On Mon, 2009-01-19 at 11:22 +, Young, Alistair wrote:
* is it possible to define our own curves (rather than using
one of the predefined curves)?
if you want to play with your EC, check crypto/ec/ectest.c
if you want to add a new curve to openssl, have a look at
crypto/ec/ec_curve.c,
Thank you, Emanuele.
We really need to use the FIPS version of OpenSSL, so updating the code
isn't a possibility.
However, looking into the source it looks as though all of the functions
that we need are there, so hopefully we can get the functionality we
require by writing a bit of code
... though I notice that the Security Policy document does not
explicitly mention ECDSA in the table of FIPS approved algorithms.
It does mention DSA with 1024-bit keys (but has a confusing footnote
which states that DSA supports a key size of less than 1024 bits except
when not in FIPS mode - is
Dear All,
I have one doubt how to check the signature. And I saw server is sending the
server certificate, can we check this certificate or what is use of
this(certificate come from server side) certificate.
In peer verification, at client side checking the system time, which is
lying in the
I'm not sure what you're trying to ask/say here, but have you looked
into the OPENSSL verify callbacks?
( http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html )
On Fri, Jan 23, 2009 at 12:11 PM, Ajeet kumar.S
ajeetkuma...@jasmin-infotech.com wrote:
Dear All,
I have one doubt how to check
On Fri, Jan 23, 2009, rajan chittil wrote:
Hi ,
I have gone through security policy (
http://www.openssl.org/docs/fips/SecurityPolicy-1.2.pdf) and user guide.(
http://www.openssl.org/docs/fips/UserGuide-1.2.pdf).
I have changed the configuration option to
1. opensslfips1.2
./config
Dear All,
Thank you Ger Hobbelt for your help.
I want to validate only the signature of the server certificate.
For example in peer verification, ssl will check time of client
system(6:28PM 23 Jan 2009) to Ca root certificate validity time after
client hello process.
Validity
I have done as you told but still no success
In the openssl fips 1.2 ,
# ./config -t
Operating system: 00C3E1AD4C00-ibm-aix
Configuring for aix64-cc
/usr/bin/perl ./Configure aix64-cc
The same option I have given in openssl 9.8j
./Configure -DSSL_ALLOW_ADH --prefix=/usr --openssldir=/var/ssl
On Fri, 2009-01-23 at 10:13 +, Young, Alistair wrote:
We really need to use the FIPS version of OpenSSL, so updating the code
isn't a possibility.
ah ok, so maybe you can just skip EVP.
bye!
--
Emanuele Cesena emanuele.ces...@gmail.com
http://ecesena.dyndns.org
Il corpo non ha ideali
On Fri, Jan 23, 2009, Young, Alistair wrote:
... though I notice that the Security Policy document does not
explicitly mention ECDSA in the table of FIPS approved algorithms.
It does mention DSA with 1024-bit keys (but has a confusing footnote
which states that DSA supports a key size of
Steve Marquess marqu...@oss-institute.org wrote:
Stunnel has official FIPS mode support.
I'm working on some fixes to cleanly compile stunnel with openssl-fips 1.2.
Unfortunately it looks like fipsld is no longer installed during the
openssl-fips installation process. Can you confirm it? Is
Okay, so if I get this right, you're saying you want to verify the
server certificate BUT you do NOT want to check its activation date /
expiry date (i.e. the time range over which the certificate is valid)?
I'll forego the very bad security implications of such a wish (those
time ranges are
All,
I am trying to build OpenSSL-fips-1.2 on a Solaris 10 machine
with Sun Studio 8 and force it to build 32-bit objects. Is there
a way I can do that without changing the makefile and thus
violating the fips validation?
I'm not specifically familiar with 64-bit Solaris, but I know
-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: 23 January 2009 13:07
To: openssl-users@openssl.org
Subject: Re: ECDSA signature verification
On Fri, Jan 23, 2009, Young, Alistair wrote:
...
I have a doubt regarding FIPS.
If I have an application which enters FIPS mode, will that put the
crypto lib into FIPS mode, and will the rest of the application also be in
FIPS mode? In other words, is FIPS mode at system level or
application level?
Thanks
Joshi
On Fri, Jan 23, 2009
On Thu, 22 Jan 2009 06:10:36 +0100, Robin Seggelmann
seggelm...@fh-muenster.de said:
RS As a workaround you can use connected UDP sockets. Just use accept()
RS and connect() as you would with TCP connections and create new BIO and
RS SSL objects for every connection. I have tested that and it
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hi list !
I run debian lenny/sid and postfix is my MTA .
My relayhost uses a selfsigned CA certificate which i have imported as
/etc/ssl/certs/myisp.crt and linked as
/usr/share/ca-certificate/myisp.pem and in postfix as
/etc/postfix/CA/myisp.pem
In
Hello,
I develop an application with TLS client functionality. I use
SSL_set_connect_state() to put openssl to client mode.
Is there any way to reject a re-negotiation request from the server?
Now SSL_read() handles re-negotiation transparently and accepts that. I'd like
to have more
Hello,
I'm receiving the following error when compiling on AIX with XLC using the
openssl-SNAP-20090123. I receive the same error when compiling 64bit.
cc -I.. -I../.. -I../asn1 -I../evp -I../../include
-DOPENSSL_THREADS -qthreaded -DDSO_DLFCN -DHAVE_DLFCN_H -q32 -O -DB_ENDIAN
On Fri, Jan 23, 2009 at 08:26:12AM +0100, gabrix wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hi list !
I run debian lenny/sid and postfix is my MTA .
My relayhost uses a selfsigned CA certificate which i have imported as
/etc/ssl/certs/myisp.crt and linked as
Dr. Stephen Henson st...@openssl.org wrote:
On Fri, Jan 23, 2009, rajan chittil wrote:
Hi ,
I have gone through security policy (
http://www.openssl.org/docs/fips/SecurityPolicy-1.2.pdf) and user guide.(
http://www.openssl.org/docs/fips/UserGuide-1.2.pdf).
I have changed the
Hello David,
I wonder if you could give out a reference on how to establish a VPN using
DTLS or to tell how to do so.
Kind regards,
GLG
On Thu, Jan 22, 2009 at 7:47 AM, David Woodhouse dw...@infradead.org
wrote:
On Thu, 2009-01-22 at 06:10 +0100, Robin Seggelmann wrote:
To avoid getting
Thanks everyone for the help, I think I am getting closer. All of the SSL
has been removed from the listener (makes much more sense to me now), and
the Init routine has had CRYPTO_malloc_init() and
ENGINE_load_builtin_engines() added (it already had the other basic
routines).
When I use my client
From: Miguel [mailto:m...@moviquity.com]
Sent: Friday, 23 January, 2009 02:40
To: dave.thomp...@princetonpayments.com
Subject: RE: generating private and public key with alias
It's better to reply on the list so that others can check me; added back.
so to generate the CA private Key, can I
I have used the aix64-cc compiler to build openssl fips 1.2. But since we have
a GPFS problem, we have to use the xlc_r compiler to build openssl 9.8J. Since
I am using the xlc_r compiler, it is not creating a validated module. Can you please
tell me what changes I need to make to build openssl 9.8J by