[openssl-users] Questions regarding the openssl FIPS self-tests

2016-01-19 Thread cloud force
Hi everyone, From the openssl fips doc it said the power-on self-tests need to be run when the system comes up. If I have multiple applications which use the openssl crypto functions (under fips mode), does each of these applications need to run the power-on self-tests? Also if the openssl fips

[openssl-users] OpenSSL FIPS modules and APIs compatibility

2016-01-27 Thread cloud force
Hi everyone, Do OpenSSL FIPS modules keep all the OpenSSL APIs intact? i.e. If we use the OpenSSL FIPS modules, we don't need to make any API invocation changes on our applications side (in addition to invoking the FIPS_mode_set API). Is that correct? Thanks, Rich

[openssl-users] SSL keys and certificates for FIPS and non-FIPS mode

2016-01-27 Thread cloud force
Hi everyone, If I have an HTTPS client and server both using OpenSSL with FIPS modules, and supporting both FIPS and non-FIPS mode, will the SSL server and client keys and certificates need to be changed between operating in FIPS and non-FIPS mode? Thanks, Rich

[openssl-users] FIPS Object Module v2.0 and openssl security patches

2016-02-09 Thread cloud force
Hello everyone, Is the FIPS Object Module v2.0 supposed to only work with the vanilla openssl library? If I apply the security patches to the openssl library, should the FIPS Object Module v2.0 still work without problems? Thanks, Rich

[openssl-users] How do I verify the FIPS mode

2016-02-10 Thread cloud force
Hi everyone, I built and installed the FIPS capable OpenSSL lib on my system, and I was wondering what's the easiest way to find out whether my OpenSSL is really FIPS capable or not. e.g. is there any way to run some openssl commands to find out, such as "openssl ciphers -v", and what cipher suit

[openssl-users] Configure and config in openssl source folder

2016-02-10 Thread cloud force
Hi Everyone, I am trying to build FIPS capable OpenSSL as an Ubuntu 12.04 package. From the OpenSSL doc it mentioned we need to do ./config fips in order to build openssl under fips mode. I tried that and it worked well. Now I am building the OpenSSL FIPS as an Ubuntu package. I noticed the pack

Re: [openssl-users] How do I verify the FIPS mode

2016-02-10 Thread cloud force
Thanks Lesley and Steve for the answers. Rich On Wed, Feb 10, 2016 at 12:02 PM, Steve Marquess wrote: > On 02/10/2016 02:56 PM, Lesley Kimmel wrote: > > Actually, I may have steered you wrong. It appears that OPENSSL_FIPS may > > have no effect against a non-FIPS enabled OpenSSL. According to s

Re: [openssl-users] Configure and config in openssl source folder

2016-02-10 Thread cloud force
comes time to link). > > (I apologize if my knowledge is out of date, I haven't been following the > FIPS development for a couple of years.) > > -Kyle H > > > On 2/10/2016 12:23 PM, cloud force wrote: > > Hi Everyone, > > I am trying to build FIPS capabl

Re: [openssl-users] Configure and config in openssl source folder

2016-02-10 Thread cloud force
can do as you want. > > So, to do this, figure out from ./config what parameters it passes to > Configure in the presence of the 'fips' argument, then modify the command > line the packaging script invokes accordingly. > > -Kyle H > > > On 2/10/2016 12:47 PM,

[openssl-users] no version information available error

2016-02-10 Thread cloud force
Hi Everyone, I installed the FIPS capable openssl library (which was built by myself) on my Ubuntu linux box. For some reason, I keep running into the following errors whenever I run ssh related command: ssh: /lib/x86_64-linux-gnu/libcrypto.so.1.0.0: no version information available (required by

[openssl-users] OpenSSL lib build errors

2016-02-10 Thread cloud force
Hi All: I tried to build a FIPS capable OpenSSL Ubuntu package (using the Ubuntu 12.04 debian meta file). The Ubuntu package uses Configure for configuring the source tree with the following parameters: *ARCH_CONFARGS := enable-ec_nistp_64_gcc_128CONFARGS = --prefix=/usr --openssldir=/usr/lib

Re: [openssl-users] OpenSSL lib build errors

2016-02-11 Thread cloud force
I checked the libcrypto.so which was built right before this, and was able to find these symbols. Still not sure why these errors showed up. Any suggestions and possible solutions are greatly appreciated. On Wed, Feb 10, 2016 at 5:34 PM, cloud force wrote: > Hi All: > > I tried to bui

Re: [openssl-users] OpenSSL lib build errors

2016-02-11 Thread cloud force
Has anyone seen these errors before? On Wed, Feb 10, 2016 at 5:34 PM, cloud force wrote: > Hi All: > > I tried to build a FIPS capable OpenSSL Ubuntu package (using the Ubuntu > 12.04 debian meta file). > > The Ubuntu package uses Configure for configuring the source tree wi

[openssl-users] FIPS mode errors

2016-02-11 Thread cloud force
Hi, I built the FIPS capable OpenSSL library on Ubuntu 12.04. When I run the command "OPENSSL_FIPS=1 openssl ciphers", I saw the following error: 140073969415840:error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match:fips.c:232: I tried a few other openssl commands u

Re: [openssl-users] FIPS mode errors

2016-02-11 Thread cloud force
Hi Jakob, This is the most severe FIPS error code, it means one of > 3 things: > > 1. (official reason for this error code): Someone illegally > modified the FIPS validated crypto code after it was > compiled, do not use this computer until the cause has > been thoroughly investigated and co

Re: [openssl-users] no version information available error

2016-02-12 Thread cloud force
Thanks Jakob for the detailed info. On Thu, Feb 11, 2016 at 7:50 AM, Jakob Bohm wrote: > On 10/02/2016 22:46, cloud force wrote: > >> Hi Everyone, >> >> I installed the FIPS capable openssl library (which was built by myself) >> on my Ubuntu linux box. >> >

[openssl-users] openssl.ld and global symbols

2016-02-12 Thread cloud force
Hi Everyone, I tried to build a FIPS capable OpenSSL Ubuntu package (using the Ubuntu 12.04 debian build scripts). The Ubuntu package uses Configure for configuring the source tree with the following parameters: *ARCH_CONFARGS := enable-ec_nistp_64_gcc_128CONFARGS = --prefix=/usr --openssldir

Re: [openssl-users] FIPS mode errors

2016-02-22 Thread cloud force
PM, cloud force wrote: > Hi Jakob, > > This is the most severe FIPS error code, it means one of >> 3 things: >> >> 1. (official reason for this error code): Someone illegally >> modified the FIPS validated crypto code after it was >> compiled, do no

[openssl-users] Helps needed regarding the error "fingerprint does not match:fips.c:232:"

2016-02-23 Thread cloud force
Hi All: I built the FIPS modules on Ubuntu platform and was trying to build the FIPS capable OpenSSL library. The build went fine but when I ran the following test, the fingerprint error showed up: *OPENSSL_FIPS=1 openssl md5* *139728296724128:error:2D06B06F:FIPS routines:FIPS_check_incore_fi

Re: [openssl-users] Helps needed regarding the error "fingerprint does not match:fips.c:232:"

2016-02-24 Thread cloud force
different (and hence causes the "fingerprint does not match" error)? Thanks and any suggestions are truly appreciated. On Tue, Feb 23, 2016 at 5:01 PM, Dr. Stephen Henson wrote: > On Tue, Feb 23, 2016, cloud force wrote: > > > Hi All: > > > > I built th

Re: [openssl-users] Helps needed regarding the error "fingerprint does not match:fips.c:232:"

2016-02-24 Thread cloud force
, Feb 24, 2016 at 5:59 PM, cloud force wrote: > I built the FIPS capable OpenSSL in the standard way (i.e. ./config fips; > make; > make install) and it worked. > > After some tracing on the source code of fips.c I found that the mismatch > error was due to the fact that the

Re: [openssl-users] Helps needed regarding the error "fingerprint does not match:fips.c:232:"

2016-02-25 Thread cloud force
signature in the command line? In addition to the fipsld command, is there any other possible reasons which would cause the signature not set correctly? Thanks and I truly appreciate the helps and suggestions. On Wed, Feb 24, 2016 at 6:36 PM, Dr. Stephen Henson wrote: > On Wed, Feb 24,

Re: [openssl-users] Helps needed regarding the error "fingerprint does not match:fips.c:232:"

2016-02-25 Thread cloud force
)? Where do these two symbols come from and what could cause them not being added to the libcrypto.so? Thanks for any suggestions and helps. On Thu, Feb 25, 2016 at 11:03 AM, cloud force wrote: > Thanks for the information. > > I checked the Makefile and build logs of both cases (i.e. b