Re: FIPS mode fails with fingerprint not matching error

2012-09-21 Thread Cassie Helms
> How do I make the FIPS module point to the FIPS capable version that has been > built? Look for the --with-fipslibdir option referenced in UserGuide 2.0. There is also a --with-fipsdir that I don't believe is talked about in the document. You might want to run ldd on your app executable to che

Re: FIPS Mode and Default DRBG (OpenSSL 1.0.x and FIPS 2.0 Module)

2012-07-29 Thread Dr. Stephen Henson
On Sat, Jul 28, 2012, Jeffrey Walton wrote: > Hi All, > > According to the FIPS 2.0 User Guide ("Default DRBG," page 64): "A > special DRBG instance called the "default DRBG" is used to map the > DRBG to the RAND > interface." Unfortunately, the documentation (both the Security Policy > and User

Re: FIPS Mode

2012-07-10 Thread Alexander Sack
On Mon, Jul 9, 2012 at 10:01 AM, Mike Hoy wrote: > I've googled around for that and for a layman like myself I didn't find > anything that 'held my hand' through the process. If you know how to do > this could you elaborate on how to disable Diffie-Hellman key exchanges? > > http://old.nabble.com

Re: FIPS mode and SSL

2012-07-09 Thread Steve Marquess
On 07/09/2012 04:12 PM, Alex Chen wrote: > When FIPS mode is turned on, I assume OpenSSL will only use FIPS 140-2 > approved encryption algorithms for network traffic encryptions as well, > correct? Yes, for the "FIPS capable" OpenSSL (OpenSSL 1.0.1 built using the "fips" build-time config option

Re: FIPS Mode

2012-07-09 Thread Mike Hoy
I've googled around for that and for a layman like myself I didn't find anything that 'held my hand' through the process. If you know how to do this could you elaborate on how to disable Diffie-Hellman key exchanges? Thanks, Mike Hoy On Sun, Jul 8, 2012 at 3:33 PM, wrote: > Use the 3rd option

Re: FIPS Mode

2012-07-08 Thread jb-openssl
Use the 3rd option suggested by McAfee, it is better than their first two options. The 3rd option is to "configure the ciphersuite used by the server to not include any Diffie-Hellman key exchanges" until your choice of distribution includes OpenSSL 1.0.1 with the new FIPS module. On 08-07-2

Re: FIPS mode and RSA_verify confusion

2012-02-17 Thread john hagen
Thank you very much. Recoded my test app for the EVP_Verify routines; things are working as expected now. Now back to making sense of all the key format (DER,PEM,BER) options. This is new stuff for me. JH On 2/16/12, Dr. Stephen Henson wrote: > On Thu, Feb 16, 2012, john hagen wrote: > >> Can

Re: FIPS mode and RSA_verify confusion

2012-02-16 Thread Dr. Stephen Henson
On Thu, Feb 16, 2012, john hagen wrote: > Can someone shed some light on the following? > > I'm able to 'verify' via the command line like this: > "# env OPENSSL_FIPS=1 ./openssl dgst -sha512 -verify pub.pem > -signature format.sign format.c > Verified OK" > > Programmatically I get the followin

RE: FIPS mode - fails to read the RSA key

2010-10-13 Thread john.mattapilly
October 08, 2010 4:09 PM To: openssl-users@openssl.org Subject: Re: FIPS mode - fails to read the RSA key On Fri, Oct 08, 2010, john.mattapi...@wipro.com wrote: > Thank you Steve, > > I had problem in creating certificate and key in FIPS mode. With your > suggestion now I am able to

Re: FIPS mode - fails to read the RSA key

2010-10-08 Thread Dr. Stephen Henson
On Fri, Oct 08, 2010, john.mattapi...@wipro.com wrote: > Thank you Steve, > > I had problem in creating certificate and key in FIPS mode. With your > suggestion now I am able to create FIPS supported certificate > > When I create it with a passphrase the key looks as below > > -BEGIN ENCRYP

RE: FIPS mode - fails to read the RSA key

2010-10-08 Thread john.mattapilly
penssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Wednesday, October 06, 2010 9:48 PM To: openssl-users@openssl.org Subject: Re: FIPS mode - fails to read the RSA key On Wed, Oct 06, 2010, john.mattapi...@wipro.com wrote: > Thanks again >

Re: FIPS mode - fails to read the RSA key

2010-10-06 Thread Dr. Stephen Henson
On Wed, Oct 06, 2010, john.mattapi...@wipro.com wrote: > Thanks again > > I do have the env Variable OPENSSL_FIPS set to 1. And the key generated > is as below > > -BEGIN RSA PRIVATE KEY- > Proc-Type: 4,ENCRYPTED > DEK-Info: DES-EDE3-CBC,6238C2ACEDF888E5 > > bmtRXSn8WHfHAUBX6m7RLs/yVctQ

RE: FIPS mode - fails to read the RSA key

2010-10-06 Thread john.mattapilly
al Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Wednesday, October 06, 2010 6:02 PM To: openssl-users@openssl.org Subject: Re: FIPS mode - fails to read the RSA key On Wed, Oct 06, 2010, john.mattapi...@wipro.com wrote:

Re: FIPS mode - fails to read the RSA key

2010-10-06 Thread David Schwartz
On 10/6/2010 5:01 AM, john.mattapi...@wipro.com wrote: Thanks Steve, I used the following commands to create the certificate using the openssl built with FIPS support openssl genrsa -des3 -out wv-key.pem 1024 openssl req -new -x509 -key wv-key.pem -out wv-cert.pem -days 365 Do I miss any optio

Re: FIPS mode - fails to read the RSA key

2010-10-06 Thread Dr. Stephen Henson
On Wed, Oct 06, 2010, john.mattapi...@wipro.com wrote: > Thanks Steve, > > I used the following commands to create the certificate using the > openssl built with FIPS support > > openssl genrsa -des3 -out wv-key.pem 1024 > openssl req -new -x509 -key wv-key.pem -out wv-cert.pem -days 365 > > Do

RE: FIPS mode - fails to read the RSA key

2010-10-06 Thread john.mattapilly
Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Wednesday, October 06, 2010 4:36 PM To: openssl-users@openssl.org Subject: Re: FIPS mode - fails to read the RSA key On Wed, Oct 06, 2010, john.mattapi...@wipro.com wrote

Re: FIPS mode - fails to read the RSA key

2010-10-06 Thread Dr. Stephen Henson
On Wed, Oct 06, 2010, john.mattapi...@wipro.com wrote: > Hello there > > I am trying to use the OpenSSL-fips version 1.2 for our application ( > Webserver ) in Vxworks. I was able to integrate the library and > executing FIPS_mode_set is successful. After initializing the > SSL_library_init, The

Re: FIPS mode with OpenSSL 0.9.8?

2005-07-22 Thread Dr. Stephen Henson
On Fri, Jul 22, 2005, Naomaru Itoi wrote: > Thank you for the information, Steve. > > Could you please further clarify the state of FIPS support, especially > ANSI X9.31 PRNG, in OpenSSL 0.9.8? Does the fact that "fips" > directory disappeared from 0.9.8 mean it was scratched? If it was, is >

Re: FIPS mode with OpenSSL 0.9.8?

2005-07-22 Thread Naomaru Itoi
Thank you for the information, Steve. Could you please further clarify the state of FIPS support, especially ANSI X9.31 PRNG, in OpenSSL 0.9.8? Does the fact that "fips" directory disappeared from 0.9.8 mean it was scratched? If it was, is there any plan on putting it back? Or must we keep usi

Re: FIPS mode with OpenSSL 0.9.8?

2005-07-22 Thread Dr. Stephen Henson
On Fri, Jul 22, 2005, Thomas J. Hruska wrote: > Naomaru Itoi wrote: > >Hello, > > > >Please excuse me for the cross post between the ML and the news group. > > > >I am interested in using FIPS recommended functionality in OpenSSL, > >e.g., ANSI X9.31 pseudo random number generator. In OpenSSL 0

Re: FIPS mode with OpenSSL 0.9.8?

2005-07-22 Thread Thomas J. Hruska
Naomaru Itoi wrote: Hello, Please excuse me for the cross post between the ML and the news group. I am interested in using FIPS recommended functionality in OpenSSL, e.g., ANSI X9.31 pseudo random number generator. In OpenSSL 0.9.7g, I can see a directory "fips" at the top of the source tre

Re: FIPS mode

2004-03-28 Thread Ben Laurie
Steven Reddie wrote: Hi Steve, I take it that dynamically linking the FIPS OpenSSL into an executable means that the FIPS certification is void for that application. So as you have stated, static linking is required. However, if I'm producing a security library that uses OpenSSL and I stati

RE: FIPS mode

2004-03-24 Thread Steven Reddie
D] On Behalf Of Marquess, Steve Mr JMLFDC Sent: Thursday, 25 March 2004 7:47 AM To: '[EMAIL PROTECTED]' Subject: RE: FIPS mode Graeme Perrow wrote: >1. In the OpenSSL FIPS FAQ (<http://oss-institute.org/fips-faq.html>), it >says "Note that it is not compliant wit

RE: FIPS mode

2004-03-24 Thread Marquess, Steve Mr JMLFDC
Graeme Perrow wrote: >1. In the OpenSSL FIPS FAQ (<http://oss-institute.org/fips-faq.html>), it >says "Note that it is not compliant with the security policy of FIPS >validated OpenSSL to use shared libraries." What exactly does this mean?

Re: FIPS mode

2003-09-07 Thread Michael Sierchio
Mathias Brossard wrote: It's a little disappointing that RSA is not part of the process (it is much more common than DSA). Looking at the list of validated modules http://csrc.nist.gov/cryptval/140-1/1401val.htm I see in the field "FIPS-approved algorithms" the value "RSA (PKCS #1, vendor

Re: FIPS mode

2003-09-07 Thread Ben Laurie
Mathias Brossard wrote: > On Fri, 2003-09-05 at 19:59, Ben Laurie wrote: > >>Mathias Brossard wrote: >> >>>- Asymmetric: DSA, RSA, ECDSA >> >>Not my understanding. Anyway, DSS only. RSA can't be, and ECDSA we >>aren't doing. > > > It's a little disappointing that RSA is not part of the pr

Re: FIPS mode

2003-09-07 Thread Mathias Brossard
On Fri, 2003-09-05 at 19:59, Ben Laurie wrote: > Mathias Brossard wrote: > > - Asymmetric: DSA, RSA, ECDSA > > Not my understanding. Anyway, DSS only. RSA can't be, and ECDSA we > aren't doing. It's a little disappointing that RSA is not part of the process (it is much more common than DS

Re: FIPS mode

2003-09-05 Thread Ben Laurie
Chris Brook wrote: > If I read your reply right, responsibility for DAC and Known Answer Test > checking is the responsibility of the app developer, though you will provide > the DAC checksum for the crypto module. Have you also included the KATs, > since they essentially exist the OpenSSL test m

Re: FIPS mode

2003-09-05 Thread Ben Laurie
Mathias Brossard wrote: > On Fri, 2003-09-05 at 11:55, Ben Laurie wrote: > >>>- What version of OpenSSL does it correspond to? 0.9.7b? >> >>"Yes, and the FIPS specific routines will be carried forward in future >>OpenSSL releases. Only the "cryptographic module" containing the >>relevant cryptog

Re: FIPS mode

2003-09-05 Thread Rich Salz
It is unfortunate that the process could not have been more open, but I considered the goal worth that sacrifice, Not a problem for me. :) This is great -- one of the most exciting things I've seen in a long time! /r$ -- Rich Salz, Chief Security Architect DataPower Technology

Re: FIPS mode

2003-09-05 Thread Mathias Brossard
On Fri, 2003-09-05 at 11:55, Ben Laurie wrote: > > - What version of OpenSSL does it correspond to? 0.9.7b? > > "Yes, and the FIPS specific routines will be carried forward in future > OpenSSL releases. Only the "cryptographic module" containing the > relevant cryptographic module implementations