OPenssl 0.9.8j dev

2008-09-20 Thread The Doctor
Need to split the FIPS and non-FIPS compliant technologies:

When I do a fips compile namely 
./Configure threads shared no-sse2 fipsdso enable-capieng enable-montasm 
enable-cms enable-seed enable-tlsext enable-camellia enable-rfc3779 enable-gmp 
enable-mdc2 enable-rc5 zlib-dynamic --prefix=/usr/contrib 
--openssldir=/usr/contrib
debug-bsdi-x86-elf -g -O3 -Wall -mcpu=pentium3 

with debug-bsdi-x86-elf

debug-bsdi-x86-elf,   gcc:-DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer 
-O9 -march=pentium3 -Wall -g::${BSDthreads}::-ldl -lm -lc:THIRY_TWO_BIT_LONG 
RC4_CHUNK BN_LLONG ${x86_gcc_des} 
${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR),
  

I get:

Testing cipher SEED-ECB(encrypt)
Key
 28 db c3 bc 49 ff d8 7d cf a5 09 b1 1d 42 2b e7
Plaintext
 b4 1e 6b e2 eb a8 4a 14 8e 2e ed 84 59 3c 5e c7
Ciphertext
 9b 9b 7b fc d1 81 3c b9 5d 0b 36 18 f4 0f 51 22

test SSL protocol
test ssl3 is forbidden in FIPS mode
*** IN FIPS MODE ***
Available compression methods:
  1: zlib compression
8918:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1402:
8918:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1402:
test ssl2 is forbidden in FIPS mode
*** IN FIPS MODE ***
Available compression methods:
  1: zlib compression
8932:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1402:
8932:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1402:
test tls1
*** IN FIPS MODE ***
Available compression methods:
  1: zlib compression
8956:error:0406A08D:rsa routines:RSA_new_method:non fips method:rsa_eng.c:183:
8956:error:0D079064:asn1 encoding routines:ASN1_ITEM_EX_COMBINE_NEW:aux error:tasn_new.c:221:
8956:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:402:Type=RSA
8956:error:0D09B00D:asn1 encoding routines:d2i_PublicKey:ASN1 lib:d2i_pu.c:99:
8956:error:0B077066:x509 certificate routines:X509_PUBKEY_get:err asn1 lib:x_pubkey.c:366:
8956:error:140BF10C:SSL routines:SSL_SET_CERT:x509 lib:ssl_rsa.c:402:
ERROR in SERVER
8956:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1037:
TLSv1, cipher (NONE) (NONE)
1 handshakes of 256 bytes done
*** Error code 1 (continuing)
Test IGE mode
../util/shlib_wrap.sh ./igetest
`tests' not remade because of errors.
util/opensslwrap.sh version -a
OpenSSL 0.9.8j-fips-dev xx XXX 
built on: Sat Sep 20 08:02:29 MDT 2008
platform: debug-bsdi-x86-elf
options:  bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) 
blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS 
-pthread -D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -g -O3 -Wall 
-mcpu=pentium3  -DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer -O9 
-march=pentium3 -Wall -g -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT 
-DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
OPENSSLDIR: /usr/contrib
`test' is up to date.

using make -k test .

Please fix.

-- 
Member - Liberal International  
This is [EMAIL PROTECTED]   Ici [EMAIL PROTECTED]
God, Queen and country! Beware Anti-Christ rising! Canada vote anything but 
Conservative on 14 OCt 2008, join us at http://www.harpocrit.ca .

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: OPenssl 0.9.8j dev

2008-09-20 Thread Kyle Hamilton
Fips folk: Should the 'fipsdso' target complain if it gets any other
command line arguments in ./Configure?  Since specifying it means that
you're trying to build the shared object...

-Kyle H



digest verification failing due to unable to load key file

2008-09-20 Thread Guy Helmer
I have converted a Microsoft code signing key obtained from Thawte into 
a PKCS12 file, and then converted to a pair of PEM files, one with the 
private key and the other without, like this:


openssl pkcs12 -chain -in palisadesys.pfx -out palisadesys.pem
openssl pkcs12 -chain -in palisadesys.pfx -nokeys -out palisadesys-publiconly.pem


Then I have signed a file like this:

openssl dgst -sha1 -sign palisadesys.pem -out file.tar.gz.sha1 file.tar.gz

But when I validate the signature:

openssl dgst -sha1 -verify palisadesys-publiconly.pem -signature file.tar.gz.sha1 file.tar.gz

results in the message "unable to load key file".  All three files 
(palisadesys-publiconly.pem, file.tar.gz.sha1, and file.tar.gz) are 
readable.


Thanks for any help,
Guy Helmer

--
Guy Helmer, Ph.D.
Chief System Architect
Palisade Systems, Inc.
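
Added example, not part of the original post: `openssl dgst -verify` takes a PEM public key rather than a certificate, while a `pkcs12 -nokeys` export holds certificates, so the public key has to be extracted first. The key material, file names and function names below are constructed for the illustration, and the example signs with -sha256 where the post uses -sha1.

```shell
#!/bin/sh
# Added example, not from the thread. All key material is a throwaway
# generated locally; file names and the subject are constructed.

# make_signer DIR
# Self-signed certificate and private key, standing in for the PEM
# files exported from the PKCS#12 bundle.
make_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-signer" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# cert_to_pubkey CERT OUT
# Extract the bare public key (PEM "PUBLIC KEY" block) from the first
# certificate in CERT; this is the form that dgst -verify loads.
cert_to_pubkey() {
    openssl x509 -in "$1" -noout -pubkey > "$2"
}

# sign_file KEY FILE SIG
sign_file() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_file PUBKEY FILE SIG
# Returns 0 only when SIG is a valid signature over FILE.
verify_file() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# demo: sign a constructed file, then verify it with the extracted key.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed payload\n' > "$d/file.tar.gz"
    rc=1
    if make_signer "$d" &&
       sign_file "$d/key.pem" "$d/file.tar.gz" "$d/file.tar.gz.sig" &&
       cert_to_pubkey "$d/cert.pem" "$d/pubkey.pem" &&
       verify_file "$d/pubkey.pem" "$d/file.tar.gz" "$d/file.tar.gz.sig"; then
        rc=0
    fi
    rm -rf "$d"
    return "$rc"
}

if [ "${1:-}" = "demo" ]; then demo && echo "Verified OK"; fi
```

When the exported PEM contains a chain, confirm that its first certificate is the signer's before extracting the key, since `openssl x509` reads only the first one.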


Re: How to use a hardware RNG with openssl?

2008-09-20 Thread Gerd Schering

Lutz Jaenicke wrote:
> Gerd Schering wrote:
>> Hello,
>>
>> we purchased a hrng for the generation of RSA keys for instance.
>> It is a USB device and shows up as /dev/qrandom.
>>
>> So, in order to generate rsa keys, is it sufficient to use it as a
>> replacement for /dev/urandom and to call genrsa as
>>
>> openssl genrsa -rand /dev/qrandom 2048  ?
>
> Yes, it is sufficient. Please note that a source not having a definite
> EOF (End Of File) will lead to an infinite loop reading from the source.
> It may therefore be necessary to read a specified amount of entropy
> first into an intermediate file to be fed via -rand.

So, if I get it right: we have a true random source to seed the PRNG
and this produces true random numbers?

regards,
Gerd
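
The intermediate-file approach Lutz Jaenicke describes, as an added example that is not part of the original thread: copy a fixed number of bytes from the endless device into a private file, check that all of them arrived, and pass that file to -rand. The function names and the 256-byte seed size are assumptions; /dev/qrandom is the device named in the post.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the 256-byte
# seed size are assumptions; /dev/qrandom is the device named in the post.

# read_seed DEVICE NBYTES OUTFILE
# Copy exactly NBYTES from DEVICE into OUTFILE (created mode 0600).
# Fails, and removes OUTFILE, if fewer bytes than requested arrived.
read_seed() {
    dev=$1; nbytes=$2; out=$3
    [ -r "$dev" ] || { echo "cannot read $dev" >&2; return 1; }
    # bs=1 with count bounds the read, so a source without EOF cannot
    # keep the reader looping; it also avoids short-block miscounts.
    ( umask 077
      dd if="$dev" of="$out" bs=1 count="$nbytes" 2>/dev/null ) || return 1
    got=$(wc -c < "$out" | tr -d ' ')
    if [ "$got" -ne "$nbytes" ]; then
        echo "short read: got $got of $nbytes bytes" >&2
        rm -f "$out"
        return 1
    fi
}

# gen_rsa_key DEVICE BITS KEYFILE
# Seed from a bounded snapshot of DEVICE, write the key with mode 0600,
# and delete the seed file afterwards so it cannot be reused.
gen_rsa_key() {
    seed=$(mktemp) || return 1
    rc=1
    if read_seed "$1" 256 "$seed" &&
       ( umask 077; openssl genrsa -rand "$seed" -out "$3" "$2" ); then
        rc=0
    fi
    rm -f "$seed"
    return "$rc"
}

# Run only when asked to, e.g.: sh seed.sh /dev/qrandom 2048 key.pem
if [ "$#" -eq 3 ]; then
    gen_rsa_key "$1" "$2" "$3"
fi
```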


stunnel 4.26 released

2008-09-20 Thread Michal Trojnara

Dear Users,

Version 4.26, 2008.09.20, urgency: MEDIUM:
* New features
  - Win32 DLLs for OpenSSL 0.9.8i.
  - /etc/hosts.allow and /etc/hosts.deny no longer need to be copied to
    the chrooted directory, as the libwrap processes are no longer
    chrooted.
  - More informative error messages for invalid port number specified
    in stunnel.conf file.
  - Support for Microsoft Visual C++ 9.0 Express Edition.
* Bugfixes
  - Killing all libwrap processes at stunnel shutdown fixed.
  - A minor bug in stunnel.init sample SysV startup file fixed.

Home page/download: http://stunnel.mirt.net/

sha1sum for stunnel-4.24.tar.gz file:
1c9f5dd6b21f354c356cd9100899a90a83068c68

Best regards,
Mike



Re: OPenssl 0.9.8j dev

2008-09-20 Thread The Doctor
On Sat, Sep 20, 2008 at 01:47:55PM -0700, Kyle Hamilton wrote:
> Fips folk: Should the 'fipsdso' target complain if it gets any other
> command line arguments in ./Configure?  Since specifying it means that
> you're trying to build the shared object...
>
> -Kyle H
 


From the Configure file:

elsif (/^fips$/)
    {
    $fips=1;
    }
elsif (/^rsaref$/)
    {
    # No RSAref support any more since it's not needed.
    # The check for the option is there so scripts aren't
    # broken
    }
elsif (/^nofipscanistercheck$/)
    {
    $fips = 1;
    $nofipscanistercheck = 1;
    }
elsif (/^fipscanisterbuild$/)
    {
    $fips = 1;
    $nofipscanistercheck = 1;
    $fipslibdir="";
    $fipscanisterinternal="y";
    }
elsif (/^fipsdso$/)
    {
    $fips = 1;
    $nofipscanistercheck = 1;
    $fipslibdir="";
    $fipscanisterinternal="y";
    $fipsdso = 1;
    }
