FIPS mode and ECDSA explicit curves

(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "Explicit curves are not allowed in fips mode"); return 0; } Thank you! cheers, -Felipe Gasper

RSA_METHOD.rsa_sign not called in FIPS mode

as it should until FIPS mode is enabled. Under FIPS mode, the "non-implemented" rsa_priv_enc() is called and an error is returned. The simplified backtrace is: #0 rsa_priv_enc // non-implemented engine function #1 FIPS_rsa_sign_digest // FIPS canister #2 pkey_rsa_sign #3 EVP_SignFinal

Re: OpenSSL shared library in FIPS mode

0, Shirisha Dasari via openssl-users > wrote: > > Hi All, > > > > We have been trying to integrate FOM 2.0.13 with OpenSSL 1.0.2u for FIPS > > compliance. Post integration, we have been able to run in FIPS mode, with > > all self-tests passing as well. However,

Re: OpenSSL shared library in FIPS mode

asari via openssl-users < > openssl-users@openssl.org> wrote: > > Hi All, > > We have been trying to integrate FOM 2.0.13 with OpenSSL 1.0.2u for FIPS > compliance. Post integration, we have been able to run in FIPS mode, with > all self-tests passing as well. However,

Re: OpenSSL shared library in FIPS mode

Hi, Yes. You have to use openssl provided build files. Thanks, Murugesh P. On 7/7/20, Shirisha Dasari via openssl-users wrote: > Hi All, > > We have been trying to integrate FOM 2.0.13 with OpenSSL 1.0.2u for FIPS > compliance. Post integration, we have been able to run

Re: OpenSSL shared library in FIPS mode

tegrate FOM 2.0.13 with OpenSSL 1.0.2u for FIPS > compliance. Post integration, we have been able to run in FIPS mode, with all > self-tests passing as well. However, we seem to be encountering issues in > creation and parsing of ECDSA keys. > > A little background on how we b

OpenSSL shared library in FIPS mode

Hi All, We have been trying to integrate FOM 2.0.13 with OpenSSL 1.0.2u for FIPS compliance. Post integration, we have been able to run in FIPS mode, with all self-tests passing as well. However, we seem to be encountering issues in creation and parsing of ECDSA keys. A little background on how

Re: OpenSSL in FIPS mode, does FIPS mode provide any extra set of ciphersuites?

* >FIPS ciphers are a subset of the ciphers that OpenSSL supports. * Is this true of both OpenSSL 2.0 FIPS version and OpenSSL 3.0 FIPS version. (I suppose yes). But still your confirmation will be helpful. Yes it is true for both. * Also, current version is considered outdated,

RE: OpenSSL in FIPS mode, does FIPS mode provide any extra set of ciphersuites?

Thanks for your answer, it clears up a path for me.Basically, when I build my code against OpenSSL library running with version 2.0 FIPS enabled, my code would work fine on systems running with same OpenSSL library version but non-fips mode.   $> openssl version OpenSSL 1.0.2k-fips  26 Jan 2

Re: OpenSSL in FIPS mode, does FIPS mode provide any extra set of ciphersuites?

Are you asking about the current (outdated) 2.0 module or the 3.0 module that is still being developed? In 2.0, once you enter FIPS mode you cannot leave it. In 3.0 you can switch among FIPS and non-FIPS as you need to. See https://www.openssl.org/docs/OpenSSL300Design.html for a description

Re: OpenSSL in FIPS mode, does FIPS mode provide any extra set of ciphersuites?

Reposting the email, as it was not delivered unless we are subscribed to the list.   Thanks, Prashant     - Original message -From: Prashant Sharma31/India/IBMTo: openssl-users@openssl.org, Mei-Mei Fu/Santa Teresa/IBM@IBMUSCc:Subject: OpenSSL in FIPS mode, does FIPS mode provide any extra

Re: Using EVP api in fips mode (openssl3.0)

On 25/02/2020 11:12, Manish Patidar wrote: > Thanks for reply. It really help to use fips lib. > > I have another doubts regarding the hmac stored in fipsinstall.conf. If > some one modify the fips library after installation and modify the hmac > in fipsinstall.conf accordingly, is openssl3.0

Re: Using EVP api in fips mode (openssl3.0)

Thanks for reply. It really help to use fips lib. I have another doubts regarding the hmac stored in fipsinstall.conf. If some one modify the fips library after installation and modify the hmac in fipsinstall.conf accordingly, is openssl3.0 is able to identify this and fail the fips library

Re: Using EVP api in fips mode (openssl3.0)

On 14/01/2020 04:51, Manish Patidar wrote: > Hi > > Can any guide me how to use fips api in openssl? > > I try to use like below but it always returns null.  > > ctx = EVP_CIPHER_CTX_new() ; > ciph = EVP_CIPHER_fetch(NULL, "aes-128-cbc", "fips=yes") ; > > I am doubting fips provider is not

Using EVP api in fips mode (openssl3.0)

Hi Can any guide me how to use fips api in openssl? I try to use like below but it always returns null. ctx = EVP_CIPHER_CTX_new() ; ciph = EVP_CIPHER_fetch(NULL, "aes-128-cbc", "fips=yes") ; I am doubting fips provider is not loaded. Regards Manish

OpenSSL FIPS mode for libcurl

Hi, I am able to run an application using libcurl which in turn uses OpenSSL in FIPS mode with following configuration Help requested Need opinion from seniors who know OpenSSL and libcurl codebase if following is good from conceptual perspective with respect to OpenSSL, libcurl. a) Built

SHA1_Init () is called through SSL_shutdown () in FIPS mode

Hi all, Need help in resolving an error or understanding the flow. Openssl library we are using is FIPS capabled. Openssl version is 1.0.2n with fips-2.0.16 Platform: Linux version 3.10.38-ltsi-WR6.0.0.11_standard (gcc version 4.8.1) We have an application which uses libssl and libcrypto for its

Re: Trying to use a ((constructor)) to force libcrypto.so into FIPS mode

On Thu, Jun 6, 2019 at 2:34 PM Larry Jordan via openssl-users < openssl-users@openssl.org> wrote: > Re: openssl-1.0.2r > > Re: openssl-fips-2.0.16 > > OS: Linux Mint 19.1 (Ubuntu) > > > > I have added a shared library initializer function to cryptlib.c to force

Re: Trying to use a ((constructor)) to force libcrypto.so into FIPS mode

Jordan via openssl-users < openssl-users@openssl.org> wrote: > Re: openssl-1.0.2r > > Re: openssl-fips-2.0.16 > > OS: Linux Mint 19.1 (Ubuntu) > > > > I have added a shared library initializer function to cryptlib.c to force > OpenSSL into FIPS mode,

Trying to use a ((constructor)) to force libcrypto.so into FIPS mode

Re: openssl-1.0.2r Re: openssl-fips-2.0.16 OS: Linux Mint 19.1 (Ubuntu) I have added a shared library initializer function to cryptlib.c to force OpenSSL into FIPS mode, without requiring a “module operator” to directly initiate (i.e. call FIPS_mode_set(1)). void __attribute__((constructor

[openssl-users] FIPS mode on Windows

On Mon Sep 10 11:26:25 UTC 2018, Hubert Kario wrote: > On Friday, 7 September 2018 20:18:38 CEST Alessandro Gherardi wrote: >> I'm running Windows 10. >> I downloaded the FIPS module sources >> from https://www.openssl.org/source/openssl-fips-2.0.16.tar.gz and the >> OpenSSL sources from

Re: [openssl-users] /dev/random in FIPS mode Error: PRNG not seeded

In FIPS mode, the default entropy gathering is not performed. You, the user, must supply all entropy to the module. See section 6.1.1 of the OpenSSL FIPS User Guide (https://www.openssl.org/docs/fips/UserGuide-2.0.pdf). Pauli -- Oracle Dr Paul Dale | Cryptographer | Network Security

[openssl-users] /dev/random in FIPS mode Error: PRNG not seeded

andom" Now we see that openssl is using /dev/random, but the problem is openssl operations randomly fail when run multiple times with "PRNG not seeded" error. This is in-spite of having rngd installed to boost entropy. [root@debian ~]# OPENSSL_FIPS=1 openssl version FIPS mode ON. Open

Re: [openssl-users] FIPS mode on Windows

On Friday, 7 September 2018 20:18:38 CEST Alessandro Gherardi wrote: > I'm running Windows 10. > I downloaded the FIPS module sources > from https://www.openssl.org/source/openssl-fips-2.0.16.tar.gz and the > OpenSSL sources from https://www.openssl.org/source/openssl-1.0.2p.tar.gz . > I built

Re: [openssl-users] FIPS mode on Windows

The application c > an test to see if FIPS mode has been successfully performed." Therefore, > for OpenSSL to switch to FIPS mode, it is required that the application > call FIPS_mode_set(1). Can you please confirm that my understanding is now > correct? If you are using that spe

Re: [openssl-users] FIPS mode on Windows

On Thursday, 6 September 2018 04:18:38 CEST Alessandro Gherardi via openssl- users wrote: > I have a question: On Windows, should OpenSSL FIPS automatically enable FIPS > mode (FIPS_mode_set(1)) if the FIPS registry > entry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Fips

[openssl-users] FIPS mode on Windows

I have a question: On Windows, should OpenSSL FIPS automatically enable FIPS mode (FIPS_mode_set(1)) if the FIPS registry entry  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled is set to 1? This is to emulate the Linux behavior - if I understand correctly

Re: [openssl-users] Openssl 1.0.2o issue with FIPS mode set.

"strconv" >> "github.com/spacemonkeygo/openssl" >> ) >> >> func init_fips() { >> err := openssl.FIPSModeSet(true) >> if err != nil { >> panic(fmt.Errorf("%v Error:%v\n", "openssl failed to se

Re: [openssl-users] Openssl 1.0.2o issue with FIPS mode set.

; "io" > "strconv" > "github.com/spacemonkeygo/openssl" > ) > > func init_fips() { > err := openssl.FIPSModeSet(true) > if err != nil { > panic(fmt.Errorf("%v Error:%v\n", "openssl failed to set &g

Re: [openssl-users] Openssl 1.0.2o issue with FIPS mode set.

t(true) if err != nil { panic(fmt.Errorf("%v Error:%v\n", "openssl failed to set fips mode.", err)) } log.Print("OpenSSL FIPS mode is set to: True\n") } func main() { init_fips() laddr := "0.0.0.0:443" var

Re: [openssl-users] Openssl 1.0.2o issue with FIPS mode set.

sl server with FIPS mode set. I am using Openssl > library build with fips module 2.0. > With Openssl 1.0.1u version, everything was running fine. > Recently I upgraded to version 1.0.2o. With this version, under high > traffic condition (more than 4k requests per minute), read request fails &

[openssl-users] Openssl 1.0.2o issue with FIPS mode set.

Hello, I have golang based openssl server with FIPS mode set. I am using Openssl library build with fips module 2.0. With Openssl 1.0.1u version, everything was running fine. Recently I upgraded to version 1.0.2o. With this version, under high traffic condition (more than 4k requests per minute

Re: [openssl-users] Enable the FIPS mode in the library level

Am 05.03.2018 um 20:39 schrieb Alan Dean: > Thanks Matthias for your response. > > I have a different question: > > Per your suggestion in the previous email, FIPS_mode_set() can be > moved inside of OPENSSL_init(), in order to force the FIPS mode > enabled in the libra

Re: [openssl-users] Enable the FIPS mode in the library level

Thanks Matthias for your response. I have a different question: Per your suggestion in the previous email, FIPS_mode_set() can be moved inside of OPENSSL_init(), in order to force the FIPS mode enabled in the library level. However currently OPENSSL_init() is actually invoked from within

Re: [openssl-users] Enable the FIPS mode in the library level

Am 05.03.2018 um 19:55 schrieb Alan Dean: > Thanks a lot Matthias for the suggestion. > > I have few follow-up questions below: > Please see my other replies. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Enable the FIPS mode in the library level

Am 05.03.2018 um 20:07 schrieb Salz, Rich via openssl-users: > > * Did you mean if an application uses the low level crypto algorithm > functions (e.g. SHA256_Init/ SHA256_Update/ SHA256_Final) then > they won't work under FIPS mode (and hence may cause unpredictable

Re: [openssl-users] Enable the FIPS mode in the library level

* Did you mean if an application uses the low level crypto algorithm functions (e.g. SHA256_Init/ SHA256_Update/ SHA256_Final) then they won't work under FIPS mode (and hence may cause unpredictable issues)? Yes. It’s not unpredictable issues, but rather that your application cannot claim

Re: [openssl-users] Enable the FIPS mode in the library level

tions which have their own configuration > > and enable/disable FIPS mode explicitely, call FIPS_mode_set(0) > > afterwards. > > > > > > HTH, > > Matthias > > > > One more obstacle: In FIPS mode it is not allowed to use low level > crypto algorit

Re: [openssl-users] Enable the FIPS mode in the library level

Thanks a lot Matthias for the suggestion. I have few follow-up questions below: On Mon, Mar 5, 2018 at 2:57 AM, Dr. Matthias St. Pierre < matthias.st.pie...@ncp-e.com> wrote: > > > On 05.03.2018 10:46, Alan Dean wrote: > > Question 1: Is it even feasible to make the FIP

Re: [openssl-users] Enable the FIPS mode in the library level

Dr. Matthias St. Pierre <matthias.st.pie...@ncp-e.com> wrote: > On 05.03.2018 10:46, Alan Dean wrote: >> Question 1: Is it even feasible to make the FIPS mode always enabled >> for the whole OpenSSL library (i.e. for both libcrypto and libssl), so &

Re: [openssl-users] Enable the FIPS mode in the library level

sure that the FIPS initialization succeeded. However, > an application which is not FIPS-aware won't check the result. > * It can happen that applications which have their own configuration > and enable/disable FIPS mode explicitely, call FIPS_mode_set(0) > afterwards. > > > HTH, > M

Re: [openssl-users] Enable the FIPS mode in the library level

On 05.03.2018 10:46, Alan Dean wrote: > Question 1: Is it even feasible to make the FIPS mode always enabled > for the whole OpenSSL library (i.e. for both libcrypto and libssl), so > that most the applications which dynamically linked to libcrypto and > libssl will be automatically

[openssl-users] Enable the FIPS mode in the library level

OpenSSL library, and based on the OpenSSL FIPS Library User Guide, it seems like the only way to make all these third party applications capable of running on FIPS mode will require modifying all these software to inject the FIPS_mode_set() API into the appropriate spots, so that FIPS mode can

[openssl-users] Enable FIPS mode using OPENSSL_config()

Hi All: My understand is by using OPENSSL_config(), we will be able to enable the FIPS mode globally on the system, is that correct? My question is, if we enable FIPS mode through configuration and using OPENSSL_config(), does it means for all the applications which link to OpenSSL library

Re: [openssl-users] OpenSSL DRBG in FIPS mode confusion.

On 15.03.2017 10:50, Jayalakshmi bhat wrote: > Hi All, > > OpenSSL uses 256 bit AES-CTR DRBG as default DRBG in FIPS mode. I have > question associated with this. > > 1. OpenSSL wiki says : Default DRBG is 256-bit CTR AES *using a derivation > function* > 2. Where

[openssl-users] OpenSSL DRBG in FIPS mode confusion.

Hi All, OpenSSL uses 256 bit AES-CTR DRBG as default DRBG in FIPS mode. I have question associated with this. 1. OpenSSL wiki says : Default DRBG is 256-bit CTR AES *using a derivation function* 2. Where as the document http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf

Re: [openssl-users] FIPS mode: Need to use FIPS versions of (EVP) methods ?

On Tue, Aug 02, 2016, jonetsu wrote: > FIPS: Need to use FIPS versions of (EVP) methods ? > > In FIPS mode, is there a need to use the FIPS_* methods instead of the > regular ones once FIPS_mode_set(1) was successfully executed ? For > instance, is there a need to use FIPS_evp

[openssl-users] FIPS mode: Need to use FIPS versions of (EVP) methods ?

FIPS: Need to use FIPS versions of (EVP) methods ? In FIPS mode, is there a need to use the FIPS_* methods instead of the regular ones once FIPS_mode_set(1) was successfully executed ? For instance, is there a need to use FIPS_evp_sha1() instead of EVP_sha1() ? Wouldn't the FIPS version

Re: [openssl-users] Custom Random number generation while in Fips mode

> On Jul 28, 2016, at 11:00 AM, pratyush parimal > wrote: > > Hi Thomas, > > Thanks for your response! It clears up matters a lot :) > > There's one thing that I thought of though -- even though I'm generating the > salt via non-OpenSSL means, the actual function

Re: [openssl-users] Custom Random number generation while in Fips mode

Hi Thomas, Thanks for your response! It clears up matters a lot :) There's one thing that I thought of though -- even though I'm generating the salt via non-OpenSSL means, the actual function that I'm using for hashing is "SHA512" from FIPS OpenSSL. Does the mere usage of salt that was generated

Re: [openssl-users] Custom Random number generation while in Fips mode

> On Jul 27, 2016, at 8:18 PM, pratyush parimal > wrote: > > Hi all, > > I work on a consumer application which is striving to be fips-140-2 compliant. > > I'm using OpenSSL as recommended in the fips guide by invoking > fips_mode_set(). However, in certain parts

[openssl-users] Custom Random number generation while in Fips mode

Hi all, I work on a consumer application which is striving to be fips-140-2 compliant. I'm using OpenSSL as recommended in the fips guide by invoking fips_mode_set(). However, in certain parts of the same application, I'm using my own non-OpenSSL random number generator to generate salts for

Re: [openssl-users] While ssl handshake happens, getting error Operation not allowed in fips mode

On 04/05/2016 08:15, mani kanta wrote: Hello, While the SSL handshake is happening,I am getting the error as below SSL_connect error:0408E09E:rsa routines:PKEY_RSA_SIGN:operation not allowed in fips mode. ssl handshake went well up to client sending key exchange to server and failing

[openssl-users] While ssl handshake happens, getting error Operation not allowed in fips mode

Hello, While the SSL handshake is happening,I am getting the error as below SSL_connect error:0408E09E:rsa routines:PKEY_RSA_SIGN:operation not allowed in fips mode. ssl handshake went well up to client sending key exchange to server and failing in the process of send client verify. Why

[openssl-users] TLS 1.0 in FIPS mode ?

Hello, Does OpenSSL allows TLS 1.0 when running in FIPS mode ? Thanks. -- View this message in context: http://openssl.6102.n7.nabble.com/TLS-1-0-in-FIPS-mode-tp65343.html Sent from the OpenSSL - User mailing list archive at Nabble.com. -- openssl-users mailing list To unsubscribe: https

Re: [openssl-users] [openssl-dev] Low level API call to digest SHA1 forbidden in FIPS mode - within openssl code

; I'll check on that. Certainly no engines > > I can check back in the dump and see where we are in the code in each method > call > What would be useful is tracing what happens in EVP_DigestInit_ex() during the X509_digest() call. For example does it detect FIPS mode properly and if

Re: [openssl-users] [openssl-dev] Low level API call to digest SHA1 forbidden in FIPS mode - within openssl code

No, nothing unusual. Is there anything from the build process that would be useful in demonstrating this yes or no? I'm not the person responsible for the build process but I'm pretty sure it was followed to the letter - however I'll check on that. Certainly no engines I can check back in the

Re: [openssl-users] [openssl-dev] Low level API call to digest SHA1 forbidden in FIPS mode - within openssl code

On Thu, Mar 24, 2016, Glen Matthews wrote: > Hi > > Yes it's a standard build. FIPS 2.0 with openssl 1.0.2g - I took a dump when > the dialog box was displayed, and that's how I got the call stack. > > if (x->ex_flags & EXFLAG_SET) > return; > #ifndef OPENSSL_NO_SHA >

Re: [openssl-users] [openssl-dev] Low level API call to digest SHA1 forbidden in FIPS mode - within openssl code

() - calculating another digest at that point - and the test for FIPS_mode() worked, so I think we are in FIPS mode all through that call stack. glen -Original Message- From: Glen Matthews Sent: Thursday, March 24, 2016 1:55 PM To: 'openssl-users@openssl.org' Subject: RE: [openssl-users] [openssl

Re: [openssl-users] [openssl-dev] Low level API call to digest SHA1 forbidden in FIPS mode - within openssl code

, March 24, 2016 1:36 PM To: openssl-users@openssl.org Subject: Re: [openssl-users] [openssl-dev] Low level API call to digest SHA1 forbidden in FIPS mode - within openssl code On Wed, Mar 23, 2016, Glen Matthews wrote: > Hi > > Right, sorry about the wrong posting - and thanks. > &g

Re: [openssl-users] [openssl-dev] Low level API call to digest SHA1 forbidden in FIPS mode - within openssl code

ve been reading, the code should not be calling with EVP_sha1(). > Is this a standard OpenSSL build or has it been modified in some way? At what point do you enter FIPS mode? The above call should be routed through to the SHA1 implementation in the validated module. It's not clear why not at this point. Steve. --

Re: [openssl-users] [openssl-dev] Low level API call to digest SHA1 forbidden in FIPS mode - within openssl code

rrell Sent: Wednesday, March 23, 2016 3:48 PM To: openssl-users@openssl.org Cc: openssl-...@openssl.org Subject: Re: [openssl-dev] Low level API call to digest SHA1 forbidden in FIPS mode - within openssl code This is a question about using the OpenSSL libraries; should be in openssl-use

Re: [openssl-users] [openssl-dev] Low level API call to digest SHA1 forbidden in FIPS mode - within openssl code

(128): OpenSSL internal error, assertion failed: Low level API call to digest SHA1 forbidden in FIPS mode! I notice the assertion message mentions a header from what looks like a 1.0.2f tree, but the references below are all to a 1.0.2g tree. I've no idea if this is relevant to the problem

Re: [openssl-users] RSA_generate_key fails in FIPS Mode with key size 2048

BUILTIN_KEYGEN:key size too small) > > As I understand, RSA Key size must be 2048 or greater in FIPS mode, so I > printed out the key size just before calling the above function: > > KEYSIZE = 2048. > > What else could cause this function to report a key size to

[openssl-users] RSA_generate_key fails in FIPS Mode with key size 2048

or greater in FIPS mode, so I printed out the key size just before calling the above function: KEYSIZE = 2048. What else could cause this function to report a key size too small if it is 2048 bits? Is 2048 still FIPS-compliant? BTW: this works if FIPS mode is off. Thanks! -- View

Re: [openssl-users] OPENSSL error:21072077:PKCS7 routines:PKCS7_decrypt in FIPS mode

using the PKCS7_decrypt( ) > function. The error string is: > > OPENSSL error:21072077:PKCS7 routines:PKCS7_decrypt:decrypt error > > This only happens in FIPS mode so we suspect a weak cipher, but I'm unable > to glean any specified error that would verify this suspicion. I was hoping

[openssl-users] OPENSSL error:21072077:PKCS7 routines:PKCS7_decrypt in FIPS mode

:PKCS7 routines:PKCS7_decrypt:decrypt error This only happens in FIPS mode so we suspect a weak cipher, but I'm unable to glean any specified error that would verify this suspicion. I was hoping someone would be nice enough to inspect this file and verify if there is any non-FIPS-iness. I don'

Re: [openssl-users] FIPS mode errors

print does not match:fips.c:232: I tried few other openssl commands under the FIPS mode and got all the same error messages. The non-FIPS mode was working fine. What is the above error mean and what could have caused this error? This is the most severe FIPS error code, it means one of 3 things: 1. (offic

Re: [openssl-users] FIPS mode errors

Hi Jakob, This is the most severe FIPS error code, it means one of > 3 things: > > 1. (official reason for this error code): Someone illegally > modified the FIPS validated crypto code after it was > compiled, do not use this computer until the cause has > been thoroughly investigated and

[openssl-users] FIPS mode errors

l commands under the FIPS mode and got all the same error messages. The non-FIPS mode was working fine. What is the above error mean and what could have caused this error? -- Thanks, Rich -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] How do I verify the FIPS mode

talled the FIPS capable OpenSSL lib on my system, and I was > wondering what's the easiest way to find out whether my OpenSSL is really > FIPS capable or not. > > e.g. is there any way to run some openssl commands to find out, such as > "openssl ciphers -v", and what cipher suite

[openssl-users] How do I verify the FIPS mode

hat cipher suite should definitely not show up in FIPS mode. Thanks, Rich -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] How do I verify the FIPS mode

t an enabled cipher in FIPS mode. It depends on the version. Recent versions of OpenSSL will give a "FIPS mode not supported" error for env OPENSSL_FIPS=1 openssl md5 ... Whereas that command for a properly built FIPS-enabled OpenSSL will give a "not permitted in FIPS mode" error

Re: [openssl-users] How do I verify the FIPS mode

st a non-FIPS enabled OpenSSL. According to some > > posts you can do 'OPENSSL_FIPS=1 openssl md5' which should return an > > error as md5 is not an enabled cipher in FIPS mode. > > It depends on the version. Recent versions of OpenSSL will give a "FIPS > mode not supported&

Re: [openssl-users] How do I verify the FIPS mode

Actuall, I may have steered you wrong. It appears that OPENSSL_FIPS may have no affect against a non-FIPS enabled OpenSSL. According to some posts you can do 'OPENSSL_FIPS=1 openssl md5' which should return an error as md5 is not an enabled cipher in FIPS mode. On Wed, Feb 10, 2016 at 1:49 PM

Re: [openssl-users] How to enable FIPS mode system-wide for the FIPS capable OpenSSL?

Thanks Steve. I think the way to use OPENSSL_config() and openssl.conf to enable FIPS mode basically still requires each application to explicitly invoke OPENSSL_config() API in order to truly enable the FIPS mode, is that correct? If that's the case, then basically there's no way to really

Re: [openssl-users] How to enable FIPS mode system-wide for the FIPS capable OpenSSL?

Thanks Steve. I think the way to use OPENSSL_config() and openssl.conf basically still requires each application to explicitly invoke OPENSSL_config() API in order to truly enable the FIPS mode, is that correct? If that's the case, then basically there's no way to really globally enable the FIPS

Re: [openssl-users] How to enable FIPS mode system-wide for the FIPS capable OpenSSL?

On 01/28/2016 07:11 PM, security veteran wrote: > Hi All: > > Is there a way to enable FIPS mode globally, instead of having to > explicitly invoke the FIPS_mode_set() API from each application, for > enabling the FIPS mode? > > ... Kinda-sorta, via OPENSSL_config()

[openssl-users] How to enable FIPS mode system-wide for the FIPS capable OpenSSL?

Hi All: Is there a way to enable FIPS mode globally, instead of having to explicitly invoke the FIPS_mode_set() API from each application, for enabling the FIPS mode? The reason I ask is, it will be much easier to enable FIPS mode if there're many applications which rely on OpenSSL for crypto

[openssl-users] SSL keys and certificates for FIPS and non-FIPS mode

Hi everyone, If I have a HTTPS client and server both using OpenSSL with FIPS modules, and supporting both FIPS and non-FIPS mode, will the SSL server and client keys and certificates need to be changed between operating on FIPS and non-FIPS mode? Thanks, Rich

[openssl-users] Digest MD5 forbidden in FIPS mode

Hello, I wrote a C code which enter in FIPS mode with fips_mod_set(1). But, when I call MD5 functions after setting FIPS mode, I get this error: md5_dgst.c(75): OpenSSL internal error, assertion failed: Low level API call to digest MD5 forbidden in FIPS mode! Aborted. Does anybody know what

Re: [openssl-users] Digest MD5 forbidden in FIPS mode

MD5 is not considered a safe function to use hence it is forbidden in FIPS mode. Can you use a different hash function ( such as SHA-something ) for your use case? On Mon, Jan 18, 2016 at 4:43 PM, Marcos Bontempo <marcosbonte...@hotmail.com > wrote: > Hello, > > I wrote a C c

Re: [openssl-users] Digest MD5 forbidden in FIPS mode

> I wrote a C code which enter in FIPS mode with fips_mod_set(1). > > But, when I call MD5 functions after setting FIPS mode, I get this error: > > md5_dgst.c(75): OpenSSL internal error, assertion failed: Low level API call > to digest MD5 forbidden in FIPS mode! Aborted. >

Re: [openssl-users] Digest MD5 forbidden in FIPS mode

On Mon, Jan 18, 2016, Marcos Bontempo wrote: > Hello, > I wrote a C code which enter in FIPS mode with fips_mod_set(1). > But, when I call MD5 functions after setting FIPS mode, I get this error: > md5_dgst.c(75): OpenSSL internal error, assertion failed: Low level API call >

[openssl-users] PKEY signing failing in fips mode

r:0408E09E:rsa routines:PKEY_RSA_SIGN:operation not allowed in fips mode." It would be much appreciated if anyone can let me know why I'm hitting this, and if there is any way of getting around it. Thanks, Mahoda ___ openssl-users mailing list To unsubscribe: http

Re: [openssl-users] (2013) : PKCS12 keystore creation failing in fips mode (RT3515)

On Wed, Nov 11, 2015, jonetsu wrote: > Hello, > > > There is a thread in 2013 (30 May 03:15) in which Steve writes that OpenSSL > 1.0.1 has a bug regarding the use of PKCS12 in FIPS mode since it tries to > handle a certificate using a non-FIPS component.  I think

[openssl-users] (2013) : PKCS12 keystore creation failing in fips mode (RT3515)

Hello, There is a thread in 2013 (30 May 03:15) in which Steve writes that OpenSSL 1.0.1 has a bug regarding the use of PKCS12 in FIPS mode since it tries to handle a certificate using a non-FIPS component.  I think I found the commit that fixes this, although it is part of a quite huge

[openssl-users] 'FIPS_CIPHERINIT:disabled' in fips mode error in 1.0.1e

In 1.0.1e the following is observed when using OpenSSL in FIPS mode:  % OPENSSL_FIPS=1 openssl pkcs12 -export -in  /tmp/ipsec.d/certs/192.168.11.1 -inkey  /tmp/ipsec.d/private/192.168.11.1 -name 192.168.11.1 -out  /tmp/ipsec.d/192.168.11.1.p12 -password pass:""  3067167952:erro

[openssl-users] Enable FIPS mode of OpenSSL by changing the configuration file, will it work for Python as well?

Hi All: I tried to enable the FIPS mode by making the following changes in my openssl.cfg config file. After making the changes, I verified that I can no longer run the non FIPS approval algorithm such as MD5 by running openssl command, which is expected: openssl md5 123.txt However, I can

[openssl-users] How to enable the FIPS mode of the OpenSSL FIPS modules by calling OPENSSL_Config() API?

>From the User Guide of OpenSSL FIPS Object Module v2.0, page 54, it mentioned the FIPS mode can be initialized indirectly by indirect call vial OPENSSL_config() API. My question is, from where should we call this API? If we use Apache and Python as examples, does that mean both of them n

[openssl-users] How to enable FIPS mode by default of the OpenSSL FIPS modules

Thanks Steve. If we use Apache and Python as examples, does that mean both of them need to invoke OPENSSL_Config() in order to enable the FIPS mode? And if that's the case, how do we make them invoke OPENSSL_Config() API? Also regarding the openssl.cfg changes mentioned in the User Guide, what

Re: [openssl-users] How to enable FIPS mode by default of the OpenSSL FIPS modules

modules, and I was > testing the new lib files by replacing the original library files such > as libcrypto.so with the new ones. > > From the FIPS user guide I understand that any applications which need > to use the OpenSSL FIPS modules will need to run the API FIPS_mode_set > to enabl

[openssl-users] How to enable FIPS mode by default of the OpenSSL FIPS modules

files such as libcrypto.so with the new ones. >From the FIPS user guide I understand that any applications which need to use the OpenSSL FIPS modules will need to run the API FIPS_mode_set to enable the FIPS mode. This sounds like a big issue to me: there are may other libraries/ services wh

Re: [openssl-users] RSA key generation in FIPS mode

to the RSA_X931_generate_key_ex() function, and/or the struct creation function should explicitly set the rsa_keygen method. Correct? Well you don't have to modify the FIPS module at all. The FIPS capable OpenSSL can be modified to call FIPS_rsa_x931_generate_key_ex in FIPS mode. Steve. -- Dr Stephen N. Henson

[openssl-users] RSA key generation in FIPS mode

(and therefor is not acceptable under 186-2). In testing, it appears when running in FIPS mode and calling the wrapper function, the non-approved builtin function is the one that is called. The default RSA struct creation function, defined in fips/fips_rsa_lib.c:FIPS_rsa_new() sets a mechanism

[openssl-users] FIPS mode entropy callback for rsa key

.nabble.com/FIPS-mode-entropy-callback-for-rsa-key-tp59114.html Sent from the OpenSSL - User mailing list archive at Nabble.com. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Not getting RSA keyword for a key in fips mode

I generate the new key in BEGIN RSA PRIVATE KEY format. You can't because the format isn't allowed in FIPS mode because it uses MD5 for key derivation. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org

[openssl-users] Not getting RSA keyword for a key in fips mode

Hi All, I am trying to create a pem format key for my existing key by using the below command. openssl rsa -in my_rsa_key -outform PEM -out my_res_newkey_pem The new key format is -BEGIN PRIVATE KEY-. But I am expecting -BEGIN RSA PRIVATE KEY- In nonFIPS mode i am getting

Re: [openssl-users] Not getting RSA keyword for a key in fips mode

-BEGIN RSA PRIVATE KEY- In nonFIPS mode i am getting -BEGIN RSA PRIVATE KEY- as expected. My openssl version is OpenSSL 0.9.8zf-fips. Please let me know how can I generate the new key in BEGIN RSA PRIVATE KEY format. You can't because the format isn't allowed in FIPS mode

[openssl-users] FIPS mode and AES_set_encrypt_key/AES_set_decrypt_key

Can anyone shed light on why these APIs are disabled in FIPS mode? They involve operations that must be implemented within the boundary of the FIPS crypto module? It seems like disabling them is intended to prevent mistakes from developers trying to write their own AES mode implementations

  1   2   3   4   >