How to link openssl FIPS 140-2 object module with openssl binary

2013-01-10 Thread Nayna Jain
Hi, I want to use FIPS compliant algorithms and keys. For that I understand, I need to have Openssl FIPS object library along with default openssl. However, I am not understanding how to install them. My questions are : 1. Both are tar.gz. Should I run ./Configure, make and make install for

Re: Ciphers: disabling

2013-01-10 Thread Serhiy Ivanov
Thanks for pointing out for more detailed description. Tried actually with no-camelia flag and had error: #error CAMELLIA is disabled from ./crypto/camellia/camellia.h. I didn't know that I also should manually remove that directory after make depend. On Wed, Jan 9, 2013 at 7:23 PM, Jeremy Farrell

Re: Ciphers: disabling

2013-01-10 Thread Serhiy Ivanov
Tried to turn off everything I can: #!/bin/bash make clean make dclean ./config no-threads no-shared no-zlib \ no-camellia no-bf no-cast no-des no-dh no-dsa no-mac no-md2 no-mdc2 no-rc2 \ no-rc4 no-rc5 no-rsa no-krb5 make depend make # no-sha no-md5 # make make install #

Re: Ciphers: disabling

2013-01-10 Thread Serhiy Ivanov
After turning off all ciphers I implicitly turned off whole TLS1: #ifndef OPENSSL_NO_TLS1 # define OPENSSL_NO_TLS1 #endif #ifndef OPENSSL_NO_TLSEXT # define OPENSSL_NO_TLSEXT #endif - in my opensslconf.h So, which cipher should remain i.e. which of them corresponds to

Re: Compile 0.9.8x for 64bit is missing _SHA* symbols

2013-01-10 Thread Jakob Bohm
On 1/9/2013 6:40 PM, Ribhi Kamal wrote: Hi all, I've compiled openssl 0.9.8x on windows 7 using VS2010 pro using the following steps: perl Configure VC-WIN64A --prefix=%LIB_OUT% CALL ms\do_win64a nmake -f ms\ntdll.mak nmake -f ms\ntdll.mak test nmake -f ms\ntdll.mak install Unfortunately the

Re: How to link openssl FIPS 140-2 object module with openssl binary

2013-01-10 Thread Jeffrey Walton
On Thu, Jan 10, 2013 at 3:07 AM, Nayna Jain naynj...@in.ibm.com wrote: Hi, I want to use FIPS compliant algorithms and keys. For that I understand, I need to have Openssl FIPS object library along with default openssl. However, I am not understanding how to install them. My questions are :

RE: RSA_private_decrypt function takes longer time.

2013-01-10 Thread Tayade, Nilesh
-Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl- us...@openssl.org] On Behalf Of Jakob Bohm Sent: Friday, December 21, 2012 8:23 PM To: openssl-users@openssl.org Subject: Re: RSA_private_decrypt function takes longer time. On 12/21/2012 1:13 PM,

Re: RSA_private_decrypt function takes longer time.

2013-01-10 Thread Jeffrey Walton
On Thu, Jan 10, 2013 at 6:13 AM, Tayade, Nilesh nilesh.tay...@netscout.com wrote: -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl- us...@openssl.org] On Behalf Of Jakob Bohm Sent: Friday, December 21, 2012 8:23 PM To: openssl-users@openssl.org Subject:

Re: RSA_private_decrypt function takes longer time.

2013-01-10 Thread Jakob Bohm
On 1/10/2013 12:13 PM, Tayade, Nilesh wrote: -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl- us...@openssl.org] On Behalf Of Jakob Bohm Sent: Friday, December 21, 2012 8:23 PM To: openssl-users@openssl.org Subject: Re: RSA_private_decrypt function takes

RE: RSA_private_decrypt function takes longer time.

2013-01-10 Thread Tayade, Nilesh
-Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl- us...@openssl.org] On Behalf Of Jakob Bohm Sent: Thursday, January 10, 2013 6:56 PM To: openssl-users@openssl.org Subject: Re: RSA_private_decrypt function takes longer time. [...] Coming back to this.

Re: RSA_private_decrypt function takes longer time.

2013-01-10 Thread Jeffrey Walton
On Thu, Jan 10, 2013 at 9:01 AM, Tayade, Nilesh nilesh.tay...@netscout.com wrote: -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl- us...@openssl.org] On Behalf Of Jakob Bohm Sent: Thursday, January 10, 2013 6:56 PM To: openssl-users@openssl.org Subject:

OpenSSL RT instance migration

2013-01-10 Thread Lutz Jaenicke
Hi, in the process of upgrading and migrating our server infrastructure I have just put the updated Request Tracker into operation. The request tracker stays reachable via r...@openssl.org (or the alias openssl-b...@openssl.org). While the migration is still in progress, the web interface is

RE: RSA_private_decrypt function takes longer time.

2013-01-10 Thread Tayade, Nilesh
-Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl- us...@openssl.org] On Behalf Of Jeffrey Walton Sent: Thursday, January 10, 2013 7:54 PM To: openssl-users@openssl.org Subject: Re: RSA_private_decrypt function takes longer time. [...] So I feel like

RE: RSA_private_decrypt function takes longer time.

2013-01-10 Thread Salz, Rich
True. But HSM claims performance, correctness and security. Jeffrey's point is that you need whole-system security, not just faster crypto. (And your original note didn't say HSM, but implied just an accelerator card.) For example, how do you make sure that only authentic and authorized

Re: How to link openssl FIPS 140-2 object module with openssl binary

2013-01-10 Thread Nayna Jain
Thanks Jeffrey for the quick response. I have one more question. Actually there is also NIST Recommendations document i.e. NIST SP 800-131 A. To satisfy the requirements for NIST SP 800-131 A , 1. Do we need to use FIPS Object library module ? 2. Do we just need to make sure that we use

Re: How to link openssl FIPS 140-2 object module with openssl binary

2013-01-10 Thread Jeffrey Walton
On Thu, Jan 10, 2013 at 11:04 AM, Nayna Jain naynj...@in.ibm.com wrote: Thanks Jeffrey for the quick response. I have one more question. Actually there is also NIST Recommendations document i.e. NIST SP 800-131 A. To satisfy the requirements for NIST SP 800-131 A , 1. Do we need to use

Re: Compile 0.9.8x for 64bit is missing _SHA* symbols

2013-01-10 Thread Ribhi Kamal
Thanks Jakob, I'm using MASM (ml and ml64) and it seems to work ok for the 32bit build at least. Should I be using nasm for 64bit instead? The functionality for SHA512 and the rest seems to be implemented because the test for SHA512 (sha512t.exe) is compiled and works correctly. And I think the

Re: FIPS enable Apache 2.4.3 with OpenSSL 1.0.1c-fips

2013-01-10 Thread Jerry Blasdel
My issue is resolved. I had to add the following before calling httpd configure: export CC=fipsld export FIPSLD_CC=gcc Thanks.

RE: How to remove certificate from X509_STORE?

2013-01-10 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Srivardhan Hebbar Sent: Tuesday, 08 January, 2013 08:34 X509_STORE_add_cert() would add a certificate to the list of trusted certificates in the ctx. What is the way to remove a certificate from this trusted store? Am not finding any function

RE: last parameter of AES_ofb128_encrypt

2013-01-10 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of jeetendra gangele Sent: Wednesday, 09 January, 2013 01:28 When I use AES_ofb128_encrypt for decrypting 2 bytes of data. Actually I have 18 bytes of data so 16 bytes I am decrypting with CBC and 2 bytes with OFB mode. For this 2 bytes I am

Re: Compile 0.9.8x for 64bit is missing _SHA* symbols

2013-01-10 Thread Jeffrey Walton
On Thu, Jan 10, 2013 at 5:50 PM, Ribhi Kamal rbhka...@gmail.com wrote: Never mind, the application (virtualbox) was incorrectly trying to use the 32bit version of openssl. But I still don't understand why a 32bit version has different symbols than the 64bit one. The message is probably similar

Re: Compile 0.9.8x for 64bit is missing _SHA* symbols

2013-01-10 Thread Ribhi Kamal
So even though the names differ by a prefixed underscore in ( _SHA1_Update vs SHA1_Update ), the names are actually the same? I wonder what linker logic is behind this Thanks for the help, RK On Thu, Jan 10, 2013 at 6:09 PM, Jeffrey Walton noloa...@gmail.com wrote: On Thu, Jan 10, 2013 at

Re: Compile 0.9.8x for 64bit is missing _SHA* symbols

2013-01-10 Thread Jeffrey Walton
On Thu, Jan 10, 2013 at 6:33 PM, Ribhi Kamal rbhka...@gmail.com wrote: So even though the names differ by a prefixed underscore in ( _SHA1_Update vs SHA1_Update ), the names are actually the same? I wonder what linker logic is behind this Yes. That's a 'C' decoration. The underscore'd name is

RE: Compile 0.9.8x for 64bit is missing _SHA* symbols

2013-01-10 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Ribhi Kamal Sent: Thursday, 10 January, 2013 17:51 Never mind, the application (virtualbox) was incorrectly trying to use the 32bit version of openssl. But I still don't understand why a 32bit version has different symbols than the 64bit one.