[openssl-users] /dev/random in FIPS mode Error: PRNG not seeded

Hello, We have a custom hardware system running Linux Debian OS having openssl 1.0.2l compiled with FIPS module 2.0. We are trying for FIPS 140-2 certification. By default it looks like openssl RAND_poll() uses /dev/urandom for entropy. We are told this may not be acceptable for FIPS 140-2 Level

RE: openssl 1..0.1e -bad sig size 32 32 for DSA 2048 keys

Thanks for the quick reply. Since FIPS-140-3 may limit DSA key limit to be not less than 2048, Is there a chance of 2048 DSA key support in the near future upstream versions of openssl? Thanks. -- View this message in context:

openssl 1..0.1e -bad sig size 32 32 for DSA 2048 keys

Hi, I built and installed openssl 1.0.1e. When i try to connect using ssh with 2048 DSA keys, i get *bad sig size 32 32* error. Is this a bug? Here is how i created the keys. openssl version OpenSSL 1.0.1e-fips 11 Feb 2013 openssl dsaparam -out dsaparam.pem 2048 openssl gendsa -out ssh_dsa_key

FIPS_Mode_set() and Integrity check

Hi All, I have a question about FIPS mode and Integrity check. 1)I built FIPS 2.0.2 module, libcrypto.1.0.0 with FIPS and dynamically linked against *sshd* and installed on target machine, which is working fine. 2)I cleaned up the libraries, build FIPS module and libcrypto.so.1.0.0 again and

compiling mod_ssl as shared forms mod_ssl.a and not mod_ssl.so

Hi, I am trying to compile httpd 2.4.4 with openssl 1.0.1e. I want mod_ssl to be linked dynamically as mod_ssl.so But after compiling using following config option results in mod_ssl.a . ./configure --prefix=/etc/apache2 --with-ssl=/openssl_cc1 *--enable-so --enable-mods-shared=all*

Re: Is it possible to configure only TLSv1.2 ciphers for FIPS?

or the ciphers?/ Sorry, i was under the impression that Selecting TLS version automatically sets the same versioned ciphers. I may be mistaken here. Jakobs mail clears the confusion for me. Thanks! Cipher. -- View this message in context: http://openssl.6102.n7.nabble.com/Is-it-possible-to-configure

FIPS with openssl 1.0.1c strange error

I cross compiled openssl 1.0.1c with FIPS with following commands: For FIPS module: ./config make for openssl ./config fips no-asm shared --with-fipsdir=/software/openssl/openssl-fips-2.0.2/ export FIPS_SIG=/software/openssl/openssl-fips-2.0.2/util/incore changed fipsld line 132 to ${FIPS_SIG}

Re: OpenSSL internal error, assertion failed: Low level API call to cipher AES forbidden in FIPS mode

: Killing privsep child 1519 cipher-ctr.c needs to modified as well? void ssh_aes_ctr_iv(EVP_CIPHER_CTX *evp, int doset, u_char * iv, size_t len) { struct ssh_aes_ctr_ctx *c; if ((c = EVP_CIPHER_CTX_get_app_data(evp)) == NULL) fatal(ssh_aes_ctr_iv: no context); if (doset

Re: OpenSSL internal error, assertion failed: Low level API call to cipher AES forbidden in FIPS mode

Hi Steve, Thanks for the suggestion. It worked. *ssh_aes_ctr_iv: no context [preauth]* message was coming because i was passing EVP type to that function. Now its fine after passing evp. Thanks, Cipher -- View this message in context: http://openssl.6102.n7.nabble.com/OpenSSL-internal-error

Re: OpenSSL internal error, assertion failed: Low level API call to cipher AES forbidden in FIPS mode

, Cipher -- View this message in context: http://openssl.6102.n7.nabble.com/OpenSSL-internal-error-assertion-failed-Low-level-API-call-to-cipher-AES-forbidden-in-FIPS-mode-tp44864p44900.html Sent from the OpenSSL - User mailing list archive at Nabble.com

Is it possible to configure only TLSv1.2 ciphers for FIPS?

to be changed to support only TLSv1.2 in FIPS mode?(If the list is not so long) any inputs are highly appreciated. Thanks, Cipher -- View this message in context: http://openssl.6102.n7.nabble.com/Is-it-possible-to-configure-only-TLSv1-2-ciphers-for-FIPS-tp44905.html Sent from the OpenSSL

Re: FIPS_rand_set_key and FIPS_rand_seed

I found the solution, it has nothing to do with forking. Here is what i did- I was writing IN FIPS MODE message to *stdout*. When sshd forks child process to handle scp, this stdout was being passed over the pipe causing the issue. My issue got resolved after writing the FIPS mode message

OpenSSL internal error, assertion failed: Low level API call to cipher AES forbidden in FIPS mode

Hi, I complied and installed FIPS capable OPENSSL 1.0.1c and OPENSSH 6.1p1 with FIPS. While debugging i found that SSH fails for *ctr* mode of cipher operation. Here is what i get when i connect using aes256-ctr or aes128-cbc FIPS mode initialized debug1: inetd sockets after dupping: 3, 3

Re: AES key wrap feature unavailable in FIPS mode OpenSSL?

Hi, given the point this was posted in 2011, i hope this is resolved and i can get some help with my problem! I have a similar problem with openssl 1.0.1c compiled with FIPS 2.0.2 and OPENSSH 6.1p1. Here is the debug mode of sshd with aes256-ctr cipher FIPS mode initialized debug1: inetd sockets

Re: FIPS_rand_set_key and FIPS_rand_seed

I have related problem. My *sshd* is compiled with FIPS 2.0.2 incorporated openssl 1.0.1c and runs fine in SBX. But when i try to do scp from a remote system, initial connection is successful but connection get closed immediately. If i am not wrong, scp internally calls ssh which forks a new

ctr-mode is not supported in FIPS mode?

Hi, I complied and installed FIPS capable OPENSSL 1.0.1c and OPENSSH 6.1p1 with FIPS. While debugging i found that SSH fails for *ctr* mode of cipher operation. Is it because of a buggy patch? Here is what i get when i connect using aes256-ctr FIPS mode initialized debug1: inetd sockets after

Re: FIPS enable Apache 2.4.3 with OpenSSL 1.0.1c-fips

Jerry, All, I have built FIPS capable openssl 1.0.1c and formed shared libs(libcrypto.s0.1.0.0 and libssl.so.1.0.0) . Now i am trying to build apache to make it FIPS capable. Do you mind telling me the steps involved in building Apache with newly built openssl? (I am cross compiling, so have not