FIPS 140_2 mode for mod_proxy in apache
Is a patch for FIPS 140-2 support available for apache mod_proxy when running SSL?

FIPS 140-2 is supported in apache SSL when in server mode with this patch: https://issues.apache.org/bugzilla/show_bug.cgi?id=46270

However, when running apache as a client via mod_proxy and running over SSL, SSL is not running in FIPS mode. This is verified by seeing non FIPS cryptographic items in the crypto suite in the client TLS HELLO message.

I have a thread going in the apache forum; however, I am not getting relevant responses, so I am putting the same query in here. http://old.nabble.com/FIPS-140_2-compliant-for-mod_proxy--ts27748496.html

Thanks in advance for any replies.

--
View this message in context: http://old.nabble.com/FIPS-140_2-mode-for-mod_proxy-in-apache-tp27769357p27769357.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org

Re: FIPS_mode_set(1) - FIPS_mode_set(0) - FIPS_mode_set(1)
This is a problem for us with FIPS module 1.2.0.

wolfoftheair wrote:
Is this still present in FIPS module 1.2.0? -Kyle H

On Mon, Aug 24, 2009 at 11:55 AM, Mike Trent michael.tr...@xerox.com wrote:
Mike Trent wrote:
It seems that after setting FIPS mode off one cannot set it back on again in the same executable. I have a test program which does:
FIPS_mode_set(1) - works ok indicated by a return true.
FIPS_mode_set(0) - to turn off and works ok, at least the FIPS_mode() call returns 0, so it seems to be off.
Then followed by again FIPS_mode_set(1) which returns a 0 indicating failure. A FIPS_Mode() call indicates that the test program is still in non FIPS mode.
Is it possible to turn off FIPS and turn it back on in an executable? Thanks.

Ok... found the answer. One needs to make this call: RAND_set_rand_method(NULL); prior to making a FIPS_mode_set(1) after having turned off FIPS.

FIPS_mode_set(1) - FIPS_mode_set(0) - FIPS_mode_set(1)
It seems that after setting FIPS mode off one cannot set it back on again in the same executable. I have a test program which does:
FIPS_mode_set(1) - works ok indicated by a return true.
FIPS_mode_set(0) - to turn off and works ok, at least the FIPS_mode() call returns 0, so it seems to be off.
Then followed by again FIPS_mode_set(1) which returns a 0 indicating failure. A FIPS_Mode() call indicates that the test program is still in non FIPS mode.
Is it possible to turn off FIPS and turn it back on in an executable? Thanks.

Re: FIPS_mode_set(1) - FIPS_mode_set(0) - FIPS_mode_set(1)
Mike Trent wrote:
It seems that after setting FIPS mode off one cannot set it back on again in the same executable. I have a test program which does:
FIPS_mode_set(1) - works ok indicated by a return true.
FIPS_mode_set(0) - to turn off and works ok, at least the FIPS_mode() call returns 0, so it seems to be off.
Then followed by again FIPS_mode_set(1) which returns a 0 indicating failure. A FIPS_Mode() call indicates that the test program is still in non FIPS mode.
Is it possible to turn off FIPS and turn it back on in an executable? Thanks.

Ok... found the answer. One needs to make this call: RAND_set_rand_method(NULL); prior to making a FIPS_mode_set(1) after having turned off FIPS.

Re: openssl decrypting unknown whether DES or AES encrypted
Mike Trent wrote:
Moving from DES to AES encryption and all new encryption will be AES. However some existing strings were encrypted in DES. Is there a way to determine if a string is encrypted in DES or AES? Will the decrypt AES fail on a DES encrypted string always or will openssl return a good return but with garbage as the decrypted string?

Thanks for the replies. The solution is actually easier than first thought. As I am doing new encryption with AES all I need to do is append a byte at the end of the encrypted string before returning for storage. On later examination of an encrypted string if a MOD 16 on the string length yields a 1 then I know I have the new encrypted string, and just need to drop off the last byte and decrypt via AES. Otherwise I have DES.
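
The length-based tagging described in the message above, as an added example (not code from the original post). It assumes the stored values are raw binary ciphertext from a padded block mode, so DES output is a multiple of 8 bytes and AES output a multiple of 16. The marker value `AES_TAG`, the check on that value, and the function names are assumptions; the post does not say which byte is appended.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DES_BLOCK 8    /* DES/3DES block size in bytes */
#define AES_BLOCK 16   /* AES block size in bytes */
#define AES_TAG 0x01   /* assumed marker value; the post does not name the byte */

typedef enum { CT_INVALID = 0, CT_DES, CT_AES } ct_kind;

/* Append the one-byte marker to a fresh AES ciphertext before storage.
 * Returns the stored length, or 0 if the input is not whole AES blocks
 * or the output buffer is too small. */
size_t tag_aes(const unsigned char *ct, size_t ct_len,
               unsigned char *out, size_t out_cap)
{
    if (ct_len == 0 || ct_len % AES_BLOCK != 0 || out_cap < ct_len + 1)
        return 0;
    memcpy(out, ct, ct_len);
    out[ct_len] = AES_TAG;
    return ct_len + 1;
}

/* Decide which decryptor a stored blob belongs to, from its length alone,
 * and report how many leading bytes are ciphertext. Lengths that fit
 * neither layout are rejected instead of being guessed at. */
ct_kind classify(const unsigned char *blob, size_t len, size_t *ct_len)
{
    *ct_len = 0;
    if (len > 1 && len % AES_BLOCK == 1) {          /* 16k + 1: tagged AES */
        if (blob[len - 1] != AES_TAG)
            return CT_INVALID;                      /* extra check, not in the post */
        *ct_len = len - 1;
        return CT_AES;
    }
    if (len > 0 && len % DES_BLOCK == 0) {          /* 8k: legacy DES */
        *ct_len = len;
        return CT_DES;
    }
    return CT_INVALID;                              /* truncated or re-encoded */
}

int main(void)
{
    unsigned char aes_ct[32] = {0}, des_ct[24] = {0}, stored[33]; /* constructed */
    size_t n = tag_aes(aes_ct, sizeof aes_ct, stored, sizeof stored), ct_len;
    printf("tagged AES: kind=%d\n", classify(stored, n, &ct_len));
    printf("legacy DES: kind=%d\n", classify(des_ct, sizeof des_ct, &ct_len));
    return 0;
}
```

A blob that was base64- or hex-encoded before storage no longer has these lengths, so decode it before calling `classify`.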