Re: openssl 3.0 fips provider and low level APIs

2022-05-03 Thread Tomas Mraz
All the providers can use the low-level APIs internally to implement crypto algorithms. The FIPS provider however includes all the low level implementations as a separately built and statically linked code. That means you cannot use the low-level calls in an application and still be FIPS compliant

Re: OpenSSL 3.0 different behaviour on smaller DH groups?

2022-04-05 Thread Michael Richardson
Simon Chopin wrote: > This test suite fails several times with a failed call to > EVP_PKEY_derive_set_peer, without much more details: > https://github.com/net-ssh/net-ssh/blob/master/test/transport/kex/test_diffie_hellman_group14_sha1.rb > However, the *exact same* test suite w

Re: OpenSSL 3.0 LTS

2022-03-04 Thread The Doctor via openssl-users
On Fri, Mar 04, 2022 at 02:31:01PM +, Short, Todd wrote: > Apple uses LibreSSL, not OpenSSL, in their recent OSes: > > ~$ openssl version -a > LibreSSL 2.8.3 > built on: date not available > platform: information not available > options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(id

Re: OpenSSL 3.0 LTS

2022-03-04 Thread Short, Todd via openssl-users
Apple uses LibreSSL, not OpenSSL, in their recent OSes: ~$ openssl version -a LibreSSL 2.8.3 built on: date not available platform: information not available options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) compiler: information not available OPENSSLDIR: "/private/etc/ssl" ~$ un

Re: OpenSSL 3.0 LTS

2022-03-04 Thread The Doctor via openssl-users
On Fri, Mar 04, 2022 at 11:04:00AM +, Matt Caswell wrote: > OpenSSL 3.0 has recently been designated as a Long Term Support (LTS) > release. This means that it will now be supported until 7th September > 2026 (5 years after its initial release). > > Our previous LTS release (1.1.1) will cont

Re: OpenSSL 3.0 FIPS module configuration file

2022-02-16 Thread Richard Dymond
On Tue, 15 Feb 2022 at 09:53, Tomas Mraz wrote: > Please note that there are two checksums in the configuration file. One > of them is the FIPS module checksum and the other is the checksum of > the configuration. You can copy the file across machines if it is > without the configuration checksum

Re: OpenSSL 3.0 FIPS module configuration file

2022-02-15 Thread Tomas Mraz
Please note that there are two checksums in the configuration file. One of them is the FIPS module checksum and the other is the checksum of the configuration. You can copy the file across machines if it is without the configuration checksum - that means the selftest will be always run when the FIP

Re: OpenSSL 3.0 FIPS module configuration file

2022-02-14 Thread Dr Paul Dale
There is nothing stopping cheating. If you are going to cheat, why bother with FIPS at all?  Just claim you're FIPS. Pauli On 15/2/22 10:49, Ma Ar wrote: Maybe a dumb question too, considering that I am admittedly just getting into this field, but I thought maybe if I ask I might learn so

Re: OpenSSL 3.0 FIPS module configuration file

2022-02-14 Thread Dr Paul Dale
Tom, thanks for looking this up.  I believe that this particular piece of guidance was removed in 140-3. Pauli On 15/2/22 10:57, Thomas Dwyer III wrote: I believe the relevant standard is described in the Implementation Guidance for FIPS 140-2: https://csrc.nist.gov/csrc/media/projects/crypt

Re: OpenSSL 3.0 FIPS module configuration file

2022-02-14 Thread Thomas Dwyer III
I believe the relevant standard is described in the Implementation Guidance for FIPS 140-2: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/fips140-2/fips1402ig.pdf (see IG 9.11 beginning on page 179). I searched briefly for similar text in FIPS 140-3 IG

Re: OpenSSL 3.0 FIPS module configuration file

2022-02-14 Thread Ma Ar
Maybe a dumb question too, considering that I am admittedly just getting into this field, but I thought maybe if I ask I might learn something... is there any method of assurance that the tests were then run on the machine they are installed on? If whatever those tests are attesting to to certify

Re: OpenSSL 3.0 FIPS module configuration file

2022-02-14 Thread Dr Paul Dale
Yes, this has to do with the FIPS standards.  I forget which standard it is but the self tests are mandated to be run on each device independently. The fipsinstall process runs the self tests before generating the configuration file.  If the self tests fail, the module doesn't install.  Copyin

Re: Openssl 3.0 support

2022-02-02 Thread Tomas Mraz
Yeah, you need to add the @SECLEVEL=0 in the cipher string to set the security level to 0. That is needed to allow SHA1 in signatures which is required for these TLS versions. Tomas Mraz On Thu, 2022-02-03 at 17:36 +1100, pa...@openssl.org wrote: >  It does support both.  I think a configuration

Re: Openssl 3.0 support

2022-02-02 Thread pauli
It does support both.  I think a configuration time option might be required and neither is supported by the FIPS provider. Paul Dale On 3/2/22 4:32 pm, Srinivas, Saketh (c) wrote: Hi, Does OpenSSL 3.0 still support TLSv1.0 and TLSv1.1, or are they deprecated, because there were some depre

Re: OpenSSL 3.0 password prompt errors

2021-11-30 Thread pepone.onrez
Tested on a separate machine (Ubuntu Jammy Jellyfish) that comes with OpenSSL 3.x installed and things worked as expected. Probably something was screwed with my own build or the machine that has several OpenSSL versions. Thanks for the help, and sorry for the inconvenience. Cheers, Jose On Tue

Re: OpenSSL 3.0 password prompt errors

2021-11-30 Thread Matt Caswell
On 30/11/2021 13:16, pepone.onrez wrote: Getting some problems with OpenSSL 3.0, I have passwordError function, to check if the last error was due to an invalid password and allow the user to retry. bool passwordError() {     unsigned long error = ERR_peek_error();     unsigned long lib

RE: Openssl 3.0 fipsinstall fails in yocto linux environment

2021-11-09 Thread Susan Tremel
- Message: 2 Date: Tue, 9 Nov 2021 14:32:19 -0800 From: Kory Hamzeh To: openssl-users@openssl.org Subject: Re: Openssl 3.0 fipsinstall fails in yocto linux environment Message-ID: Content-Type: text/plain; charset="utf-8" Hi Susan, How did you run Configure? Are you cross comp

Re: Openssl 3.0 fipsinstall fails in yocto linux environment

2021-11-09 Thread Kory Hamzeh
Hi Susan, How did you run Configure? Are you cross compiling? By default, OpenSSL 3.0.0 builds for /usr/local. You MUST install it there or use a Configure option if you want to install it somewhere else. Kory > On Nov 9, 2021, at 2:21 PM, Susan Tremel wrote: > > I’ve successfully built an

Re: OpenSSL 3.0 FIPS questions

2021-10-31 Thread Jason Schultz
ys 365 I kept this on the same "FIPS OpenSSL 3.0" thread because I'm not 100% sure it's unrelated. What am I missing here? Thanks, Jason From: Matt Caswell Sent: Thursday, October 28, 2021 6:03 PM To: Jason Schultz ; Dr Paul Dale ; openss

Re: OpenSSL 3.0 FIPS questions

2021-10-28 Thread Matt Caswell
so.3 Thanks, Jason *From:* Matt Caswell *Sent:* Thursday, October 28, 2021 2:00 PM *To:* Jason Schultz ; Dr Paul Dale ; openssl-users@openssl.org *Subject:* Re: OpenSSL 3.0 FIPS questions On 28/10/2021 14:49, Jason Schultz wrote: A call to OSSL_PROVIDER_

Re: OpenSSL 3.0 FIPS questions

2021-10-28 Thread Jason Schultz
/libcrypto.so.3 Thanks, Jason From: Matt Caswell Sent: Thursday, October 28, 2021 2:00 PM To: Jason Schultz ; Dr Paul Dale ; openssl-users@openssl.org Subject: Re: OpenSSL 3.0 FIPS questions On 28/10/2021 14:49, Jason Schultz wrote: > A call to OSSL_PROVIDER_av

Re: OpenSSL 3.0 FIPS questions

2021-10-28 Thread Matt Caswell
nks to everyone for their help with this, things are starting to make more sense now. *From:* Matt Caswell *Sent:* Thursday, October 28, 2021 7:39 AM *To:* Jason Schultz ; Dr Paul Dale ; openssl-users@openssl.org *Subject:

Re: OpenSSL 3.0 FIPS questions

2021-10-28 Thread Jason Schultz
_________ From: Matt Caswell Sent: Thursday, October 28, 2021 7:39 AM To: Jason Schultz ; Dr Paul Dale ; openssl-users@openssl.org Subject: Re: OpenSSL 3.0 FIPS questions On 27/10/2021 17:28, Jason Schultz wrote: > With these config files and the code above, the > OSSL_PROVID

Re: OpenSSL 3.0 FIPS questions

2021-10-28 Thread Matt Caswell
On 27/10/2021 17:28, Jason Schultz wrote: With these config files and the code above, the OSSL_PROVIDER_load(fips_libctx, "fips") call fails. Here are the messages from the ERR_print_errors_fp() call: 2097C692B57F:error:1C8000D5:Provider routines:(unknown function):missing config data:

Re: OpenSSL 3.0 FIPS questions

2021-10-27 Thread Jason Schultz
. I'm wondering if that's needed since I don't have any environment variables set up? I'm not sure what the default search path is. Jason From: Matt Caswell Sent: Wednesday, October 27, 2021 10:34 AM To: Jason Schultz ; Dr Paul Dale ; opens

Re: OpenSSL 3.0 FIPS questions

2021-10-27 Thread Matt Caswell
On 26/10/2021 20:17, Jason Schultz wrote: Thanks for all of the help so far. Unfortunately, I'm still struggling with this. There could be a number of issues, starting with the installation of OpenSSL. I basically followed the documentation and did the following: ./Configure enable-fips m

Re: OpenSSL 3.0 FIPS questions

2021-10-26 Thread Jason Schultz
Ah, OK. Yes, I am running on the same machine. Thanks for clarifying. From: Kory Hamzeh Sent: Tuesday, October 26, 2021 9:15 PM To: Jason Schultz Cc: Dr Paul Dale ; openssl-users@openssl.org Subject: Re: OpenSSL 3.0 FIPS questions Actually, if you are

Re: OpenSSL 3.0 FIPS questions

2021-10-26 Thread Kory Hamzeh
ith the > non_fips_libctx is successful, but later calling X509_get_pubkey() returns > NULL, implying maybe something is wrong with the non_fips_libctx as well. > > I've tried other combinations, but at this point I'm just guessing. Is there > anything obvious I could be m

Re: OpenSSL 3.0 FIPS questions

2021-10-26 Thread Jason Schultz
ules/. Are you saying I still needed to do "openssl fipsinstall" after the 4 steps I already did? Thanks, Jason From: Kory Hamzeh Sent: Tuesday, October 26, 2021 8:13 PM To: Jason Schultz Cc: Dr Paul Dale ; openssl-users@openssl.org Subject: Re: Op

Re: OpenSSL 3.0 FIPS questions

2021-10-26 Thread Kory Hamzeh
> NULL, implying maybe something is wrong with the non_fips_libctx as well. > > I've tried other combinations, but at this point I'm just guessing. Is there > anything obvious I could be missing and I should be checking? > > Thanks, > > Jason > > > Fr

Re: OpenSSL 3.0 FIPS questions

2021-10-26 Thread Jason Schultz
sing and I should be checking? Thanks, Jason From: Dr Paul Dale Sent: Monday, October 25, 2021 9:37 PM To: Jason Schultz ; openssl-users@openssl.org Subject: Re: OpenSSL 3.0 FIPS questions It was meant for the second method only. The first method is using di

Re: OpenSSL 3.0 FIPS questions

2021-10-25 Thread Dr Paul Dale
hould be doing it if I use the first method as well. Regards, Jason *From:* openssl-users on behalf of Dr Paul Dale *Sent:* Sunday, October 24, 2021 11:12 PM *To:* openssl-users@openssl.org *Subject:* Re: OpenSSL 3.

Re: OpenSSL 3.0 FIPS questions

2021-10-25 Thread Jason Schultz
ems like I should be doing it if I use the first method as well. Regards, Jason From: openssl-users on behalf of Dr Paul Dale Sent: Sunday, October 24, 2021 11:12 PM To: openssl-users@openssl.org Subject: Re: OpenSSL 3.0 FIPS questions The configuration

Re: OpenSSL 3.0 FIPS questions

2021-10-24 Thread Dr Paul Dale
ds, Jason *From:* openssl-users on behalf of Dr Paul Dale *Sent:* Sunday, October 24, 2021 12:28 AM *To:* openssl-users@openssl.org *Subject:* Re: OpenSSL 3.0 FIPS questions Oops, the second time this occurs "defp = OSSL_PROVIDER_load(non_fips_l

Re: OpenSSL 3.0 FIPS questions

2021-10-24 Thread Jason Schultz
fips, base, default, etc? Regards, Jason From: openssl-users on behalf of Dr Paul Dale Sent: Sunday, October 24, 2021 12:28 AM To: openssl-users@openssl.org Subject: Re: OpenSSL 3.0 FIPS questions Oops, the second time this occurs "defp = OSSL_PROVIDER

Re: OpenSSL 3.0 FIPS questions

2021-10-23 Thread Dr Paul Dale
Oops, the second time this occurs "defp = OSSL_PROVIDER_load(non_fips_libctx, "default");" it should be "defp = OSSL_PROVIDER_load(NULL, "default");" Pauli On 24/10/21 10:06 am, Dr Paul Dale wrote: defp = OSSL_PROVIDER_load(non_fips_libctx, "default");

Re: OpenSSL 3.0 FIPS questions

2021-10-23 Thread Dr Paul Dale
There are several approaches you could take.  With two library contexts: fips_libctx = OSSL_LIB_CTX_new(); non_fips_libctx = OSSL_LIB_CTX_new(); fipsp = OSSL_PROVIDER_load(fips_libctx, "fips"); basep = OSSL_PROVIDER_load(fips_libctx,"base");  /* can't load keys without this */

Re: OpenSSL 3.0 FIPS questions

2021-10-23 Thread Kory Hamzeh
One way to do what you want is with two config files, and in the first line of your main() function, add: putenv("OPENSSL_CONF=/path/to/your/conf") depending on whether you want to run in FIPS mode or not. Of course, this only works if FIPS is needed application wide, not on a per connection

Re: openssl 3.0 - id2_x509() now fails

2021-08-09 Thread Tomas Mraz
On Mon, 2021-08-09 at 09:48 -0400, Ken Goldman wrote: > On 8/9/2021 3:50 AM, Tomas Mraz wrote: > > On Fri, 2021-08-06 at 18:06 -0400, Ken Goldman wrote: > > > On 8/6/2021 1:11 PM, Ken Goldman wrote: > > > > I have an application where I have to create a partial x509 > > > > certificate.  It gets se

Re: openssl 3.0 - id2_x509() now fails

2021-08-09 Thread Ken Goldman
On 8/9/2021 3:50 AM, Tomas Mraz wrote: On Fri, 2021-08-06 at 18:06 -0400, Ken Goldman wrote: On 8/6/2021 1:11 PM, Ken Goldman wrote: I have an application where I have to create a partial x509 certificate.  It gets sent to an HSM, which fills in the public key and signs it. I was calling    

Re: openssl 3.0 - id2_x509() now fails

2021-08-09 Thread Tomas Mraz
On Fri, 2021-08-06 at 18:06 -0400, Ken Goldman wrote: > On 8/6/2021 1:11 PM, Ken Goldman wrote: > > I have an application where I have to create a partial x509 > > certificate.  It gets sent to an HSM, which fills in the public key > > and signs it. > > > > I was calling > > > >  X509_new > >

Re: openssl 3.0 - id2_x509() now fails

2021-08-06 Thread Ken Goldman
On 8/6/2021 1:11 PM, Ken Goldman wrote: I have an application where I have to create a partial x509 certificate.  It gets sent to an HSM, which fills in the public key and signs it. I was calling X509_new X509_set_version X509_set_issuer_name X509_get_notBefore X509_ge

Re: openssl 3.0 genpkey

2021-08-05 Thread Dr Paul Dale
Ken, I've created issue #16238 for these.  Any chance you could add version information or other useful tidbits? Thanks, Pauli On 6/8/21 7:59 am, Ken Goldman wrote: Should these be posted here or as github issues?  (May be user error) 1 o

Re: openssl 3.0 genpkey

2021-08-05 Thread Dr Paul Dale
GitHub issues would be better.  They are harder to miss accidentally. Pauli On 6/8/21 7:59 am, Ken Goldman wrote: Should these be posted here or as github issues?  (May be user error) 1 openssl genpkey -algorithm rsa -outform der -out key.der -quiet returns: genpkey: Option -quiet need

Re: openssl 3.0 beta versus actual

2021-06-25 Thread Matt Caswell
On 25/06/2021 08:01, Sandeep Umesh wrote: Hello. While the beta version has been released now, please let us know if there is any timeline to release the actual 3.0 version? What changes are expected in the 3.0 version compared to its beta? Is it restricted to bug fixes only? We are expec

Re: OpenSSL 3.0 - providing entropy to EVP_RAND ?

2021-04-16 Thread Bala Duvvuri via openssl-users
Thank you for all the help, got this working. Thanks Bala On Thursday, 15 April, 2021, 04:02:10 am IST, Dr Paul Dale wrote: Comments inline. Pauli On 15/4/21 12:09 am, Bala Duvvuri wrote: HI Paul, Thanks a lot for your response, thank you for pointing to /providers/im

Re: OpenSSL 3.0 - providing entropy to EVP_RAND ?

2021-04-14 Thread Dr Paul Dale
Comments inline. Pauli On 15/4/21 12:09 am, Bala Duvvuri wrote: Hi Paul, Thanks a lot for your response, thank you for pointing to /providers/implementations/rands/test_rng.c and the code to run NIST test. Still finding it a bit difficult to wrap around these new APIs In the old implementa

Re: OpenSSL 3.0 - providing entropy to EVP_RAND ?

2021-04-14 Thread Dr Paul Dale
For setting up a parent for a DRBG, look at /providers/implementations/rands/test_rng.c which produces seed material (test_rng_generate) and nonces (test_rng_nonce).  The built in DRBG's don't need the nonce, they will act as per SP800-90Ar1 section 9.1 with a nonce available from their parent.

Re: OpenSSL 3.0 - providing entropy to EVP_RAND ?

2021-04-14 Thread Bala Duvvuri via openssl-users
1> >>The best way to do this, is to create a provider which acts as a seed source and to then use this as the parent of the primary DRBG. See, for example, test/testutil/fakerandom.c for how to do this. The key is to set up the seed source before the RNG subsystem is first used. In our case we

Re: OpenSSL 3.0 - providing entropy to EVP_RAND ?

2021-03-23 Thread Dr Paul Dale
RAND_add() forces a reseed to the DRBGs and uses the passed material (not as entropy but as additional input). EVP_RAND_reseed() is a more direct interface but remember that the built in DRBGs are free to ignore what the user claims is /entropy/. History has shown us time and again that /entro

Re: OpenSSL 3.0 daily snapshot

2021-02-15 Thread The Doctor
On Mon, Feb 15, 2021 at 02:06:17PM +0100, Richard Levitte wrote: > Hmmm, I have never seen that (apart from in one of my own development > branches, but that never reached the main source). > > If you want anyone to look into it, it would be a good idea to show us what > your configuration is. T

Re: OpenSSL 3.0 daily snapshot

2021-02-15 Thread Richard Levitte
Hmmm, I have never seen that (apart from in one of my own development branches, but that never reached the main source). If you want anyone to look into it, it would be a good idea to show us what your configuration is. The output from this command is recommended: perl configdata.pm -d Che

Re: OPenssl 3.0 issues

2021-01-26 Thread Richard Levitte
That should be fixed, I merged a fixup commit yesterday. Cheers, Richard On Mon, 25 Jan 2021 15:56:28 +0100, The Doctor wrote: > > Anyone using BSD running into basename issues? > > -- > Member - Liberal International This is doctor@@nl2k.ab.ca Ici > doctor@@nl2k.ab.ca > Yahweh, Queen & count

Re: OPenssl 3.0 issues

2021-01-25 Thread John Baldwin
On 1/25/21 6:56 AM, The Doctor wrote: Anyone using BSD running into basename issues? I have not, but my use of 3.0 has been limited to KTLS testing with nginx. Are you referring to whether or not the string returned by basename(3) is part of the input string or whether it is a copy stored in

Re: OPenssl 3.0 issues

2021-01-25 Thread Blumenthal, Uri - 0553 - MITLL
On 1/25/21, 10:13, "openssl-users on behalf of The Doctor" wrote: Anyone using BSD running into basename issues? Basename issues on MacOS. Presumably the same as you're having on BSD.

Re: [SOLVED] Re: OpenSSL 3.0 hangs at exit with FIPS provider

2020-07-20 Thread Thomas Dwyer III
view, use, disclosure or distribution is > prohibited. If you are not the intended recipient, please immediately > contact the sender by reply e-mail and delete the original message and > destroy all copies thereof. > > <https://www.ncp-e.com/de/aktuelles/events/veranstaltungen> >

Re: OpenSSL 3.0 hangs at exit with FIPS provider

2020-07-20 Thread Matt Caswell
On 15/07/2020 18:20, Thomas Dwyer III wrote: > Platform: Linux x86_64 > > I understand this is still alpha but how complete is the FIPS provider > right now? Fairly complete. Please could you raise this as a github issue so that it can be properly investigated and tracked? > When I run this

RE: [SOLVED] Re: OpenSSL 3.0 hangs at exit with FIPS provider

2020-07-18 Thread Dr. Matthias St. Pierre
n Behalf Of Thomas Dwyer III Sent: Friday, July 17, 2020 6:57 PM To: openssl-users Subject: [SOLVED] Re: OpenSSL 3.0 hangs at exit with FIPS provider It turns out the problem was caused by a misinterpretation of the phrase "add the following lines near the beginning" in section 7.1 of

[SOLVED] Re: OpenSSL 3.0 hangs at exit with FIPS provider

2020-07-17 Thread Thomas Dwyer III
It turns out the problem was caused by a misinterpretation of the phrase "add the following lines near the beginning" in section 7.1 of the documentation at https://wiki.openssl.org/index.php/OpenSSL_3.0 for enabling FIPS support. I added these lines to the very top of the file: openssl_conf = ope

Re: OpenSSL 3.0

2020-02-27 Thread Matt Caswell
ers > *Sent:* Thursday, February 27, 2020 1:31 PM > *To:* Matt Caswell ; openssl-users@openssl.org > > *Subject:* Re: OpenSSL 3.0 >   > >>    It would probably be a good idea for us to pull together a "Getting >     Started" guide on the Wiki with some basic inf

Re: OpenSSL 3.0

2020-02-27 Thread Walter Paley
he person managing the list at >openssl-users-ow...@openssl.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of openssl-users digest..." > > > Today's Topics: > > 1. Re: OpenSSL 3.0 (Salz, Rich) >

Re: OpenSSL 3.0

2020-02-27 Thread Jason Schultz
That's fair. So the only option is to use another module? Extended 1.0.2 support does not resolve this either, correct? From: Salz, Rich Sent: Thursday, February 27, 2020 8:49 PM To: Jason Schultz ; openssl-users@openssl.org Subject: Re: OpenSS

Re: OpenSSL 3.0

2020-02-27 Thread Salz, Rich via openssl-users
None of those choices address what happens when the 1.0.2 module goes to historic on Sept 1. See https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules for details.

Re: OpenSSL 3.0

2020-02-27 Thread Jason Schultz
For option 2, we have a support contract in place. But does this actually help us as far as the FIPS Object Module? From: openssl-users on behalf of Neptune Sent: Thursday, February 27, 2020 8:56 PM To: openssl-users@openssl.org Subject: Re: OpenSSL 3.0 You

Re: OpenSSL 3.0

2020-02-27 Thread Salz, Rich via openssl-users
* That's fair. So the only option is to use another module? Extended 1.0.2 support does not resolve this either, correct? I do not think that is the only option. For example, you might be able to use 3.0 and say it’s “in evaluation.” There might be other options, that was all I could think

Re: OpenSSL 3.0

2020-02-27 Thread Neptune
You essentially have three choices: 1. Stay on the 1.0.2 branch to continue FIPS compliance, but go the entire year without support or security patches. 2. Pay OpenSSL for a premium support contract ($50,000 per year) to continue to receive patches on 1.0.2 for the remainder of the year. 3. Pay Saf

Re: OpenSSL 3.0

2020-02-27 Thread Salz, Rich via openssl-users
* The OpenSSL FIPS Object Module will be moved to the CMVP historical list as of 9/1/2020. Since there is no OpenSSL 3.0 until Q4 2020, and a FIPS Module will be after that sometime, where does this leave 1.0.2 users who need a FIPS validated object module past that date? Without their free

Re: OpenSSL 3.0

2020-02-27 Thread Jason Schultz
Caswell ; openssl-users@openssl.org Subject: Re: OpenSSL 3.0 >It would probably be a good idea for us to pull together a "Getting Started" guide on the Wiki with some basic information on how to get things going, with some links to the various man pages etc where more

Re: OpenSSL 3.0

2020-02-27 Thread Salz, Rich via openssl-users
>It would probably be a good idea for us to pull together a "Getting Started" guide on the Wiki with some basic information on how to get things going, with some links to the various man pages etc where more detailed information is required. This needs to be real user documentat

Re: OpenSSL 3.0

2020-02-26 Thread Matt Caswell
On 26/02/2020 21:06, Dr Paul Dale wrote: > You should be able to set the environment variable OPENSSL_CONF to > test/fips.cnf which will then load a FIPS only configuration. > > Teething problems are expected.  Not everything has been activated in > the FIPS module but enough has to do some TLS

Re: OpenSSL 3.0

2020-02-26 Thread Dr Paul Dale
You should be able to set the environment variable OPENSSL_CONF to test/fips.cnf which will then load a FIPS only configuration. Teething problems are expected. Not everything has been activated in the FIPS module but enough has to do some TLS. Pauli -- Dr Paul Dale | Distinguished Architect

Re: OpenSSL 3.0

2020-02-26 Thread Salz, Rich via openssl-users
> That's 5 weeks from now, I'd thought the basic structure might be present > now. It is. You probably have to look at the tests to see how to use things.

Re: OpenSSL 3.0

2020-02-26 Thread Sam Roberts
On Wed, Feb 26, 2020 at 11:44 AM Salz, Rich wrote: > > The 3.0 release is a work in progress and is not done yet. > > FIPS 3.0 === OpenSSL 3.0, using a FIPS-validated crypto provider which will > be part of OpenSSL 3.0. > > The architecture documents are at https://www.openssl.org/docs Rich, I'v

Re: OpenSSL 3.0

2020-02-26 Thread Salz, Rich via openssl-users
The 3.0 release is a work in progress and is not done yet. FIPS 3.0 === OpenSSL 3.0, using a FIPS-validated crypto provider which will be part of OpenSSL 3.0. The architecture documents are at https://www.openssl.org/docs On 2/26/20, 2:40 PM, "Sam Roberts" wrote: On Wed, Feb 26, 2020 at

Re: OpenSSL 3.0

2020-02-26 Thread Sam Roberts
On Wed, Feb 26, 2020 at 8:36 AM Salz, Rich wrote: > > >I'd like to give this a spin, to get an idea what's going to be > involved in porting from FIPS2.0 to 3.0, any pointers on where to > start? > > Per the blog post, "most applications should just need to be recompiled." :) > > Get t

Re: OpenSSL 3.0

2020-02-26 Thread Salz, Rich via openssl-users
>I'd like to give this a spin, to get an idea what's going to be involved in porting from FIPS2.0 to 3.0, any pointers on where to start? Per the blog post, "most applications should just need to be recompiled." :) Get the source via instructions here: https://www.openssl.org/source

Re: OpenSSL 3.0

2020-02-26 Thread Sam Roberts
On Tue, Feb 25, 2020 at 8:00 PM Matt Caswell wrote: > alpha1, 2020-03-31: Basic functionality plus basic FIPS module I'd like to give this a spin, to get an idea what's going to be involved in porting from FIPS2.0 to 3.0, any pointers on where to start? Sam

Re: OpenSSL 3.0

2020-02-25 Thread Matt Caswell
On 25/02/2020 19:07, Jason Schultz wrote: > Greetings. It has been several months since this blog post on OpenSSL 3.0: > > https://www.openssl.org/blog/blog/2019/11/07/3.0-update/ > > “We are now not expecting code completion to occur until the end of Q2 > 2020 with a final release in early Q4

Re: Openssl 3.0 fips usage

2020-02-04 Thread Salz, Rich via openssl-users
* If both default and fips provider are loaded and application generate Rsa key pair(2048 bits) from fips provider and try to use default provider to sign with sha1, is this allowed? The application will have to explicitly “export” the key from the FIPS provider and “import” it into the

Re: OpenSSL 3.0 (or 4.0) API goals

2019-03-04 Thread Matt Caswell
On 04/03/2019 12:57, Hubert Kario wrote: > On Monday, 4 March 2019 12:59:26 CET Matt Caswell wrote: >> On 01/03/2019 22:26, Paul Smith wrote: >>> Hi all. >>> >>> I'm reading with interest the details coming out with respect to the >>> next release of OpenSSL. >>> >>> I'm curious if there's any c

Re: OpenSSL 3.0 (or 4.0) API goals

2019-03-04 Thread Hubert Kario
On Monday, 4 March 2019 12:59:26 CET Matt Caswell wrote: > On 01/03/2019 22:26, Paul Smith wrote: > > Hi all. > > > > I'm reading with interest the details coming out with respect to the > > next release of OpenSSL. > > > > I'm curious if there's any consideration being given to updating the > >

Re: OpenSSL 3.0 (or 4.0) API goals

2019-03-04 Thread Richard Levitte
Matt Caswell skrev: (4 mars 2019 12:59:26 CET) > > >On 01/03/2019 22:26, Paul Smith wrote: >> Hi all. >> >> I'm reading with interest the details coming out with respect to the >> next release of OpenSSL. >> >> I'm curious if there's any consideration being given to updating the >> API for ex

Re: OpenSSL 3.0 (or 4.0) API goals

2019-03-04 Thread Matt Caswell
On 01/03/2019 22:26, Paul Smith wrote: > Hi all. > > I'm reading with interest the details coming out with respect to the > next release of OpenSSL. > > I'm curious if there's any consideration being given to updating the > API for existing interfaces, and/or checking the APIs of any new > int

Re: OpenSSL 3.0 (or 4.0) API goals

2019-03-02 Thread Angus Robertson - Magenta Systems Ltd
> I'm curious if there's any consideration being given to updating > the API for existing interfaces, and/or checking the APIs of any new > interfaces for issues that are seen in the current API. Also replacing all C macros such as those for SSL_CTX_ctrl with proper external functions. This will

Re: OpenSSL 3.0 vs. SSL 3.0

2019-03-01 Thread Daniel Kahn Gillmor
On Wed 2019-02-27 16:02:32 +0100, Christian Heimes wrote: > In my humble opinion, it's problematic and confusing to use "OpenSSL > 3.0" for the next major version of OpenSSL and first release of > OpenSSL with SSL 3.0 support. Sigh. You're right, but I wish you weren't. :) Part of the problem of

Re: OpenSSL 3.0 vs. SSL 3.0

2019-02-28 Thread Christian Heimes
On 27/02/2019 19.53, Michael Richardson wrote: > > Christian Heimes wrote: > > I'm concerned about the version number of the upcoming major release of > > OpenSSL. "OpenSSL 3.0" just sounds and looks way too close to "SSL 3.0". > > It took us more than a decade to teach people that SS

Re: OpenSSL 3.0 vs. SSL 3.0

2019-02-27 Thread Michael Richardson
Christian Heimes wrote: > I'm concerned about the version number of the upcoming major release of > OpenSSL. "OpenSSL 3.0" just sounds and looks way too close to "SSL 3.0". > It took us more than a decade to teach people that SSL 3.0 is bad and > should be avoided in favor of TLS.