OpenSSL 0.9.8j dev
Need to split the FIPS and non-FIPS compliant technologies:

When I do a fips compile, namely

    ./Configure threads shared no-sse2 fipsdso enable-capieng enable-montasm enable-cms enable-seed enable-tlsext enable-camellia enable-rfc3779 enable-gmp enable-mdc2 enable-rc5 zlib-dynamic --prefix=/usr/contrib --openssldir=/usr/contrib debug-bsdi-x86-elf -g -O3 -Wall -mcpu=pentium3

with debug-bsdi-x86-elf

    debug-bsdi-x86-elf, gcc:-DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer -O9 -march=pentium3 -Wall -g::${BSDthreads}::-ldl -lm -lc:THIRY_TWO_BIT_LONG RC4_CHUNK BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR),

I get:

    Testing cipher SEED-ECB(encrypt)
    Key 28 db c3 bc 49 ff d8 7d cf a5 09 b1 1d 42 2b e7
    Plaintext b4 1e 6b e2 eb a8 4a 14 8e 2e ed 84 59 3c 5e c7
    Ciphertext 9b 9b 7b fc d1 81 3c b9 5d 0b 36 18 f4 0f 51 22
    test SSL protocol
    test ssl3 is forbidden in FIPS mode
    *** IN FIPS MODE ***
    Available compression methods:
    1: zlib compression
    8918:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1402:
    8918:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1402:
    test ssl2 is forbidden in FIPS mode
    *** IN FIPS MODE ***
    Available compression methods:
    1: zlib compression
    8932:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1402:
    8932:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1402:
    test tls1
    *** IN FIPS MODE ***
    Available compression methods:
    1: zlib compression
    8956:error:0406A08D:rsa routines:RSA_new_method:non fips method:rsa_eng.c:183:
    8956:error:0D079064:asn1 encoding routines:ASN1_ITEM_EX_COMBINE_NEW:aux error:tasn_new.c:221:
    8956:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:402:Type=RSA
    8956:error:0D09B00D:asn1 encoding routines:d2i_PublicKey:ASN1 lib:d2i_pu.c:99:
    8956:error:0B077066:x509 certificate routines:X509_PUBKEY_get:err asn1 lib:x_pubkey.c:366:
    8956:error:140BF10C:SSL routines:SSL_SET_CERT:x509 lib:ssl_rsa.c:402:
    ERROR in SERVER
    8956:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1037:
    TLSv1, cipher (NONE) (NONE)
    1 handshakes of 256 bytes done
    *** Error code 1 (continuing)
    Test IGE mode
    ../util/shlib_wrap.sh ./igetest
    `tests' not remade because of errors.
    util/opensslwrap.sh version -a
    OpenSSL 0.9.8j-fips-dev xx XXX
    built on: Sat Sep 20 08:02:29 MDT 2008
    platform: debug-bsdi-x86-elf
    options: bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(idx)
    compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -pthread -D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -g -O3 -Wall -mcpu=pentium3 -DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer -O9 -march=pentium3 -Wall -g -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
    OPENSSLDIR: /usr/contrib
    `test' is up to date.

using make -k test.

Please fix.

--
Member - Liberal International This is [EMAIL PROTECTED] Ici [EMAIL PROTECTED]
God, Queen and country! Beware Anti-Christ rising!
Canada vote anything but Conservative on 14 OCt 2008, join us at http://www.harpocrit.ca .

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: OpenSSL 0.9.8j dev
Fips folk: Should the 'fipsdso' target complain if it gets any other command line arguments in ./Configure? Since specifying it means that you're trying to build the shared object...

-Kyle H

On Sat, Sep 20, 2008 at 8:56 AM, The Doctor [EMAIL PROTECTED] wrote:
> Need to split the FIPS and non-FIPS compliant technologies:
>
> When I do a fips compile, namely
>
>     ./Configure threads shared no-sse2 fipsdso enable-capieng enable-montasm enable-cms enable-seed enable-tlsext enable-camellia enable-rfc3779 enable-gmp enable-mdc2 enable-rc5 zlib-dynamic --prefix=/usr/contrib --openssldir=/usr/contrib debug-bsdi-x86-elf -g -O3 -Wall -mcpu=pentium3
>
> with debug-bsdi-x86-elf
>
>     debug-bsdi-x86-elf, gcc:-DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer -O9 -march=pentium3 -Wall -g::${BSDthreads}::-ldl -lm -lc:THIRY_TWO_BIT_LONG RC4_CHUNK BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR),
>
> I get:
>
>     Testing cipher SEED-ECB(encrypt)
>     Key 28 db c3 bc 49 ff d8 7d cf a5 09 b1 1d 42 2b e7
>     Plaintext b4 1e 6b e2 eb a8 4a 14 8e 2e ed 84 59 3c 5e c7
>     Ciphertext 9b 9b 7b fc d1 81 3c b9 5d 0b 36 18 f4 0f 51 22
>     test SSL protocol
>     test ssl3 is forbidden in FIPS mode
>     *** IN FIPS MODE ***
>     Available compression methods:
>     1: zlib compression
>     8918:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1402:
>     8918:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1402:
>     test ssl2 is forbidden in FIPS mode
>     *** IN FIPS MODE ***
>     Available compression methods:
>     1: zlib compression
>     8932:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1402:
>     8932:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1402:
>     test tls1
>     *** IN FIPS MODE ***
>     Available compression methods:
>     1: zlib compression
>     8956:error:0406A08D:rsa routines:RSA_new_method:non fips method:rsa_eng.c:183:
>     8956:error:0D079064:asn1 encoding routines:ASN1_ITEM_EX_COMBINE_NEW:aux error:tasn_new.c:221:
>     8956:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:402:Type=RSA
>     8956:error:0D09B00D:asn1 encoding routines:d2i_PublicKey:ASN1 lib:d2i_pu.c:99:
>     8956:error:0B077066:x509 certificate routines:X509_PUBKEY_get:err asn1 lib:x_pubkey.c:366:
>     8956:error:140BF10C:SSL routines:SSL_SET_CERT:x509 lib:ssl_rsa.c:402:
>     ERROR in SERVER
>     8956:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1037:
>     TLSv1, cipher (NONE) (NONE)
>     1 handshakes of 256 bytes done
>     *** Error code 1 (continuing)
>     Test IGE mode
>     ../util/shlib_wrap.sh ./igetest
>     `tests' not remade because of errors.
>     util/opensslwrap.sh version -a
>     OpenSSL 0.9.8j-fips-dev xx XXX
>     built on: Sat Sep 20 08:02:29 MDT 2008
>     platform: debug-bsdi-x86-elf
>     options: bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(idx)
>     compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -pthread -D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -g -O3 -Wall -mcpu=pentium3 -DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer -O9 -march=pentium3 -Wall -g -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
>     OPENSSLDIR: /usr/contrib
>     `test' is up to date.
>
> using make -k test.
>
> Please fix.
digest verification failing due to unable to load key file
I have converted a Microsoft code signing key obtained from Thawte into a PKCS12 file, and then converted to a pair of PEM files, one with the private key and the other without, like this:

    openssl pkcs12 -chain -in palisadesys.pfx -out palisadesys.pem
    openssl pkcs12 -chain -in palisadesys.pfx -nokeys -out palisadesys-publiconly.pem

Then I have signed a file like this:

    openssl dgst -sha1 -sign palisadesys.pem -out file.tar.gz.sha1 file.tar.gz

But when I validate the signature:

    openssl dgst -sha1 -verify palisadesys-publiconly.pem -signature file.tar.gz.sha1 file.tar.gz

results in the message "unable to load key file". All three files (palisadesys-publiconly.pem, file.tar.gz.sha1, and file.tar.gz) are readable.

Thanks for any help,
Guy Helmer

--
Guy Helmer, Ph.D.
Chief System Architect
Palisade Systems, Inc.
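Added example, not part of the original post: `openssl dgst -verify` reads a PEM public key, while the output of `pkcs12 -nokeys` holds certificates, so the sketch below extracts the public key from the certificate with `openssl x509 -pubkey` before verifying. The self-signed certificate, the file names and the function `verify_with_extracted_pubkey` are constructed for illustration, and it signs with SHA-256 rather than the post's `-sha1`.

```shell
#!/bin/sh
# Added example: key, certificate and payload are constructed stand-ins.
# Usage: verify_with_extracted_pubkey [tamper]
# Returns 0 when the signature verifies, non-zero otherwise.
verify_with_extracted_pubkey() {
    mode=${1:-intact}
    dir=$(mktemp -d) || return 1

    # Constructed stand-in for the converted PKCS#12 material:
    # an unencrypted private key plus a self-signed certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-signer" \
        -keyout "$dir/signer-key.pem" -out "$dir/signer-cert.pem" \
        2>/dev/null || { rm -rf "$dir"; return 1; }

    printf 'constructed payload\n' > "$dir/file.tar.gz"

    # Sign the file with the private key.
    openssl dgst -sha256 -sign "$dir/signer-key.pem" \
        -out "$dir/file.tar.gz.sig" "$dir/file.tar.gz" \
        || { rm -rf "$dir"; return 1; }

    # The certificate is not a bare public key: extract the
    # "BEGIN PUBLIC KEY" block that -verify expects.
    openssl x509 -in "$dir/signer-cert.pem" -pubkey -noout \
        > "$dir/signer-pub.pem" || { rm -rf "$dir"; return 1; }

    # Optionally modify the payload to show that verification then fails.
    if [ "$mode" = "tamper" ]; then
        printf 'x' >> "$dir/file.tar.gz"
    fi

    openssl dgst -sha256 -verify "$dir/signer-pub.pem" \
        -signature "$dir/file.tar.gz.sig" "$dir/file.tar.gz" \
        >/dev/null 2>&1 && rc=0 || rc=$?

    rm -rf "$dir"
    return "$rc"
}
```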
Re: How to use a hardware RNG with openssl?
Lutz Jaenicke wrote:
> Gerd Schering wrote:
> > Hello,
> > we purchased a hrng for the generation of RSA keys for instance. It is a USB device and shows up as /dev/qrandom. So, in order to generate rsa keys, is it sufficient to use it as a replacement for /dev/urandom and to call genrsa as
> >
> >     openssl genrsa -rand /dev/qrandom 2048
> >
> > ?
>
> Yes, it is sufficient. Please note that a source not having a definite EOF (End Of File) will lead to an infinite loop reading from the source. It may therefore be necessary to read a specified amount of entropy first into an intermediate file to be fed via -rand.

So, if I get it right: we have a true random source to seed the PRNG and this produces true random numbers?

regards,
Gerd
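Added example, not part of the thread: one way to follow the advice above, reading a fixed number of bytes from the device into an intermediate file and passing that file to `-rand`, so `openssl` sees a source with a definite EOF. The function name `seed_and_genrsa`, the byte count and the output path are assumptions; `/dev/qrandom` is the device named in the post.

```shell
#!/bin/sh
# Added example. Usage: seed_and_genrsa DEVICE NBYTES KEYFILE
#   e.g. seed_and_genrsa /dev/qrandom 64 ./rsa-key.pem
# Returns 0 only if exactly NBYTES were read and the key was written.
seed_and_genrsa() {
    dev=$1
    nbytes=$2
    out=$3

    # mktemp creates the seed file readable by the owner only.
    seed=$(mktemp) || return 1

    # Bounded read: bs=1 with count=NBYTES stops after NBYTES bytes,
    # so an endless character device cannot stall the key generation.
    dd if="$dev" of="$seed" bs=1 count="$nbytes" 2>/dev/null \
        || { rm -f "$seed"; return 1; }

    # Refuse to continue on a short read (source ran dry or failed).
    got=$(wc -c < "$seed" | tr -d ' ')
    if [ "$got" -ne "$nbytes" ]; then
        rm -f "$seed"
        return 1
    fi

    # Feed the intermediate file via -rand; umask keeps the key private.
    ( umask 077
      openssl genrsa -rand "$seed" -out "$out" 2048 2>/dev/null ) \
        && rc=0 || rc=$?

    # The seed material is no longer needed once the key exists.
    rm -f "$seed"
    return "$rc"
}
```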
stunnel 4.26 released
Dear Users,

Version 4.26, 2008.09.20, urgency: MEDIUM:
* New features
  - Win32 DLLs for OpenSSL 0.9.8i.
  - /etc/hosts.allow and /etc/hosts.deny no longer need to be copied to the chrooted directory, as the libwrap processes are no longer chrooted.
  - More informative error messages for invalid port number specified in stunnel.conf file.
  - Support for Microsoft Visual C++ 9.0 Express Edition.
* Bugfixes
  - Killing all libwrap processes at stunnel shutdown fixed.
  - A minor bug in stunnel.init sample SysV startup file fixed.

Home page/download: http://stunnel.mirt.net/

sha1sum for stunnel-4.24.tar.gz file: 1c9f5dd6b21f354c356cd9100899a90a83068c68

Best regards,
Mike
Re: OpenSSL 0.9.8j dev
On Sat, Sep 20, 2008 at 01:47:55PM -0700, Kyle Hamilton wrote:
> Fips folk: Should the 'fipsdso' target complain if it gets any other command line arguments in ./Configure? Since specifying it means that you're trying to build the shared object...
>
> -Kyle H
>
> On Sat, Sep 20, 2008 at 8:56 AM, The Doctor [EMAIL PROTECTED] wrote:
> > Need to split the FIPS and non-FIPS compliant technologies:
> >
> > When I do a fips compile, namely
> >
> >     ./Configure threads shared no-sse2 fipsdso enable-capieng enable-montasm enable-cms enable-seed enable-tlsext enable-camellia enable-rfc3779 enable-gmp enable-mdc2 enable-rc5 zlib-dynamic --prefix=/usr/contrib --openssldir=/usr/contrib debug-bsdi-x86-elf -g -O3 -Wall -mcpu=pentium3
> >
> > with debug-bsdi-x86-elf
> >
> >     debug-bsdi-x86-elf, gcc:-DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer -O9 -march=pentium3 -Wall -g::${BSDthreads}::-ldl -lm -lc:THIRY_TWO_BIT_LONG RC4_CHUNK BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR),
> >
> > I get:
> >
> >     Testing cipher SEED-ECB(encrypt)
> >     Key 28 db c3 bc 49 ff d8 7d cf a5 09 b1 1d 42 2b e7
> >     Plaintext b4 1e 6b e2 eb a8 4a 14 8e 2e ed 84 59 3c 5e c7
> >     Ciphertext 9b 9b 7b fc d1 81 3c b9 5d 0b 36 18 f4 0f 51 22
> >     test SSL protocol
> >     test ssl3 is forbidden in FIPS mode
> >     *** IN FIPS MODE ***
> >     Available compression methods:
> >     1: zlib compression
> >     8918:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1402:
> >     8918:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1402:
> >     test ssl2 is forbidden in FIPS mode
> >     *** IN FIPS MODE ***
> >     Available compression methods:
> >     1: zlib compression
> >     8932:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1402:
> >     8932:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1402:
> >     test tls1
> >     *** IN FIPS MODE ***
> >     Available compression methods:
> >     1: zlib compression
> >     8956:error:0406A08D:rsa routines:RSA_new_method:non fips method:rsa_eng.c:183:
> >     8956:error:0D079064:asn1 encoding routines:ASN1_ITEM_EX_COMBINE_NEW:aux error:tasn_new.c:221:
> >     8956:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:402:Type=RSA
> >     8956:error:0D09B00D:asn1 encoding routines:d2i_PublicKey:ASN1 lib:d2i_pu.c:99:
> >     8956:error:0B077066:x509 certificate routines:X509_PUBKEY_get:err asn1 lib:x_pubkey.c:366:
> >     8956:error:140BF10C:SSL routines:SSL_SET_CERT:x509 lib:ssl_rsa.c:402:
> >     ERROR in SERVER
> >     8956:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1037:
> >     TLSv1, cipher (NONE) (NONE)
> >     1 handshakes of 256 bytes done
> >     *** Error code 1 (continuing)
> >     Test IGE mode
> >     ../util/shlib_wrap.sh ./igetest
> >     `tests' not remade because of errors.
> >     util/opensslwrap.sh version -a
> >     OpenSSL 0.9.8j-fips-dev xx XXX
> >     built on: Sat Sep 20 08:02:29 MDT 2008
> >     platform: debug-bsdi-x86-elf
> >     options: bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(idx)
> >     compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -pthread -D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -g -O3 -Wall -mcpu=pentium3 -DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer -O9 -march=pentium3 -Wall -g -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
> >     OPENSSLDIR: /usr/contrib
> >     `test' is up to date.
> >
> > using make -k test.
> >
> > Please fix.

From the Configure file:

    elsif (/^fips$/)
        {
        $fips=1;
        }
    elsif (/^rsaref$/)
        {
        # No RSAref support any more since it's not needed.
        # The check for the option is there so scripts aren't
        # broken
        }
    elsif (/^nofipscanistercheck$/)
        {
        $fips = 1;
        $nofipscanistercheck = 1;
        }
    elsif (/^fipscanisterbuild$/)
        {
        $fips = 1;
        $nofipscanistercheck = 1;
        $fipslibdir="";
        $fipscanisterinternal="y";
        }
    elsif (/^fipsdso$/)
        {
        $fips = 1;
        $nofipscanistercheck = 1;
        $fipslibdir="";
        $fipscanisterinternal="y";
        $fipsdso = 1;
        }

--
Member - Liberal International This is [EMAIL PROTECTED] Ici [EMAIL PROTECTED]
God, Queen and country! Beware Anti-Christ rising!
Canada vote anything but Conservative on 14 OCt 2008, join us at http://www.harpocrit.ca .