSL FIPS for 1.1.x

2020-08-10 Thread Matt Caswell
On 10/08/2020 16:25, Vijay Chander wrote: > > Thank you Matt. > > Our FIPS compliance vendor is recommending the following for openssl 1.1 > from Oracle. >   > https://github.com/oracle/solaris-userland/tree/master/components/openssl/openssl-fips-140/fipscanister-dev/patche

Re: OpenSSL FIPS for 1.1.x

2020-08-10 Thread Vijay Chander
Thank you Matt. Our FIPS compliance vendor is recommending the following for openssl 1.1 from Oracle. https://github.com/oracle/solaris-userland/tree/master/components/openssl/openssl-fips-140/fipscanister-dev/patches Thanks, -vijay On Mon, Aug 10, 2020 at 8:08 AM Matt Caswell wrote

Re: OpenSSL FIPS for 1.1.x

2020-08-10 Thread Matt Caswell
On 10/08/2020 16:01, Vijay Chander wrote: > Hi, > > This link here below only seems to talk about 1.0.x > https://wiki.openssl.org/index.php/FIPS_Library_and_Android > > Is there a wiki for openssl fips for openssl-1.1.0x ? There is no FIPS module for the 1.1.x series

OpenSSL FIPS for 1.1.x

2020-08-10 Thread Vijay Chander
Hi, This link here below only seems to talk about 1.0.x https://wiki.openssl.org/index.php/FIPS_Library_and_Android Is there a wiki for openssl fips for openssl-1.1.0x ? Thanks, -vijay

Help - Building OpenSSL FIPS for 64 bit Android

2020-08-10 Thread Rakesh Parihar
Hi All, I am seeking help on generating FIPS compliance OpenSSL libs for Android Native Application. I am trying to build openssl-1.0.2t with the FIPS module openssl-fips-2.0.16 to support 64-bit android devices, I have tried following the steps on the Openssl wiki <https://wiki.openssl.

Re: openssl-fips-2.0.16 : RSA key generation !!

2020-01-01 Thread Dr Paul Dale
FOM will not be revalidated. Pauli -- Dr Paul Dale | Distinguished Architect | Cryptographic Foundations Phone +61 7 3031 7217 Oracle Australia > On 2 Jan 2020, at 3:11 pm, Hareesh D wrote: > > Hi, > > In the openssl-fips-2.0.16 version, I see that some validati

openssl-fips-2.0.16 : RSA key generation !!

2020-01-01 Thread Hareesh D
Hi, In the openssl-fips-2.0.16 version, I see that some validations are missing (generating probable primes P, Q as part of RSA key generation) which are mentioned in NIST.FIPS.186-4.pdf. B.3.3 -> Process : Points 4.4, 4.7, 5.4, 5.5 and 5.8. Can someone please confirm this behaviour. Thanks !!

OpenSSL FIPS mode for libcurl

2019-08-12 Thread Dipak B
Hi, I am able to run an application using libcurl which in turn uses OpenSSL in FIPS mode with following configuration Help requested Need opinion from seniors who know OpenSSL and libcurl codebase if following is good from conceptual perspective with respect to OpenSSL, libcurl. a) Built static

Re: help - building OpenSSL fips for 64 bit Android

2019-07-22 Thread Salz, Rich via openssl-users
>that the setenv-android.sh script doesn't account for 64 bit architectures. Correct. The current FIPS module has not been modified for quite some time, and your platform is not supported. If you cannot follow the steps *exactly* you cannot claim FIPS validation. The OpenSSL project is wo

Re: help - building OpenSSL fips for 64 bit Android

2019-07-22 Thread chrisfahlin
Forgot to mention I am trying to cross compile on a MacBook Pro (15-inch, 2017) running MacOS 10.14.5 -- Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html

help - building OpenSSL fips for 64 bit Android

2019-07-22 Thread chrisfahlin
I am trying to build openssl-1.0.2s with the fips module openssl-fips-ecp-2.0.16 to support 64 bit android devices, I have tried following the steps on the wiki <https://wiki.openssl.org/index.php/FIPS_Library_and_Android> and noticed that the setenv-android.sh script doesn't account

Re: Drbg kat test data: Openssl-fips 2.0.16

2019-07-15 Thread Mark Minnoch
Manish asked: > There is DRBG kat test data in fips_drbg_selftest.h. (Openssl-fips-2.0.16) > Can anyone let me know, What is the source of this constant arrays. NIST > link or any other source will be helpful? I'm pretty sure that the test data for the DRBG KAT (known answer test)

Drbg kat test data: Openssl-fips 2.0.16

2019-07-11 Thread Manish Patidar
Hi There is DRBG kat test data in fips_drbg_selftest.h. (Openssl-fips-2.0.16) Can anyone let me know, What is the source of this constant arrays. NIST link or any other source will be helpful? Regards Manish

Re: openssl-fips configure parameters to force IANA cipher suite compliance

2019-07-03 Thread Jakob Bohm via openssl-users
On 02/07/2019 22:13, Larry Jordan via openssl-users wrote: I want to build an openssl-fips canister to force IANA cipher suite compliance. With the help of an openssl-iana mapping (https://testssl.sh/openssl-iana.mapping.html) I can identify the corresponding OpenSSL cipher suites. Not

openssl-fips configure parameters to force IANA cipher suite compliance

2019-07-02 Thread Larry Jordan via openssl-users
I want to build an openssl-fips canister to force IANA cipher suite compliance. With the help of an openssl-iana mapping (https://testssl.sh/openssl-iana.mapping.html) I can identify the corresponding OpenSSL cipher suites. IANA

Re: AES-cipher offload to engine in openssl-fips

2019-02-28 Thread Richard Levitte
On Thu, 28 Feb 2019 14:41:19 +0100, Salz, Rich wrote: > > > There are two options. First, the application does the digest and > > sign as two separate things. > > My memory is a foggy surrounding that scenario, so I might be wrong, > but I think it was argued that this was in

Re: AES-cipher offload to engine in openssl-fips

2019-02-28 Thread Salz, Rich via openssl-users
> There are two options. First, the application does the digest and > sign as two separate things. My memory is a foggy surrounding that scenario, so I might be wrong, but I think it was argued that this was invalid use from a FIPS perspective. Now, we can't actually stop

Re: AES-cipher offload to engine in openssl-fips

2019-02-28 Thread suji
From https://www.openssl.org/docs/fips/UserGuide-2.0.pdf I got these lines "OpenSSL provides mechanisms for interfacing with external cryptographic devices, such as accelerator cards, via “ENGINES.” This mechanism is not disabled in FIPS mode. In general, if a FIPS validated cryptographic de

Re: AES-cipher offload to engine in openssl-fips

2019-02-28 Thread Matt Caswell
On 27/02/2019 22:20, Richard Levitte wrote: >> I believe Richard is wrong here. Or at least his text could be >> misleading. If the EVP API does the digesting with one module and >> then calls another module to do the RSA signing, that is okay. > > Huh? From the design document, section "Exa

Re: AW: AES-cipher offload to engine in openssl-fips

2019-02-28 Thread Richard Levitte
On Thu, 28 Feb 2019 00:51:24 +0100, Dr. Matthias St. Pierre wrote: > > > > Uhm, I'm confused. I thought we were talking about 3.0? > > Well, the original post started at FIPS 2.0: > > > I am using openssl-fips-2.0.16 and openssl-1.0.2e. > https://mta.

Re: AES-cipher offload to engine in openssl-fips

2019-02-28 Thread Richard Levitte
On Thu, 28 Feb 2019 00:17:13 +0100, Salz, Rich wrote: > > >Huh? From the design document, section "Example dynamic views of > algorithm selection", after the second diagram: > > An EVP_DigestSign* operation is more complicated because it > involves two algorithms: a s

AW: AES-cipher offload to engine in openssl-fips

2019-02-27 Thread Dr. Matthias St. Pierre
> Uhm, I'm confused. I thought we were talking about 3.0? Well, the original post started at FIPS 2.0: > I am using openssl-fips-2.0.16 and openssl-1.0.2e. https://mta.openssl.org/pipermail/openssl-users/2019-February/009919.html But it seems like the discussion in the thread ha

Re: AES-cipher offload to engine in openssl-fips

2019-02-27 Thread Salz, Rich via openssl-users
>Huh? From the design document, section "Example dynamic views of algorithm selection", after the second diagram: An EVP_DigestSign* operation is more complicated because it involves two algorithms: a signing algorithm, and a digest algorithm. In general those

Re: AES-cipher offload to engine in openssl-fips

2019-02-27 Thread Richard Levitte
storically correct. I don't believe the project >uses >> > the term "FIPS-capable OpenSSL" any more. Instead, the design and >> > such talk about a FIPS module which OpenSSL can use. >> >> Correct. > >I disagree: The term "FIPS Capable OpenS

AW: AES-cipher offload to engine in openssl-fips

2019-02-27 Thread Dr. Matthias St. Pierre
hich OpenSSL can use. > > Correct. I disagree: The term "FIPS Capable OpenSSL" is a technical term from the OpenSSL FIPS 2.0 User Guide (https://www.openssl.org/docs/fips/UserGuide-2.0.pdf) and has a very clear and precise meaning: It refers to an OpenSSL 1.0.2 (or 1.0.1) library

Re: AES-cipher offload to engine in openssl-fips

2019-02-27 Thread Richard Levitte
On Wed, 27 Feb 2019 22:54:41 +0100, Salz, Rich via openssl-users wrote: > > >I always understood "FIPS-capable OpenSSL" to refer specifically to an > OpenSSL compiled with the options to incorporate the FIPS canister > module, not just any OpenSSL build that might be used in FIPS compl

Re: AES-cipher offload to engine in openssl-fips

2019-02-27 Thread Salz, Rich via openssl-users
>I always understood "FIPS-capable OpenSSL" to refer specifically to an OpenSSL compiled with the options to incorporate the FIPS canister module, not just any OpenSSL build that might be used in FIPS compliant applications (as that would be any OpenSSL at all). Yes, that is histor

Re: AES-cipher offload to engine in openssl-fips

2019-02-27 Thread Jakob Bohm via openssl-users
validation. I believe the context here is one I also mentioned in my comment on the 3.0 draft spec: - OpenSSL FIPS Module provides FIPS validated software implementations of all/most of the permitted algorithms. - Engine provides FIPS validated (hardware?) implementations of one or more

Re: AES-cipher offload to engine in openssl-fips

2019-02-27 Thread Richard Levitte
> > > I believe the context here is one I also mentioned in my comment on > the 3.0 draft spec: > > - OpenSSL FIPS Module provides FIPS validated software implementations of > all/most of the permitted algorithms. > - Engine provides FIPS validated (hardware?) implementation

Re: AES-cipher offload to engine in openssl-fips

2019-02-27 Thread Jakob Bohm via openssl-users
On 27/02/2019 20:59, Salz, Rich via openssl-users wrote: If you change a single line of code or do not build it EXACTLY as documented, you cannot claim to use the OpenSSL validation. I believe the context here is one I also mentioned in my comment on the 3.0 draft spec: - OpenSSL FIPS

Re: AES-cipher offload to engine in openssl-fips

2019-02-27 Thread Salz, Rich via openssl-users
If you change a single line of code or do not build it EXACTLY as documented, you cannot claim to use the OpenSSL validation.

Re: AES-cipher offload to engine in openssl-fips

2019-02-27 Thread Short, Todd via openssl-users
No. The OpenSSL FIPS Module is not written that way. It should not be permitting any non-FIPS implementations (see Rich's email regarding a bug). You could write your own engine, get that FIPS certified, and run it with plain, vanilla OpenSSL. There's a design spec out for OpenSSL

Re: AES-cipher offload to engine in openssl-fips

2019-02-27 Thread suji
The requirement here is, to offload my "engine supported fips-compliant methods" to engine and other "fips-compliant" functions to openssl dynamically. Here I need to use openssl-fips module I guess.

Re: AES-cipher offload to engine in openssl-fips

2019-02-27 Thread suji
Thanks for the reply. With non-fips openssl, it is possible to write my own fips-module. I understood. But, is it possible for me to write a fips-compliant/fips validated "dynamic engine" with openssl-fips? Which allows me to offload "fips-compliant" functions to my

Re: AES-cipher offload to engine in openssl-fips

2019-02-26 Thread Walter Paley
To clarify here, using the OpenSSL FIPS implementation does not allow you to claim “FIPS Validated”, rather this would be “FIPS Compliant”. If you want to claim “FIPS Validated”, you must get your own validation for your implementation regardless of what you are using, OpenSSL FIPS module or

Re: AES-cipher offload to engine in openssl-fips

2019-02-26 Thread Salz, Rich via openssl-users
* Which means in fips mode ciphers never gets offloaded to engine? * All other functions (digest, RSA etc) , it first updates to fips function, and then engine function. Why only ciphers has this different behaviour? That seems like a bug. In FIPS mode you can only use the FIPS-validate

AES-cipher offload to engine in openssl-fips

2019-02-26 Thread Suji
Hi, I am unable to use AES-cipher offload to my engine even though it was registered with the proper flag (EVP_CIPH_FLAG_FIPS). I was able to use RSA, digests, and ECDSA to the engine with corresponding flags. I am using openssl-fips-2.0.16 and openssl-1.0.2e. OPENSSL_FIPS is set. I come

Re: [openssl-users] OpenSSL FIPS Object Module 2.0 on CD

2018-06-20 Thread Mark Minnoch
I'm responding to a previous post about obtaining a CD of the OpenSSL FIPS Object Module from KeyPair Consulting rather than directly from OpenSSL. The question is: > Just curious, but does this satisfy Section 6.6 of the User Guide, > since the CD does not come directly from

Re: [openssl-users] OpenSSL FIPS Object Module 2.0 on CD

2018-06-20 Thread Jason Schultz
From: openssl-users on behalf of Mark Minnoch Sent: Wednesday, June 20, 2018 4:33 PM To: openssl-users@openssl.org Subject: [openssl-users] OpenSSL FIPS Object Module 2.0 on CD If you are looking for a copy of the OpenSSL FIPS Object Module (versions 2.0 to 2.0.16) delivered to you on CD,

[openssl-users] OpenSSL FIPS Object Module 2.0 on CD

2018-06-20 Thread Mark Minnoch
If you are looking for a copy of the OpenSSL FIPS Object Module (versions 2.0 to 2.0.16) delivered to you on CD, then please send an email to c...@keypair.us with your shipping address. We will send you a copy of the original OpenSSL FOM CD. For details, see: https://keypair.us/2018/05/cd/ Mark

[openssl-users] Build Openssl + FIPS - recursive fipsld

2018-05-22 Thread Luís Martins
t FIPSDIR="/usr/local/ssl/fips2.0" export MACHINE=linux-generic32 export CC="/usr/local/ssl/fips2.0/bin/fipsld" export FIPSLD_CC="gcc" export FIPS_SIG="/tmp/openssl-fips-2.0.16/util/incore" # build openssl fips module cd /tmp/ curl -O https://www.openssl.org

Re: [openssl-users] DSA2048 support in openssl-fips-2.0.14.

2017-10-21 Thread Manjunath SM
2nd try, Thx Manju On 17 Oct 2017 3:16 pm, "Manjunath SM" wrote: Hi All, Am using openssl-fips-2.0.14 at server side on top of openssl1.0.2K. Server is operating in FIPS mode(fips mode enabled thru FIPS_mode_set). Created DSA2048 host key at server which is running in FIPS mode,

[openssl-users] DSA2048 support in openssl-fips-2.0.14.

2017-10-17 Thread Manjunath SM
Hi All, Am using openssl-fips-2.0.14 at server side on top of openssl1.0.2K. Server is operating in FIPS mode(fips mode enabled thru FIPS_mode_set). Created DSA2048 host key at server which is running in FIPS mode, With this configuration when am trying to do SSH from ssh client am getting below

Re: [openssl-users] Openssl FIPS 186-4 Patch

2017-10-10 Thread murugesh pitchaiah
Hi, That Redhat/Fedora patch is based on openssl library alone. But I am using the fips canister approach where i use both openssl and openssl-fips-ecp libraries. Though the redhat/fedora patch is OK, it is not straight forward portable to the canister model. Any idea of patches available for

Re: [openssl-users] Openssl FIPS 186-4 Patch

2017-10-10 Thread Marcus Meissner
Hi, On Mon, Oct 09, 2017 at 05:24:17PM +0530, murugesh pitchaiah wrote: > Hi, > > Thanks for the comment. > > I know that openSSL is not 186-4 compliant. That is why I am looking > for anybody have the patch for the same. > > I see there are some works in Fedora: > http://pkgs.fedoraproject.org

Re: [openssl-users] Openssl FIPS 186-4 Patch

2017-10-09 Thread murugesh pitchaiah
Hi, Thanks for the comment. I know that openSSL is not 186-4 compliant. That is why I am looking for anybody have the patch for the same. I see there are some works in Fedora: http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/tree/openssl-1.1.0-fips.patch Thanks, Murugesh P. On 10/6/17, Salz

Re: [openssl-users] Openssl FIPS 186-4 Patch

2017-10-06 Thread Salz, Rich via openssl-users
➢ This FIPS186-4 is not just about SHA. It basically about the key generation parameters. Especially I am looking for RSA key generation parameters wrt FIPS 186-4. I do not know how you got the opinion that OpenSSL has 186-4 support. It does not. Perhaps other people have written pat

Re: [openssl-users] Openssl FIPS 186-4 Patch

2017-10-05 Thread murugesh pitchaiah
iah wrote: >> Hi All, >> >> I am looking for the FIPS 186-4 patch. I see it is not yet implemented >> in openssl FIPS 2.0 > I assume FIPS 186-4 is the updated SHA standard that adds the SHA-3 > specification. > > In that case, that would be something that OpenSSL

Re: [openssl-users] Openssl FIPS 186-4 Patch

2017-10-05 Thread Jakob Bohm
On 05/10/2017 13:51, murugesh pitchaiah wrote: Hi All, I am looking for the FIPS 186-4 patch. I see it is not yet implemented in openssl FIPS 2.0 I assume FIPS 186-4 is the updated SHA standard that adds the SHA-3 specification. In that case, that would be something that OpenSSL would first

[openssl-users] Openssl FIPS 186-4 Patch

2017-10-05 Thread murugesh pitchaiah
Hi All, I am looking for the FIPS 186-4 patch. I see it is not yet implemented in openssl FIPS 2.0 I see many vendors have implemented their own fix for FIPS 186-4 compliance. I am looking for the patch which i can reuse. Looks like redhat too has its own patch. Kindly share any pointers for

Re: [openssl-users] Query on usage of openssl 1.1.0f with openssl-FIPS

2017-09-06 Thread Porter, Andrew
@openssl.org Subject: Re: [openssl-users] Query on usage of openssl 1.1.0f with openssl-FIPS > I am unable to find the openssl-fips module for 1.1.0f. Do you know when it will be available? We have no date. Work hasn’t fully started, and isn’t fully funded. Perhaps your company would like to

Re: [openssl-users] Query on usage of openssl 1.1.0f with openssl-FIPS

2017-09-06 Thread Salz, Rich via openssl-users
> I am unable to find the openssl-fips module for 1.1.0f. Do you know when it will be available? We have no date. Work hasn’t fully started, and isn’t fully funded. Perhaps your company would like to help? :) See our blog for updates (look in the archive for postings with FIPS in the title

[openssl-users] Query on usage of openssl 1.1.0f with openssl-FIPS

2017-09-05 Thread Grace Priscilla Jero
Hi All, We would want to build our openssl 1.1.0f with FIPS but we noticed it is mentioned as “The 2.0 FIPS module is compatible with OpenSSL releases 1.0.1 and 1.0.2, and no others”. I am unable to find the openssl-fips module for 1.1.0f. Do you know when it will be available? Could you

[openssl-users] OpenSSL FIPS CAVP tests throws an error iob_func while linking

2017-06-27 Thread Jayalakshmi bhat
Hi All, I am trying to build CAVP test executable for WinCE. Most of the executable are built except 1-2. I am facing iob_func unresolved error. Every thing seems to be proper. Any idea or help is well appreciated. Regards Jaya -- openssl-users mailing list To unsubscribe: https://mta.openssl.o

Re: [openssl-users] regarding openssl and openssl fips

2016-08-24 Thread Steve Marquess
> > Regards, > > Yes, it's fine to stay at 2.0.1 if that's working for you now. With one singular exception, we're not allowed to implement improvements or bug fixes in a validated cryptographic module, so the later revisions of the OpenSSL FIPS module (now up to 2.0.1

[openssl-users] regarding openssl and openssl fips

2016-08-24 Thread Test ssl
Hi, I am having a product which is right now using openssl1.0.1s and opensslfips 2.0.1 I am upgrading to openssl1.0.2h, is it OK to still be at opensslfips 2.0.1 or do I need to upgrade the opensslfips too to 2.0.12? Regards,

Re: [openssl-users] OpenSSL - FIPS 140 Compliant

2016-08-17 Thread Porter, Andrew
Multiple versions of OpenSSL can, with an additional source package (the OpenSSL FIPS module) be built by you to be 140-2 compliant. See http://openssl.com/fips/ for more info. From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Vikram Kamaraj - ERS, HCL Tech Sent

Re: [openssl-users] OpenSSL - FIPS 140 Compliant

2016-08-17 Thread Steve Marquess
t is 1.0.1/1.0.2 with the OpenSSL FIPS Object Module 2.0, and (in a year or two) OpenSSL 1.1 with a new FIPS module still to be developed and validated (but in progress). You may want to take a look at the OpenSSL FIPS module user guide: https://www-origin.openssl.org/docs/fips/UserGuide-2.0.pdf

[openssl-users] OpenSSL - FIPS 140 Compliant

2016-08-17 Thread Vikram Kamaraj - ERS, HCL Tech
Hello OpenSSL, Which version of OpenSSL is FIPS 140 compliant? Thanks, Vikram K

[openssl-users] Need Information on validation for OpenSSL FIPS

2016-06-15 Thread Kamal, Murali
Hi Team, I read through the content on "OpenSSL" page regarding the 'hostage', 'ransom' and 'aftermath' details. As I understand it, the currently active 'SE version' or #2398 (2.0.12) has been validated/certified only on 23 new platforms (as per its 'Security Policy' pdf on NIST site) and the

Re: [openssl-users] Looking for the Changelog in openssl-fips-2.0.12

2016-05-24 Thread Steve Marquess
On 05/24/2016 07:56 AM, Philip Bellino wrote: > Hello, > > I am looking for the Changelog that explains the changes between > openssl-fips-2.0.9 and 2.0.12. > > > > The README.FIPS that comes with 2.0.12 points here: > https://www.openssl.org/docs/fips bu

[openssl-users] Looking for the Changelog in openssl-fips-2.0.12

2016-05-24 Thread Philip Bellino
Hello, I am looking for the Changelog that explains the changes between openssl-fips-2.0.9 and 2.0.12. The README.FIPS that comes with 2.0.12 points here: https://www.openssl.org/docs/fips but I cannot find the changes. Any help would be most appreciated. Thanks, Phil

[openssl-users] Openssl-fips object module static library build with /MD option

2016-04-04 Thread ghanashyam satpathy
I have a question on compiling Openssl-fips object module as 64 bit static library in win 8.1. I am using following versions of source and compile instruction. openssl-fips-2.0.12 1. cd openssl-fips-2.0.12 2. SET FIPSDIR=C:\tools\fips\opensslfips 3. ms\do_fips no-asm This turns out the build

Re: [openssl-users] OpenSSL FIPS test failure starting from version 1.0.2g

2016-03-29 Thread Aaron
Thank you very much, Viktor. It works. Regards, Aaron

Re: [openssl-users] OpenSSL FIPS test failure starting from version 1.0.2g

2016-03-28 Thread Viktor Dukhovni
> On Mar 28, 2016, at 10:24 PM, Aaron wrote: > > It is very straightforward to repro the issue. Take platform linux_x86-64 as an > example, the repro steps are as follows. > > cd openssl-1.0.2g > make clean > ./Configure no-idea no-mdc2 no-rc5 no-ec2m fips -m64 no-asm linux-x86_64 > make depen

[openssl-users] OpenSSL FIPS test failure starting from version 1.0.2g

2016-03-28 Thread Aaron
ror 1 make[1]: Leaving directory `/tzedek_ocsdev/qun/crs/797167/openssl_diff/openssl-1.0.2g.test/test' make: *** [tests] Error 2 Anyone knows how to fix the issue please? Thanks in advance, Aaron

Re: [openssl-users] Validation status of openssl-fips-2.0.11?

2016-02-13 Thread Steve Marquess
On 02/13/2016 04:58 AM, Kyle Hamilton wrote: > > On 2/12/2016 2:03 PM, Steve Marquess wrote: >> On 02/12/2016 04:26 PM, Kyle Hamilton wrote: >>> I'm not seeing anything about openssl-fips-2.0.11 in >>> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-

Re: [openssl-users] Validation status of openssl-fips-2.0.11?

2016-02-13 Thread Kyle Hamilton
On 2/12/2016 2:03 PM, Steve Marquess wrote: > On 02/12/2016 04:26 PM, Kyle Hamilton wrote: >> I'm not seeing anything about openssl-fips-2.0.11 in >> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747 >> , so I'm not quite certain what its v

Re: [openssl-users] Validation status of openssl-fips-2.0.11?

2016-02-12 Thread Steve Marquess
On 02/12/2016 04:26 PM, Kyle Hamilton wrote: > I'm not seeing anything about openssl-fips-2.0.11 in > http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747 > , so I'm not quite certain what its validation/certificate status is? Ok, this is complex, insanel

[openssl-users] Validation status of openssl-fips-2.0.11?

2016-02-12 Thread Kyle Hamilton
I'm not seeing anything about openssl-fips-2.0.11 in http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747 , so I'm not quite certain what its validation/certificate status is? Also, is a new Security Policy in the works integrating the new HMAC digests for the new v

Re: [openssl-users] OpenSSL FIPS: OPENSSL_config() and self-tests

2016-02-02 Thread Dr. Stephen Henson
On Tue, Feb 02, 2016, security veteran wrote: > Hi All: > > Based on the OpenSSL FIPS user guide, the FIPS_mode_set API from the > OpenSSL FIPS modules run the necessary self-tests. > > I was wondering does the OPENSSL_config() API also run the self-tests? > Short

Re: [openssl-users] OpenSSL FIPS: OPENSSL_config() and self-tests

2016-02-02 Thread security veteran
Hi All: Based on the OpenSSL FIPS user guide, the FIPS_mode_set API from the OpenSSL FIPS modules run the necessary self-tests. I was wondering does the OPENSSL_config() API also run the self-tests? Your suggestions are greatly appreciated. Thanks. On Mon, Feb 1, 2016 at 1:37 PM, security

[openssl-users] OpenSSL FIPS: OPENSSL_config() and self-tests

2016-02-01 Thread security veteran
Hi All: Based on the OpenSSL FIPS user guide, the FIPS_mode_set API from the OpenSSL FIPS modules run the necessary self-tests. I was wondering does the OPENSSL_config() API also run the self-tests? Thanks.

Re: [openssl-users] OpenSSL FIPS modules and APIs compatibility

2016-01-27 Thread Salz, Rich
> Does OpenSSL FIPS modules keep all the OpenSSL APIs intact? No. For example, only the EVP interface to crypto.

Re: [openssl-users] OpenSSL FIPS modules and APIs compatibility

2016-01-27 Thread Steve Marquess
On 01/27/2016 05:33 PM, cloud force wrote: > Hi everyone, > > Does OpenSSL FIPS modules keep all the OpenSSL APIs intact? > i.e. If we use the OpenSSL FIPS modules, we don't need to make any API > invocation changes on our applications side (in addition to invoking the >

[openssl-users] OpenSSL FIPS modules and APIs compatibility

2016-01-27 Thread cloud force
Hi everyone, Does OpenSSL FIPS modules keep all the OpenSSL APIs intact? i.e. If we use the OpenSSL FIPS modules, we don't need to make any API invocation changes on our applications side (in addition to invoking the FIPS_mode_set API). Is that correct? Thanks,

Re: [openssl-users] OpenSSL FIPS modules license

2016-01-22 Thread Steve Marquess
On 01/22/2016 04:28 PM, security veteran wrote: > Hi All, > > What type of license does OpenSSL FIPS modules have? Is it the same as > the OpenSSL license, or is it a different license? > > Thanks. Same license. -Steve M. -- Steve Marquess OpenSSL Software Foundation 1829

[openssl-users] OpenSSL FIPS modules license

2016-01-22 Thread security veteran
Hi All, What type of license does OpenSSL FIPS modules have? Is it the same as the OpenSSL license, or is it a different license? Thanks.

Re: [openssl-users] Apache (2.x) server and OpenSSL FIPS modules

2016-01-21 Thread Wall, Stephen
-users] Apache (2.x) server and OpenSSL FIPS modules Hi, We will be using OpenSSL FIPS modules on our Linux server and was wondering if we need to do any work on the Apache server in order to make it working seamlessly with OpenSSL when the FIPS mode is enabled. My questions are: 1) How to make

Re: [openssl-users] OpenSSL FIPS Object Module v2.0

2016-01-20 Thread Steve Marquess
On 01/20/2016 05:07 PM, Imran Ali wrote: > Hi Steve, > > > > Is there any update on the submissions for the OpenSSL FIPS Object > Module v2.0, validation(s) #1747/#2398/#2474 > Still waiting on the CMVP. The paperwork for all three validations was submitted on December 2

[openssl-users] OpenSSL FIPS Object Module v2.0

2016-01-20 Thread Imran Ali
Hi Steve, Is there any update on the submissions for the OpenSSL FIPS Object Module v2.0, validation(s) #1747/#2398/#2474 Regards, Imran

Re: [openssl-users] Questions regarding the openssl FIPS self-tests

2016-01-20 Thread Steve Marquess
this application need to run the > power-on self-tests? > > Also if the openssl fips modules are installed on a Linux server, what > is the best way to run the power-on self-tests (e.g. run within init.d > script or upstart scripts or run by a daemon)? The POST is run automagica

[openssl-users] Questions regarding the openssl FIPS self-tests

2016-01-19 Thread cloud force
Hi everyone, From the openssl tips doc it said the power-on self-tests need to be run when the system comes up. If I have multiple applications which use the openssl crypto functions (under fips mode), does each of these applications need to run the power-on self-tests? Also if the openssl f

Re: [openssl-users] Does OpenSSL FIPS modules only affect libcrypto.so

2016-01-19 Thread Dr. Stephen Henson
On Tue, Jan 19, 2016, security veteran wrote: > > When the environment variable OPENSSL_FIPS is set, does it enable FIPS mode > globally, so that any applications which use OpenSSL also enter FIPS mode? > No it only applies to the "openssl" application. Steve. -- Dr Stephen N. Henson. OpenSSL

Re: [openssl-users] Does OpenSSL FIPS modules only affect libcrypto.so

2016-01-19 Thread Steve Marquess
On 01/19/2016 01:41 PM, security veteran wrote: > Thanks Steve. > > So basically the idea is to allow companies build the OpenSSL with FIPS > modules in their product and ship only this version of OpenSSL to all > their customers. For the customers who don't need FIPS, then just simply > keep the

Re: [openssl-users] Does OpenSSL FIPS modules only affect libcrypto.so

2016-01-19 Thread security veteran
Thanks Steve. When the environment variable OPENSSL_FIPS is set, does it enable FIPS mode globally, so that any applications which use OpenSSL also enter FIPS mode? On Tue, Jan 19, 2016 at 10:52 AM, Dr. Stephen Henson wrote: > On Tue, Jan 19, 2016, security veteran wrote: > > > > > openssl dgst

Re: [openssl-users] Does OpenSSL FIPS modules only affect libcrypto.so

2016-01-19 Thread Dr. Stephen Henson
On Tue, Jan 19, 2016, security veteran wrote: > > openssl dgst -md5 FILE_NAME > > To me it looks like the openssl commands are always run with FIPS enabled > in this case. Is that the expected behavior? > The openssl command enters FIPS mode if the environment variable OPENSSL_FIPS is set. St

Re: [openssl-users] Does OpenSSL FIPS modules only affect libcrypto.so

2016-01-19 Thread security veteran
AM, Steve Marquess wrote: > On 01/19/2016 04:33 AM, security veteran wrote: > > Hi, > > > > I am trying to build a system with both the non-FIPS OpenSSL and the > > OpenSSL with FIPS modules, and was wondering does OpenSSL FIPS modules > > actually only affect

Re: [openssl-users] Does OpenSSL FIPS modules only affect libcrypto.so

2016-01-19 Thread Steve Marquess
On 01/19/2016 04:33 AM, security veteran wrote: > Hi, > > I am trying to build a system with both the non-FIPS OpenSSL and the > OpenSSL with FIPS modules, and was wondering does OpenSSL FIPS modules > actually only affect libcrypto.so? Yes and no. The "FIPS enabled" Op

[openssl-users] Does OpenSSL FIPS modules only affect libcrypto.so

2016-01-19 Thread security veteran
Hi, I am trying to build a system with both the non-FIPS OpenSSL and the OpenSSL with FIPS modules, and was wondering does OpenSSL FIPS modules actually only affect libcrypto.so? Thanks.

[openssl-users] Integrating OpenSSL FIPS modules with languages like Python and PHP

2016-01-18 Thread security veteran
Hi All: We will be using OpenSSL FIPS modules on our Linux appliances and we have some Python and PHP applications which need to invoke crypto related functionalities provided by OpenSSL. I was wondering has anyone integrated Python and PHP with OpenSSL FIPS modules? Since for each application
