On Thu, Jul 23, 2009 at 12:27:56PM -0500, Michael Kurecka wrote:
> I have no problem with what I have so far. It is a stripped down version with
> openssl FIPS. Where shall I send it?
If you are willing to license the wpa_supplicant/hostapd changes under
the license used in the project, please send a
That seemed to work using
export LD_LIBRARY_PATH=/usr/local/ssl/fips/lib
I'm not getting the assertion failure but I am now getting a
segmentation fault "in memcpy () from /lib/libc.so.6" which I need to
look into. Back to my previous question of -- Is my script wrong or am
I doing something wrong
On Mon, Jul 27, 2009, Michael Kurecka wrote:
> I tried
>
> export LD_LIBRARY_PATH=/usr/local/ssl/fips
> and
> export LD_LIBRARY_PATH=/usr/local/ssl/fips/bin
> and
> export LD_LIBRARY_PATH=/usr/local/ssl/fips-1.0
>
You need to set that to a directory that contains libssl.so.0.9.8 that is FIPS
ca
I tried
export LD_LIBRARY_PATH=/usr/local/ssl/fips
and
export LD_LIBRARY_PATH=/usr/local/ssl/fips/bin
and
export LD_LIBRARY_PATH=/usr/local/ssl/fips-1.0
and all three failed to avert the assertion failure. How can I be
assured that the FIPS library is being run? Self-tests seem to run and
pass wh
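Two checks answer the "is the FIPS library actually being run?" question from the shell, before any debugger work: which libssl/libcrypto the binary resolves under the current LD_LIBRARY_PATH (ldd honours it, so this is exactly what the dynamic loader will pick), and whether that object exports FIPS_mode_set, which only a FIPS-capable 0.9.8 build carries. This is an added example, not code from the thread, from wpa_supplicant or from OpenSSL; the sample ldd output and the /usr/local/ssl/fips/lib path are constructed for illustration.

```shell
#!/bin/sh
# Added example; not code from the thread or from wpa_supplicant/OpenSSL.
#   1. resolve which libssl/libcrypto a binary picks up under the current
#      LD_LIBRARY_PATH (ldd honours it), and
#   2. test whether that object exports FIPS_mode_set, which only a
#      FIPS-capable 0.9.8 build carries.
# Paths such as /usr/local/ssl/fips/lib are assumptions for illustration.

# Print the resolved path of LIB (e.g. "libssl") from ldd output on stdin;
# prints nothing if the library is not listed.
resolve_from_ldd() {
    awk -v lib="$1" '$1 ~ ("^" lib "\\.") && $2 == "=>" { print $3; exit }'
}

# Resolve LIB for binary BIN under the current LD_LIBRARY_PATH.
resolved_lib() {
    ldd "$1" 2>/dev/null | resolve_from_ldd "$2"
}

# Return 0 if the shared object exports FIPS_mode_set, 1 if it does not,
# 2 if the file cannot be read. Uses nm when present, a byte search otherwise.
fips_capable() {
    so=$1
    [ -r "$so" ] || return 2
    if command -v nm >/dev/null 2>&1; then
        nm -D "$so" 2>/dev/null | grep -q ' T FIPS_mode_set$'
    else
        grep -q 'FIPS_mode_set' "$so"
    fi
}

# Constructed ldd output, as a 32-bit box pointed at a FIPS build might show.
SAMPLE_LDD='    linux-gate.so.1 =>  (0xb7fff000)
    libssl.so.0.9.8 => /usr/local/ssl/fips/lib/libssl.so.0.9.8 (0xb7f00000)
    libcrypto.so.0.9.8 => /usr/local/ssl/fips/lib/libcrypto.so.0.9.8 (0xb7e20000)
    libc.so.6 => /lib/libc.so.6 (0xb7cd0000)
    /lib/ld-linux.so.2 (0xb7fe0000)'

# On a real system (binary name and path assumed):
#   export LD_LIBRARY_PATH=/usr/local/ssl/fips/lib
#   resolved_lib ./wpa_supplicant libssl
#   fips_capable "$(resolved_lib ./wpa_supplicant libcrypto)" && echo "FIPS-capable libcrypto"
printf '%s\n' "$SAMPLE_LDD" | resolve_from_ldd libssl
```

If resolved_lib prints a path outside the FIPS build directory, LD_LIBRARY_PATH is not pointing at the directory that holds the .so files (the bin or source directories tried above will not do), and the self-tests seen at startup belong to whatever library the loader actually found.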
On Fri, Jul 24, 2009, Michael Kurecka wrote:
> I did not see anything which I assume means I am using the standard
> libssl. How do I correct this?
Well it is part of the link process when you build the application. It needs
to link and use the version of libssl in the 0.9.8k distribution and not
I did not see anything which I assume means I am using the standard
libssl. How do I correct this?
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users
On Fri, Jul 24, 2009, Michael Kurecka wrote:
> I finally succeeded in adding debug to openssl, but it doesn't seem to
> be working completely. I was able to set the breakpoint at the point
> you mentioned Dr. Henson but I'm not sure how that will tell me what
> is being called. I am not able to br
I finally succeeded in adding debug to openssl, but it doesn't seem to
be working completely. I was able to set the breakpoint at the point
you mentioned Dr. Henson but I'm not sure how that will tell me what
is being called. I am not able to break on ssl3_init_finished_mac,
ssl3_connect or SSL_con
On Fri, Jul 24, 2009, Michael Kurecka wrote:
> Failed again with a different error:
>
Erk, OK. I'd suggest starting with linux-generic32 and deleting
-fomit-frame-pointer and -O3 from Makefile and adding -g
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support
On Fri, Jul 24, 2009, Michael Kurecka wrote:
> Dr. Henson,
> I tried the change for MD5 you mentioned of using the EVP interface,
> but it isn't working as I am getting the forbidden algorithm error. Below
> is the new code. The init is passing but it is failing on the update. I
> noticed t
Dr. Henson,
I tried the change for MD5 you mentioned of using the EVP interface,
but it isn't working as I am getting the forbidden algorithm error. Below
is the new code. The init is passing but it is failing on the update. I
noticed that the flag is cleared after the init so I set the
EVP_
Failed again with a different error:
make[1]: Entering directory `/usr/src/openssl/crypto'
( echo "#ifndef MK1MF_BUILD"; \
echo ' /* auto-generated by crypto/Makefile for crypto/cversion.c */'; \
echo ' #define CFLAGS "gcc -fPIC -DOPENSSL_PIC
-DOPENSSL_THREADS -D_REENTRANT -DDSO_
On Thu, Jul 23, 2009, Michael Kurecka wrote:
>
> Dr. Henson:
>
> I did the ./Configure debug-linux-elf-noefence fipscanisterbuild as you
> mentioned and that worked OK but I got the following error when I ran make.
>
Argh... don't have a debug configuration for that platform. Try
deleting the
Jouni,
I have no problem with what I have so far. It is a stripped down version with
openssl FIPS. Where shall I send it?
Dr. Henson:
I did the ./Configure debug-linux-elf-noefence fipscanisterbuild as you
mentioned and that worked OK but I got the following error when I ran make.
#make
if [ -n "l
On Thu, Jul 23, 2009, Michael Kurecka wrote:
> Just to be clear
>
> my current config is:
> ./config fipscanisterbuild no-asm (in the FIPS 1.2 directory)
> make
> ./config fips (in the 0.9.8k directory)
> make
>
> I attempted:
> ./config -d fipscanisterbuild no-asm (in the FIPS 1.2 directory)
>
On Thu, Jul 23, 2009 at 12:51:53PM +0200, Dr. Stephen Henson wrote:
> Yes in FIPS mode non-compliant ciphersuites are disabled and so should never
> be seen. If there is some way to use them which is triggering this in
> unmodified OpenSSL 0.9.8k I'd like to know what it is as that's a bug which
>
Just to be clear
my current config is:
./config fipscanisterbuild no-asm (in the FIPS 1.2 directory)
make
./config fips (in the 0.9.8k directory)
make
I attempted:
./config -d fipscanisterbuild no-asm (in the FIPS 1.2 directory)
make
./config -d fips (in the 0.9.8k directory)
make
but it said th
On Thu, Jul 23, 2009, Michael Kurecka wrote:
>
> Dr. Steve:
>
> How do I enable debug? I want to make sure I have it set right as it takes a
> while to rebuild.
I'd recommend using OpenSSL 0.9.8k throughout for that you should be able to
use:
./config -d fipscanisterbuild
BLOODY BIG SODDING E
On Thu, Jul 23, 2009, Michael Kurecka wrote:
> Dr Henson wrote:
>
> >No that wont bypass the MD5 check. You can use EVP and set the flag
> >EVP_MD_CTX_NON_FIPS_ALLOW if you really want to do that...
>
> I do need to bypass MD5 because MD5 for RADIUS is FIPS compliant, but I
> can't find the EVP_
Dr Henson wrote:
>No that wont bypass the MD5 check. You can use EVP and set the flag
>EVP_MD_CTX_NON_FIPS_ALLOW if you really want to do that...
I do need to bypass MD5 because MD5 for RADIUS is FIPS compliant, but I
can't find the EVP_MD_CTX_NON_FIPS_ALLOW flag anywhere. Where is the flag
and h
If you look at the Configure script you will see different debug options
that the developers have setup. Search the Configure file for lines
with 'debug-' in them. You can adjust the Configure script to setup
your own as well, just follow the pattern. There are quite a few
different configs avai
Dr. Steve:
How do I enable debug? I want to make sure I have it set right
as it takes a while to rebuild.
David Schwartz wrote:
>Most likely, you're getting a connection from a non-FIPS endpoint that's
>forcing you to use a protocol that's not FIPS compliant. I'm not sure why
>you're seeing what you're seeing though -- it should just have reported that
>it was unable to negotiate compatible protocols
On Wed, Jul 22, 2009, David Schwartz wrote:
>
> Michael Kurecka wrote:
>
> > Thank you for your help that is definitely a point in the right
> > direction; however, it leaves me more baffled. I found the only
> > SSL_CTX_new function that is in the code and it is being passed
> > the TLSv1_metho
Michael Kurecka wrote:
> Thank you for your help that is definitely a point in the right
> direction; however, it leaves me more baffled. I found the only
> SSL_CTX_new function that is in the code and it is being passed
> the TLSv1_method not an SSLv*_method which is what it should be
> accordin
On Fri, Jul 17, 2009, Michael Kurecka wrote:
> I am trying to run wpa_supplicant in FIPS mode. The stack trace of the
> failure is below. I'm assuming that an algorithm not supported by FIPS
> is being used but I'm not sure which one since I thought I removed
> them all. I replaced SHA-1 with
>
>
>
> > What determines which SSL version is used? Is it the CTX object,
> > a configuration setting, etc.? I've tried tracing the code on
> > the OpenSSL side but it has me baffled even with a stack trace
> > I'm having trouble understanding its path. I would appreciate
> > any help you can give on
Michael Kurecka wrote:
> Thank you David for your bluntness. Trust me, I'm aware of how
> significant making wpa_supplicant FIPSable is. I've been working
> on it for several months. Over the past few months I've been in
> the process of removing non-compliant code, updating MD5 to SHA-1,
> etc.
On Tue, Jul 21, 2009, carlyo...@keycomm.co.uk wrote:
>
> TLS 1.0 DOES use MD5 and SHA-1 in combination, and - despite MD5 not being
> allowed by the FIPS 140-2 standard - it is allowed in this case because the
> combined 'strength' of the two, when used in unison, is not less than SHA-1
> itself.
I'm not going to comment on David's assertions or anything about
wpa_supplicants, but let's take a step back:
SSL is NOT allowed in FIPS 140-2 compliant modes; TLS 1.0 IS allowed in FIPS
140-2 when using FIPS-approved security functions (see the FIPS 140-2
implementation guide).
TLS 1.0 is som
Thank you David for your bluntness. Trust me, I'm aware of how significant
making wpa_supplicant FIPSable is. I've been working on it for several
months. Over the past few months I've been in the process of removing
non-compliant code, updating MD5 to SHA-1, etc. I'm close for the AP side
with host
Michael Kurecka:
> How do I disable SSLv3 so that I can use FIPS?
Sorry to be blunt, but you don't. A FIPS wpa_supplicant is a significant
task, you can't just flip a few switches and make one appear.
DS
How do I disable SSLv3 so that I can use FIPS?
On Fri, Jul 17, 2009 at 4:22 PM, David Schwartz wrote:
>
> Michael Kurecka:
>
> > I am trying to run wpa_supplicant in FIPS mode.
>
> Why?
>
> > I don't think the MD5 function is even called
>
> MD5 is part of SSLv3.
>
> #6 0x4003e6b8 in ssl3_connec
Michael Kurecka:
> I am trying to run wpa_supplicant in FIPS mode.
Why?
> I don't think the MD5 function is even called
MD5 is part of SSLv3.
#6 0x4003e6b8 in ssl3_connect () from /usr/lib/libssl.so.0.9.8
#7 0x4004ebf4 in SSL_connect () from /usr/lib/libssl.so.0.9.8
#8 0x000526c0 in tls_conne