[openssl-users] Need Information on validation for OpenSSL FIPS

2016-06-15 Thread Kamal, Murali
Hi Team,

I read through the content on "OpenSSL" page regarding the 'hostage', 'ransom' 
and 'aftermath' details.

As I understand it,
the currently active 'SE version' or #2398 (2.0.12) has been 
validated/certified only on 23 new platforms (as per its 'Security Policy' pdf 
on NIST site)
and the other 100+ platforms of cert-number #1747 & #2743 (TAR ball 2.0.10) 
will be considered as "vendor-affirmed" or "user-affirmed" (as per section 'G5' 
of NIST Implementation Guide pdf) for this "SE or 2.0.12" version;
because this 2.0.12 version "functionally supports all previous platforms" (but 
not listed/stated explicitly by NIST for 2.0.12 or 2.0.13 or 2.0.N version of 
the module).

Is my understanding correct?

If No, request you to provide inputs to correct my understanding.

If Yes, then considering, we get a "Premium Level" support contract with 
OpenSSL Software services (commercial consulting entity);
can we again raise a NEW 'Validation/certification request' against an old 
platform that is already part of #1747 or #2743?

The purpose of my above question is that, we don't want to build 2 versions of 
our product, one that is built with 2.0.10 and another with 2.0.12 or higher 
for the same OS with different version (say FreeBSD 9.x and 10.x) to claim 
FIPS-validated status.
This way, we may be able to pay for re-asserting/revalidating by a CMVP for a 
dozen old platforms that are already part of #1747 or #2743 again in #2398 
(2.0.12) or 2.0.N;
thereby we can build our product using #2398 or some NEW certificate number 
# and claim "FIPS-validated" status with just one TAR ball (say 2.0.12 or 
some 2.0.N).
So that my product documentation would be clear with just ONE certificate 
number (either #2398 or #2473 or a #Brand_new_num) for all platforms of my 
interest.
Because, there will be some skeptical customers who would go to the NIST site 
for the certificate number we quote (#) and look for a list of 
"NIST-CMVP-Validated" platforms against a given # as they may not agree to 
"user-affirmed" or "vendor-affirmed" platforms as "FIPS-Validated".

Regards,
Murali Kamal
Senior Software Engineer
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] created OpenSSL TSL1.2 server (TCP server) and trying to connect thru JAVA client

2016-06-15 Thread sarat
Hi, I am new to OpenSSL, or SSL for that matter. I created an OpenSSL TLS1.2
server (TCP server) and am trying to connect through a Java client (Java 8 TCP
client). I am not able to make the handshake properly. I am messing up with the
certificates. What certificates do I need to create on the server side, which is
running on Linux, to connect from a Java client which is running on
Windows? Which certificate do I need to start the client with, and how? Do I need
to have a CA certificate? Can I use a self-signed certificate? Do I need to
create cert, key and p12 files? Which one to use where? I am confused. Can
someone help me please?


