as a byproduct of the fipscanister build.
-Steve M.
--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
is compatible with OpenSSL 1.0.1.
There are no current plans to add Mac OS X to the 2.0 FIPS module (no
sponsors).
-Steve M.
there. We used Xcode to build the test programs
used for the OS X and iOS validation testing.
-Steve M.
with the 2.0 FIPS module). The OpenSSL
library won't perform disallowed cryptography for any application while
in FIPS mode.
Note that can potentially cause interoperability issues, with peers
supporting only ciphersuites that don't intersect those allowed in FIPS
mode.
-Steve M.
of validation #1747 the vendor
is the OpenSSL Software Foundation.
You are thinking of user affirmation (I.G. G.5):
http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf
-Steve M.
Heh ... a darker simile than the Alice in Wonderland comparison I use.
FIPS 140-2 has its own strange logic that grates against every
sensibility of the experienced software developer. I've been immersed in
it for years and I still don't get some of the rationalizations.
-Steve M.
that contains the FIPS module. Just link applications
referencing that shared library the usual way.
-Steve M.
*and* --with-fipslibdir? At the most you should only need
to specify --openssldir and --with-fipsdir, if you've chosen to install
both the FIPS module and OpenSSL in non-standard locations.
-Steve M.
openssl-fips-2.0.1
BTW we have returned both of the customer supplied iOS systems that were
used for the FIPS validation testing in our lab here, so I unfortunately
can no longer reproduce problems in that environment.
-Steve M.
:-) I'm more concerned about too much detail in that
document as it's a long slog already.
At some point one needs to study the source code.
-Steve M.
(such as the libcrypto shared library) with the FIPS module is to study
how the fips_algvs test program is generated from
make build_algvs
in the FIPS module workarea.
-Steve M.
On 09/13/2012 06:08 PM, TJ wrote:
On 7 September 2012 23:54, Steve Marquess
marqu...@opensslfoundation.com wrote:
On 09/07/2012 12:24 AM, TJ wrote:
I'm doing a cross platform FIPS build (FIPSv2.0.1 with OpenSSL 1.01c).
./Configure no-asm no-hw linux-generic32
make -j1 -C openssl-fips
own validation of OpenSSL is a losing proposition. There's a
reason the FIPS module was a separate software component long before the
introduction of DRBGs.
-Steve M.
cosmetically correct value with the next revision, 2.0.3, which is
already underway.
-Steve M.
used in that arena isn't, but
that's the formal policy. At other levels actual enabling of FIPS 140-2
may also be required.
-Steve M.
(bugfixes and optimizations) while the FIPS module proper remains frozen
in time. The 2.0 module should also be compatible with the evolving
baseline OpenSSL for longer.
-Steve M.
in the course of a
validation, but those individual answers are not necessarily consistent
from one validation to another. You'll need to work with your test lab
to develop your own set of internally consistent answers.
If you can get that lab to publish the details, please do :-)
-Steve M.
tried
following the examples of building FIPS capable OpenSSL libraries in
the User Guide?
-Steve M.
is not compatible with OpenSSL 1.0.1c. You need to
use the OpenSSL FIPS Object Module 2.0 as documented in the User Guide:
http://www.openssl.org/docs/fips/UserGuide-2.0.pdf
-Steve M.
or Linux-like system (just do make).
-Steve M.
Also note that for the most recent validation (2.0 module, #1747) there
aren't many no-asm platforms, so effectively non-SSE2 capable x86
processors aren't supported on many O/Ses.
-Steve M.
code changes.
-Steve M.
to be gained, and much to be
lost, by attempting to reference the FIPS module directly.
If it's not intended to be used, why is it present?
So that you can build the FIPS capable OpenSSL.
-Steve M.
treating it like a normal open source software
product.
If you don't need the FIPS module as a matter of policy then you don't
want it at all, as it has no technical advantages over plain OpenSSL.
-Steve M.
has a processor comparable to the formally
tested one).
Personally, given the ugliness of that RTOS for this purpose I'd be
looking at a change letter mod or a private label validation. Or
switching to something besides VxWorks :-)
-Steve M.
applications.
Omitting openssl-dev as you cross-posted. This was a user list question.
-Steve M.
validation the FIPS capable OpenSSL
is just another application and so is out of scope of the validation.
-Steve M.
and input we're looking at
MediaWiki. Give us a few days to get that stood up and I'll make an
announcement when we think it's more or less ready.
-Steve M.
by retesting each of the 50 plus
platforms. That would cost over a hundred thousand dollars in test lab
fees alone and would require man-months of labor. That is not going to
happen.
literally. Software development common
sense does not apply.
Note the formal testing used this enormously complicated and
sophisticated script to set the environment:
http://opensslfoundation.com/testing/validation-2.0/platforms/solaris/setenv-sparc-64.sh
-Steve M.
between ./config
no-asm and ./config, where no assembler optimizations are present,
but the Security Policy instructions are meant to be taken very
literally. Think of those Build Method commands as a magic incantation.
-Steve M.
circumstance in which
calling that function would make sense.
-Steve M.
I think if this function is mandated by FIPS 140-2 it should be possible
to call
it, regardless of platform and if the program is static or dynamically
linked.
Ah, but you can call it :-).
-Steve M.
On 02/21/2013 08:35 AM, The Doctor wrote:
Anyone having problems accessing ftp.openssl.org as of 21 Feb 2013 noon GMT?
We had some issues with that server (bad DNS). They now appear to be
resolved.
-Steve M.
path hasn't been
formally tested at all. Linux on MIPS, for instance. As the number of
formally tested platforms grows those gaps shrink.
-Steve M.
FIPS module
for mainframe Linux (a platform we don't have ready access to) so your
result isn't surprising.
That platform could be formally added to the validation (via a change
letter mod), but that takes time and money.
-Steve M.
to decide your comfort
level with making that claim.
-Steve M.
it.
-Steve M.
the #1747 validation to create a FIPS 140-2 validated
module for 64-bit OS X, regardless of how you build it.
-Steve M.
module build...
and is also clearly stated in the Security Policy document
(http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf)
-Steve M.
not
the same thing.
-Steve M.
drafted a page in our new wiki:
http://wiki.openssl.org/index.php/FIPS_Build_Guidelines
that will hopefully over time expand into a useful resource for your
class of question. It's a tricky topic.
-Steve M.
upgrading to OpenSSL 1.0.1n.
-Steve M.
, but participation
from the OpenSSL user community is welcomed and encouraged. Just send an
E-mail to wiki-ad...@opensslfoundation.com to request an account with
edit privileges (no account is needed for read-only access, of course).
-Steve M.
issues. We're sitting that out until we know the final outcome. In the
meantime we're only doing change letter updates to the #1747 validation.
-Steve M.
into a validation effort is
considerable. These open source validations have not been money makers
for us; we're losing less money each time but my enthusiasm at least for
tilting at that windmill is diminishing.
-Steve M.
back-doors or deliberate vulnerabilities (other than those inherent
in the technical standards themselves). We don't implement features in
the baseline code that aren't based on open standards.
in-line cryptography. Ditto any IPsec product due to
the use of kernelspace crypto.
If your application uses only FIPS 140-2 validated cryptography
exclusively (whether from one or more validated modules) then you can
claim compliance.
-Steve M.
that surely
no one would be stupid enough to actually use it for any serious real
world applications. I was profoundly wrong about that.
-Steve M.
the newer #1747 validation (the
2.0 module) which is compatible with OpenSSL 1.0.1.
Note the older 1.2 module itself (validation #1051) remains valid for
currently deployed products.
-Steve M.
of files. Some of the OpenSSL email archives
suggests that this is valid and can be used.
...
Correct, that's what we did for the formal testing:
http://opensslfoundation.com/testing/validation-2.0/platforms/hpux/setenv-hpux.sh
-Steve M.
--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc
it with.
An alternative is to use the OpenSSL FIPS Object Module 1.2 (cert #1051)
or preferably the newer 2.0 module (cert #1747). You can use either of
those to create your own RPM.
-Steve M.
change to Makefile.org.
-Steve M.
On 01/08/2014 12:09 PM, Jakob Bohm wrote:
...
OpenSSL 0.9.8 can be used with the (old) OpenSSL FIPS module 1.0, by (as
one of many steps) compiling OpenSSL 0.9.8 --with-fipsdir=
Minor nit: OpenSSL FIPS Object Module v1.2(.x) goes with OpenSSL 0.9.8(x).
-Steve M.
the
ritual algorithm testing many times, with a fatal bug completely
preventing actual use. And so forth ... but thus has it ever been.
-Steve M.
hearing
from many of those vendors. We are also currently impacted as we have
seven new platforms in our test lab ready for testing (and more on the
way); that work is on hold.
I'll post another message when we know how this story turns out.
-Steve M.
architectures.
-Steve M.
that for sponsors even
when not necessary (as directly confirmed by the CMVP) to satisfy
specific and unreasonable (as in above and beyond CMVP requirements)
customer expectations.
-Steve M.
/msg06990.html
and:
https://t.co/7u2uLYOFVS
-Steve M.
apply to Level 1 validations. Level 3
introduces additional challenges.
-Steve M.
. None of them will be Linux 3.0.
-Steve M.
FIPS Object Module 2.0 to completely remove the
Dual EC DRBG implementation. I am informed that submission is under
review but have no idea if or when approval can be expected, so the
revision 2.0.7 testing is proceeding with the Dual EC DRBG code in place.
-Steve M.
is unknown warning is expected. If it makes you actually think
about the authenticity of the server so much the better, it's not like
the pre-load keystores constitute a very exclusive club.
The opensslfoundation.com name should be in the cert. I'll put it on
my list...
-Steve M.
-fips-2.0.N.tar.gz
distributions. The FIPS module is unaffected by the heartbeat bug.
So yes, you can and should upgrade to a FIPS capable 1.0.1g.
-Steve M.
these products.
-Steve M.
--
Steve Marquess
Open Source Software Institute
[EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users
Steve Marquess wrote:
I've just been informed that we have received the long awaited
official approval of the vulnerability fix for the OpenSSL FIPS
Object Module v1.1.1. The patched version of that product is now
known as v1.1.2 with the new validation certificate number 918 and
can
difficult where FIPS 140-2 validation
is concerned -- just look at how long it took to get the little PRNG
vulnerability patch approved.
-Steve M.
, but FIPS 140-2
validations will never be fast compared to software product life cycles.
-Steve M.
in the target environment, and hence is
generally not possible when cross compiling.
-Steve M.
?!?!
Please see http://www.openssl.org/docs/fips/UserGuide-1.1.1.pdf.
Note this document still references v1.1.1 because no changes were
necessary for v1.1.2 which is just the former with a small patch applied.
-Steve M.
, most recently Steve Henson
submitted a patch that includes FIPS mode enabling
(http://mail-archives.apache.org/mod_mbox/httpd-bugs/200711.mbox/[EMAIL
PROTECTED]/bugzilla/%3E).
-Steve M.
the already validated
product.
I tried this just now on a HP-UX 11.11 (PA-RISC) system, no problem.
Could you also try v1.2
(ftp://ftp.openssl.org/source/openssl-fips-1.1.2.tar.gz)? We won't be
able to fix it there either, but at least we'll know for the next time.
-Steve M.
try v1.2. Thanks.
Well, you're on an Itanium box and mine was PA-RISC, and gcc not the HP
compiler. That could well make a difference. Unfortunately I only have
access to PA-RISC.
-Steve M.
and exported.
-Steve M.
(haven't used it in several years and I'm not sure which
system it's installed on, if any).
Are you able to build a stock OpenSSL (say openssl-0.9.7m.tar.gz) using
your build environment?
-Steve M.
/openssl-fips-test-1.2.0.tar.gz)? The
canonical build commands for v1.2 are ./config fipscanisterbuild; make.
-Steve M.
in that appendix to check your specific
environment, though.
All I can say with complete confidence is that gcc 4.2.2 for PA-2.0
builds the FIPS Object Module on my HP-UX 11.11 systems.
-Steve M.
days or weeks
away, and at which point I'll make a heads-up announcement.
If it makes anyone feel any better, take it from me that there are other
government validation/certification processes that are slower, more
difficult, and more pointless than FIPS 140-2.
-Steve M.
and that the validation will *probably* be awarded in a
couple of weeks or so. Emphasis on the probably -- I have been wrong
before.
-Steve M.
-- but the final FIPS-validated RTM
build cannot be built at this time.
We do not know how long it's going to take for the validation to
occur. When it is complete and fully-validated, Steve Marquess of the
Open Source Software Institute will post the announcement here.
Well put.
Based on my
can't be fixed for the forthcoming
validation, but we can fix them for any future validations. At this
point v1.1.2 is sufficiently dated, and diverges enough from v1.2, that
bug fixes are less likely to be relevant to the current development
baseline that we can change.
-Steve M.
.
It will be soon, though. Hopefully...
-Steve M.
suspecting we may be looking at a more indeterminate delay. That's
just a guess on my part, of course, sorry I can't be more definite.
-Steve M.
SSL_library_init() but
before connecting to the remote host?
FIPS_mode_set function must be called before SSL_library_init()?
No, FIPS_mode_set() can be called afterwards. It can even be called
long afterwards, after performing crypto operations in regular
(non-FIPS) mode.
-Steve M.
independent code. The corresponding FIPS capable OpenSSL
distributions (fips option) will automatically include it in the
libcrypto shared library.
-Steve M.
options for identifying and correcting implementation
vulnerabilities.
-Steve M.
got any comments on whether I've gotten this right?
You did.
-Steve M.
a single bit of
machine code or data, regardless of the functional result (or lack thereof).
-Steve M.
tarball.
-Steve M.
Justin A wrote:
Hi Steve Marquess,
What's the equivalent file for fipscanister.o on windows..?
Let's see ... for the OpenSSL FIPS Object Module v1.1.1/1.1.2 it's
fipscanister.o.
For the upcoming v1.2 it will be fipscanister.lib.
-Steve M.
the
massive undertaking of putting together a FIPS build for Windows, I
need to know that these are non-issues. The last time I tried to do
a FIPS build, it wasted two weeks of time better spent doing other
things.
I've wasted five years, welcome to the club :-)
-Steve M.
included in the validation testing.
-Steve M.
will be the first official FIPS compatible 0.9.8
distribution as documented in that User Guide. I'm told that the 0.9.8j
release will most probably, though not definitely, be out later this week.
-Steve M.
--
Steve Marquess
Veridical Systems, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
301-524-9915