Re: [openssl-users] Openssl version in RHEL 8

2018-12-13 Thread Mody, Darshan (Darshan) 
Thanks Rich

Warm Regards
Darshan

From: openssl-users  On Behalf Of Salz, Rich 
via openssl-users
Sent: Thursday, December 13, 2018 6:19 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Openssl version in RHEL 8


  *   [root@puoasvorsr07 ~]# openssl version
  *   OpenSSL 1.1.1 FIPS  11 Sep 2018

Is that a version you built yourself, or from RedHat?  I believe it is RedHat’s 
version, which did their own FIPS work.

The OpenSSL FIPS module is starting development.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Openssl version in RHEL 8

2018-12-13 Thread Mody, Darshan (Darshan) 
Hi

I am checking RHEL 8 feasibility on our systems. I observe that openssl fips 
module

[root@puoasvorsr07 ~]# openssl version
OpenSSL 1.1.1 FIPS  11 Sep 2018
[root@puoasvorsr07 ~]#

My query is openssl 1.1.1 FIPS is also in the beta phase?

Thanks
Darshan
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] disable session id reuse

2018-05-10 Thread Mody, Darshan (Darshan) 
Hi All

Any suggestion on the problem?

Thanks
Darshan

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Mody, Darshan (Darshan)
Sent: Sunday, May 6, 2018 7:28 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] disable session id reuse

Hi

We do set SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET); while initializing Context

Thanks
Darshan

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Devang Kubavat
Sent: Sunday, May 6, 2018 1:42 PM
To: openssl-users@openssl.org<mailto:openssl-users@openssl.org>
Subject: Re: [openssl-users] disable session id reuse

Hi Darshan,

In Addition, Make sure that you should disable the session ticket based session 
resumption using SSL_OP_NO_TICKET.

By default SSL_OP_NO_TICKET is not disabled.

Thanks
Devang
Sent from my iPhone

On 03-May-2018, at 2:12 PM, Mody, Darshan (Darshan) 
<darshanm...@avaya.com<mailto:darshanm...@avaya.com>> wrote:
Hi,

While doing a openssl s_time command I find that by default it tries for 
Session Id Reuse. “Now timing with session id reuse.”

In case if we don’t want openssl to reuse session id’s how can we configure 
openssl in the application for the same.

The application here is acting as a server.

I have set  SSL_CTX_set_session_cache_mode to SSL_SESS_CACHE_OFF

Thanks
Darshan
--
openssl-users mailing list
To unsubscribe: 
https://mta.openssl.org/mailman/listinfo/openssl-users<https://urldefense.proofpoint.com/v2/url?u=https-3A__mta.openssl.org_mailman_listinfo_openssl-2Dusers=DwMFaQ=BFpWQw8bsuKpl1SgiZH64Q=bsEULbVnjelD7InzgsegHBEbtXzaIDagy9EuEhJrKfQ=6EwdsImPOhlHS6cQdur-UNtSfmU8P5PrY6_Yr_tCo2U=SJPsG8EXG55k4n7fzDiMayd1OUlyHCWP2JzifuoOKg0=>
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] disable session id reuse

2018-05-06 Thread Mody, Darshan (Darshan) 
Hi

We do set SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET); while initializing Context

Thanks
Darshan

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Devang Kubavat
Sent: Sunday, May 6, 2018 1:42 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] disable session id reuse

Hi Darshan,

In Addition, Make sure that you should disable the session ticket based session 
resumption using SSL_OP_NO_TICKET.

By default SSL_OP_NO_TICKET is not disabled.

Thanks
Devang
Sent from my iPhone

On 03-May-2018, at 2:12 PM, Mody, Darshan (Darshan) 
<darshanm...@avaya.com<mailto:darshanm...@avaya.com>> wrote:
Hi,

While doing a openssl s_time command I find that by default it tries for 
Session Id Reuse. “Now timing with session id reuse.”

In case if we don’t want openssl to reuse session id’s how can we configure 
openssl in the application for the same.

The application here is acting as a server.

I have set  SSL_CTX_set_session_cache_mode to SSL_SESS_CACHE_OFF

Thanks
Darshan
--
openssl-users mailing list
To unsubscribe: 
https://mta.openssl.org/mailman/listinfo/openssl-users<https://urldefense.proofpoint.com/v2/url?u=https-3A__mta.openssl.org_mailman_listinfo_openssl-2Dusers=DwMFaQ=BFpWQw8bsuKpl1SgiZH64Q=bsEULbVnjelD7InzgsegHBEbtXzaIDagy9EuEhJrKfQ=6EwdsImPOhlHS6cQdur-UNtSfmU8P5PrY6_Yr_tCo2U=SJPsG8EXG55k4n7fzDiMayd1OUlyHCWP2JzifuoOKg0=>
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] disable session id reuse

2018-05-03 Thread Mody, Darshan (Darshan) 
Hi,

While doing a openssl s_time command I find that by default it tries for 
Session Id Reuse. "Now timing with session id reuse."

In case if we don't want openssl to reuse session id's how can we configure 
openssl in the application for the same.

The application here is acting as a server.

I have set  SSL_CTX_set_session_cache_mode to SSL_SESS_CACHE_OFF

Thanks
Darshan
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] CRL implementation caching

2017-03-13 Thread Mody, Darshan (Darshan) 
Hi,

We have modified our codebase to have CRL verification on the incoming 
certificates. While doing a negative testing with load of certificates I find 
that the resident memory for the module.

My query is when we have CRL verification enabled does openssl caches incoming 
certificates?

Please note that we have set SSL_CTX_set_session_cache_mode(ctx, 
SSL_SESS_CACHE_OFF);

>From the core file generated I am observing many entries of the far-end 
>certificate serial number.

Thanks in Advance

Regards
Darshan
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Difference between re-negotiate APIs

2016-07-12 Thread Mody, Darshan (Darshan) 
Hi

I find there are 2 APIs for SSL renegotiation. SSL_renegotiate and 
SSL_renegotiate_abbreviate.

What is the difference between them?

Thanks
Darshan
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Openssl IPv6 Support

2014-11-05 Thread Mody, Darshan (Darshan) 
Hi,

Does Openssl support IPv6 officially?.

Thanks  Regards
Darshan

SSL_CTX_use_PrivateKey_file

2014-05-25 Thread Mody, Darshan (Darshan) 
Hi,

When I try to  read the EC Private Key file I get an error from the openssl.

Is there another way to use the Elliptic curved Private key. Please note that I 
generate the Public and Private keys via the command lines and use the 
public-private key in my program

Thanks
Darshan

RE: SSL_CTX_use_PrivateKey_file

2014-05-25 Thread Mody, Darshan (Darshan) 
I use below command

openssl ecparam -out key.pem -name prime256v1 -genkey. I am using another 3rd 
Party tool SIPp.  Below is the method that sets the SSL CTX

ssl_init_status FI_init_ssl_context (void)
{
sip_trp_ssl_ctx = SSL_CTX_new( TLSv1_method() );
if ( sip_trp_ssl_ctx == NULL ) {
ERROR(FI_init_ssl_context: SSL_CTX_new with TLSv1_method failed);
return SSL_INIT_ERROR;
}

sip_trp_ssl_ctx_client = SSL_CTX_new( TLSv1_method() );
if ( sip_trp_ssl_ctx_client == NULL) {
ERROR(FI_init_ssl_context: SSL_CTX_new with TLSv1_method failed);
return SSL_INIT_ERROR;
}

/*  Load the trusted CA's */
SSL_CTX_load_verify_locations(sip_trp_ssl_ctx, tls_cert_name, NULL);
SSL_CTX_load_verify_locations(sip_trp_ssl_ctx_client, tls_cert_name, NULL);

/*  CRL load from application specified only if specified on the command 
line */
if (strlen(tls_crl_name) != 0) {
if(sip_tls_load_crls(sip_trp_ssl_ctx,tls_crl_name) == -1) {
ERROR(FI_init_ssl_context: Unable to load CRL file (%s), 
tls_crl_name);
return SSL_INIT_ERROR;
}

if(sip_tls_load_crls(sip_trp_ssl_ctx_client,tls_crl_name) == -1) {
ERROR(FI_init_ssl_context: Unable to load CRL (client) file (%s), 
tls_crl_name);
return SSL_INIT_ERROR;
}
/* The following call forces to process the certificates with the */
/* initialised SSL_CTX*/
SSL_CTX_set_verify(sip_trp_ssl_ctx,
   SSL_VERIFY_PEER |
   SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
   sip_tls_verify_callback);

SSL_CTX_set_verify(sip_trp_ssl_ctx_client,
   SSL_VERIFY_PEER |
   SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
   sip_tls_verify_callback);
}


/* Selection Cipher suits - load the application specified ciphers */
SSL_CTX_set_default_passwd_cb_userdata(sip_trp_ssl_ctx,
   (void *)CALL_BACK_USER_DATA );
SSL_CTX_set_default_passwd_cb_userdata(sip_trp_ssl_ctx_client,
   (void *)CALL_BACK_USER_DATA );
SSL_CTX_set_default_passwd_cb( sip_trp_ssl_ctx,
   passwd_call_back_routine );
SSL_CTX_set_default_passwd_cb( sip_trp_ssl_ctx_client,
   passwd_call_back_routine );

if ( SSL_CTX_use_certificate_file(sip_trp_ssl_ctx,
  tls_cert_name,
  SSL_FILETYPE_PEM ) != 1 ) {
ERROR(FI_init_ssl_context: SSL_CTX_use_certificate_file failed);
return SSL_INIT_ERROR;
}

if ( SSL_CTX_use_certificate_file(sip_trp_ssl_ctx_client,
  tls_cert_name,
  SSL_FILETYPE_PEM ) != 1 ) {
ERROR(FI_init_ssl_context: SSL_CTX_use_certificate_file (client) 
failed);
return SSL_INIT_ERROR;
}
if ( SSL_CTX_use_PrivateKey_file(sip_trp_ssl_ctx,
 tls_key_name,
 SSL_FILETYPE_PEM ) != 1 ) {
ERROR(FI_init_ssl_context: SSL_CTX_use_PrivateKey_file failed);
return SSL_INIT_ERROR;
}

if ( SSL_CTX_use_PrivateKey_file(sip_trp_ssl_ctx_client,
 tls_key_name,
 SSL_FILETYPE_PEM ) != 1 ) {
ERROR(FI_init_ssl_context: SSL_CTX_use_PrivateKey_file (client) 
failed);
return SSL_INIT_ERROR;
}

return SSL_INIT_NORMAL;
}

Thanks in Advance

Regards
Darshan

-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Matt Caswell
Sent: Sunday, May 25, 2014 6:31 PM
To: openssl-users@openssl.org
Subject: Re: SSL_CTX_use_PrivateKey_file



On 25/05/14 13:11, Mody, Darshan (Darshan) wrote:
 Hi,
 
  
 
 When I try to  read the EC Private Key file I get an error from the 
 openssl.
 
  
 
 Is there another way to use the Elliptic curved Private key. Please 
 note that I generate the Public and Private keys via the command lines 
 and use the public-private key in my program
 

I think we need a bit more to go on.

Can you post the commands you used to generate your keys, the error you are 
getting, and the code you are using to read the private key?

Thanks

Matt


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl

RE: SSL_CTX_use_PrivateKey_file

2014-05-25 Thread Mody, Darshan (Darshan) 
Seems to be issue with the ceritificate and the oprivate key

SSL error 0 : error:0B080074:x509 certificate 
routines:X509_check_private_key:key values mismatch.

My bad

Thanks a million

Regards
Darshan

-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Jeffrey Walton
Sent: Sunday, May 25, 2014 9:28 PM
To: OpenSSL Users List
Subject: Re: SSL_CTX_use_PrivateKey_file

On Sun, May 25, 2014 at 11:39 AM, Viktor Dukhovni openssl-us...@dukhovni.org 
wrote:
 On Sun, May 25, 2014 at 11:28:04AM -0400, Jeffrey Walton wrote:

  sip_trp_ssl_ctx = SSL_CTX_new( TLSv1_method() );
  if ( sip_trp_ssl_ctx == NULL ) {
  ERROR(FI_init_ssl_context: SSL_CTX_new with TLSv1_method failed);
  return SSL_INIT_ERROR;
  }

 Well, EC support was added to SSL/TLS at TLS 1.2.

 That's not the case.  ECDSA and ECDHE predate TLSv1.2.  Full support 
 for EC in OpenSSL starts in OpenSSL 1.0.0, while support for TLSv1.2 
 was added in 1.0.1 IIRC.

Indeed. RFC 4492 (ECC for TLS) from May 2006 states it applies to TLS
1.0 and above.

My bad.

Jeff
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org