Hi All,
We upgraded our device to use OpenSSL 1.1.1k from OpenSSL 1.0.2h. Device is
on an ARM processor. Embedded web server comes to ready state with compiler
optimization set to -O0.
With value -O1 we are seeing issues in d2i_RSAPrivateKey.
I wrote a sample test program as below. The test
Hi All,
We are trying to integrate OpenSSL 1.1.1i on our device that runs on the
ARM platform. Device boots to ready
state with OpenSSL 1.1.1i. However when we try to access the device EWS, we
are getting below error
error:0B080074:x509 certificate routines:X509_check_private_key:key values
Hi All,
We are trying to compile OpenSSL 1.1.1i on our system. It is a hybrid
system. Compiler is arm -gcc for WinCE 6.0 and the module that compiles
openssl is on Vxworks 5.0 abstraction.
I am getting the below error. Does anyone have inputs. Any help would be
appreciated.
Hi All,
We are writing a RSA engine for OpenSSL library to handle certificates up
to 4096 bytes strength. We do support certificates up to 8k.
How to we make engine to handle certificates only up to 4K and others
handled by OpenSSL itself.
Any help, inputs are appreciated.
Thanks and Regards,
Hi All,
We currently use OpenSSL 1.0.2h, we are in the process of upgrading to
OpenSSL 1.1.1. To address some legacy functionalities we are planning to
write engines for OpenSSL 1.0.2h offload crypto operation to external
components.
We have few queries regarding the same
1. Can we offload
FIPS_signature
Regards
Jayalakshmi
On Thu, May 3, 2018 at 7:39 PM, Jayalakshmi bhat <bhat.jayalaks...@gmail.com
> wrote:
> Hi All,
>
> I am building FIPS supported OpenSSL in yocto for ARM architecture. I
> tried using openssl-fips-2.0.13 and openssl-fips-2.0.4
>
>
> I
Hi All,
I am building FIPS supported OpenSSL in yocto for ARM architecture. I tried
using openssl-fips-2.0.13 and openssl-fips-2.0.4
I am building FIPS externally with the below environmental settings
Hello All,
We have 2 RSA OpenSSL engines in our product. Both the engines performs
same RSA encyrpt/decrypt operations. For easy explaination I am naming
engines as
1. RSA smart card engine
2. RSA TPM engine
Engine usage is application specific.There are couple of applications
dependent on RSA
Hi All,
We are using DRBG using AES-CTR-256 in FIPS mode. I could find test
suite/file that takes CAVP test request and generating the response for
DRBG using AES-CTR-256.
However I am not finding any test suite/file that validates AES-CTR
128/192/256 bits. Please can any one let me know while
Hi All,
Thanks for the inputs, This gives me a good understanding on these ciphers
usage.
Thanks and Regards
Jayalakshmi
On Thu, Dec 7, 2017 at 10:31 PM, Jakob Bohm wrote:
> On 07/12/2017 15:05, Michael Wojcik wrote:
>
>> From: openssl-users
Hi Rich,
Thanks for the reply. We are planning to use DHE_RSA based ciphers.
Regards
Jaya
On Wed, Dec 6, 2017 at 7:20 PM, Salz, Rich via openssl-users <
openssl-users@openssl.org> wrote:
> You can re-use the keys, but then you get no forward secrecy, and sessions
> generated with one
Hi Michael,
Thanks for very detailed answers. This will surely help me to investigate
further.
Regards
Jaya
On Wed, Dec 6, 2017 at 7:37 PM, Michael Wojcik <
michael.woj...@microfocus.com> wrote:
> > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On
> Behalf Of Salz, Rich via
to:openssl-users-boun...@openssl.org] On
> Behalf Of Jayalakshmi bhat
> > Sent: Wednesday, December 06, 2017 01:07
>
> > Does it mean to use ECC ciphers from OpenSSL does the end user needs to
> get the license from Citricom?
>
> Consult a lawyer. Opinions on this topic
2/2017 07:02, Jayalakshmi bhat wrote:
>
>> Hi,
>>
>> We are planning to use DHE_RSA TLS ciphers into our product. I have few
>> questions on using DH parameter. We would like to use DH-2048.
>>
>> our product includes both TLS client and server applications. Th
Hi,
I have a question on ECC ciphers implementaion in OpenSSL. I do see
README.ECC file in FIPS certfied OpenSSL crypto library. That says The
OpenSSL Software Foundation has executed a sublicense agreement
entitled "Elliptic Curve Cryptography Patent License Agreement" with the
National
Hi,
We are planning to use DHE_RSA TLS ciphers into our product. I have few
questions on using DH parameter. We would like to use DH-2048.
our product includes both TLS client and server applications. Thus any time
there will be considerable number of active connectioons.
I believe we can use
hardware
like aep, chill, cswift etc from compilation.
Regards
Jayalakshmi
On Thu, Nov 2, 2017 at 4:38 PM, Jayalakshmi bhat <bhat.jayalaks...@gmail.com
> wrote:
> Hi Matt,
>
> Thanks for the reply. We dont want to turn off the engine fully. We have
> TPM chip, that is part of Op
-sureware no-hw-ubsec no-hw-zencod.
However as of now using the above values with ./Configure is not turning
off the compilation of the other hardware components.
Regards
Jaya
On Thu, Nov 2, 2017 at 3:56 PM, Matt Caswell <m...@openssl.org> wrote:
>
>
> On 02/11/17 07:07, Jayalak
-cswift
no-hw-ibmca no-hw-ncipher no-hw-nuron no-hw-padlock no-hw-sureware
no-hw-ubsec no-hw-zencod) does not seems to work. Is there any way to do it?
Regards
Jayalakshmi
On Thu, Oct 26, 2017 at 4:09 PM, Matt Caswell <m...@openssl.org> wrote:
>
>
> On 25/10/17 18:02, Jayalakshmi bha
Hi All,
Our device uses TPM to protect certificate private keys. We have written
engine interface to integrate TPM functionality into OpenSSL. Thus TPM gets
loaded as an engine instance.
Also we have mapped RSA operations to TPM APIS as like
encryption/decryption etc.
Now we are into few
org> wrote:
>
>
> On 24/10/17 07:06, Jayalakshmi bhat wrote:
> > Hi All,
> >
> > I am looking for details on options used to disable or remove unwanted
> > ciphers, components while openssl building. This is for OpenSSL 1.0.2h.
> > I am seeing many thin
Hi All,
I am looking for details on options used to disable or remove unwanted
ciphers, components while openssl building. This is for OpenSSL 1.0.2h. I
am seeing many things on internet. But most of them have minimum
explanation, please can you tell me is there any link that I can refer.
Hi All,
I am trying to build openssl. As part of that I want to remove some ciphers
like md4, rc5 etc.
I tried ./config no-md5, no-rc5 and ./Configure no-md5, no-rc5. In both the
case MD4 and RC5 directories are still getting compiled.
Please can you let me know what could be going wrong.
Hi All,
I am trying to build CAVP test executable for WinCE. Most of the executable
are built except 1-2. I am facing iob_func unresolved error.
Every thing seems to be proper. Any idea or help is well appreciated.
Regards
Jaya
--
openssl-users mailing list
To unsubscribe:
Hi All,
I am using OpenSSL-FIPS-2.0.4 library on ARM7 + WinCE 6.0 with "user
affirm" the validation for Y per I.G. G.5.
We want to run latest CAVP test suites. We have built the *build_algvs and
other executable* for the above product/build environment.
However when we are trying to execute the
Hi Matt,
I do understand. Thanks a lot for the reply.
Regards
Jayalakshmi
On Thu, May 18, 2017 at 2:47 PM, Matt Caswell <m...@openssl.org> wrote:
>
>
> On 18/05/17 06:32, Jayalakshmi bhat wrote:
> > Please can any one let me know the release date or time line for OpenSSL
&
Hi All,
Please can any one let me know the release date or time line for OpenSSL
1.1.1?
Regards
Jayalakshmi
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Hi All,
OpenSSL uses 256 bit AES-CTR DRBG as default DRBG in FIPS mode. I have
question associated with this.
1. OpenSSL wiki says : Default DRBG is 256-bit CTR AES *using a derivation
function*
2. Where as the document
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf
Hi All,
I am generating 1k/2k/3k/4k CSR's on our device using OpenSSL library. I am
generating these CSR on our device. We have windows 2008 R2 servers and I
am signing these CSR using certificate authority on windows server. I am
setting only client and server authentication bits in the CSR
. Thanks every one for the valuable time and
fruitful discussion.
Regards
Jaya
On Sun, Dec 13, 2015 at 11:13 AM, Jayalakshmi bhat <
bhat.jayalaks...@gmail.com> wrote:
> Hi All,
>
>
>
> Thanks for all the responses. As mentioned by Matt in the discussion
> thread,co
Hi All,
Thanks for all the responses. As mentioned by Matt in the discussion
thread,constant_time_msb performs the copy the msb of the input to all of
the other bits so the return value should either be one of 0x or
0x.
I found another interesting thing,constant_time_msb
nssl.org> wrote:
>
>
> On 09/12/15 23:13, Benjamin Kaduk wrote:
> > On 12/09/2015 05:04 PM, Matt Caswell wrote:
> >>
> >> On 09/12/15 11:44, Jayalakshmi bhat wrote:
> >>> Hi Matt,
> >>>
> >>> I could build and execute the constant_tim
ble (named according to CPU) with no arguments.
>
> I ask because your proposed fix may be affected by compiler and/or CPU
> quirks.
>
> On 04/12/2015 12:31, Jayalakshmi bhat wrote:
>
> Hi Matt,
>
> Thanks a lot for the response.
>
> Is your application a client or
Hi All,
Is there inputs or suggestions.
Thanks and Regards
Jaya
On Fri, Dec 4, 2015 at 11:37 AM, Jayalakshmi bhat <
bhat.jayalaks...@gmail.com> wrote:
> Hi Matt,
>
> s3_cbc.c uses the function constant_time_eq_8. I pulled only this
> function definition from OpenSSL 1.0.1e i
there is something specific about your environment that is causing the
> issue. Comments inserted below.
>
> On 04/12/15 06:53, Jayalakshmi bhat wrote:
> > Hi All,
> >
> >
> >
> > Recently we have ported OpenSSL 1.0.2d. Everything works perfect except
> &
Hi Matt,
I replaced constant_time_eq_8 usage in s3_cbc.c with the implementation
available in OpenSSL 1.0.1e. Things worked fine.
Regards
Jaya
On Fri, Dec 4, 2015 at 7:04 PM, Matt Caswell <m...@openssl.org> wrote:
>
>
> On 04/12/15 11:31, Jayalakshmi bhat wrote:
> > Hi
n (unsigned char)(constant_time_eq(a, b));
}
Regards
Jaya
On Fri, Dec 4, 2015 at 7:04 PM, Matt Caswell <m...@openssl.org> wrote:
>
>
> On 04/12/15 11:31, Jayalakshmi bhat wrote:
> > Hi Matt,
> >
> > Thanks a lot for the response.
> >
> > Is your appl
d by compiler and/or CPU
> quirks.
>
> On 04/12/2015 12:31, Jayalakshmi bhat wrote:
>
> Hi Matt,
>
> Thanks a lot for the response.
>
> Is your application a client or a server? Are both ends using OpenSSL 1.0.2d?
> If not, what is the other end using?
> >>Our
Hi All,
Recently we have ported OpenSSL 1.0.2d. Everything works perfect except the
below explained issue.
When we enable only TLS 1.0 protocol and select CBC ciphers, TLS handshake
fails with the error "bad record mac".
Error is in function static int ssl3_get_record(SSL *s). Error
if I do not install
intermediate CA-2 things works fine.
Any help is well appreciated.
Regards
Jayalakshmi
On Mon, Nov 16, 2015 at 2:52 PM, Matt Caswell <m...@openssl.org> wrote:
>
>
> On 16/11/15 06:52, Jayalakshmi bhat wrote:
> > Hi Victor,
> >
> > Tha
Hi All,
In earlier version of OpenSSL (i.e OpenSSL 1.0.1c) X509_verify_cert had a
check * if (params->trust >0)* before invoking check_trust function.
This has been removed in OpenSSL 1.0.2d. Does it mean applications are
expected to set the X509_VERIFY_PARAM properly?
Our application works
gt; wrote:
> On Sun, Nov 15, 2015 at 07:00:06PM +0530, Jayalakshmi bhat wrote:
>
> > In earlier version of OpenSSL (i.e OpenSSL 1.0.1c) X509_verify_cert
> had a
> > check * if (params->trust >0)* before invoking check_trust function.
>
> The OpenSSL source
or the applications to
set X509_VERIFY_PARAM in X509_STORE_CTX
Regards
Jayalakshmi
On Mon, Nov 16, 2015 at 11:40 AM, Viktor Dukhovni <
openssl-us...@dukhovni.org> wrote:
>
> > On Nov 16, 2015, at 12:14 AM, Jayalakshmi bhat <
> bhat.jayalaks...@gmail.com> wrote:
> >
tream versions) is not working the way you expect.
>
> On Mon, Nov 16, 2015 at 12:22:48PM +0530, Jayalakshmi bhat wrote:
>
> > Our device acts as TLS/SSL client. The device receives chain of
> > certificates as part of SSL handshake, when it is trying to get connected
> &g
Hi All,
I have ported OpenSSL 1.0.2d on our product. After that CBC mode is not
working. Handshakes are failing with bad mac alert failure. When I checked
the code mac retrieved from ssl3_cbc_copy_mac does not match with the
calculated mac.
Any help on this is appreciated.
Thanks and Regards
Hi All,
I have ported OpenSSL 1.0.2d on out device. When I am using any cipher
(AES,3DES) in CBC mode I am ending with the
result SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC in SSL_F_SSL3_GET_RECORD
function.
TLS 1.2 with working fine with AES_GCM ciphers.
Has any one faced this issue?. Any help
Hello all,
I have a question on FIPS. We have OpenSSL FIPS module integrated with our
product. We have an option to enable/disable FIPS at run time. We are
executing the following openSSL API's every time when FIPS status changes.
{
We have mapped OpenSSL crypto locks to mutex intenally. Hence
Hi Tom,
Thanks a lot for clarifying the doubt.
Regards
Jayalakshmi
On Thu, Sep 10, 2015 at 8:44 AM, Tom Francis <thomas.francis...@pobox.com>
wrote:
>
> > On Sep 10, 2015, at 8:44 AM, Jayalakshmi bhat <
> bhat.jayalaks...@gmail.com> wrote:
> >
> > Hello al
Hi All,
Does *a**lternative chains certificate forgery** issue* affects the
OpenSSL stacks earlier than 1.0.1n releases Why I am asking this
question is affected code seems to be available in earlier versions as
well.
Thanks and Regards
Jayalakshmi
. API's changed are EVP_MD_flags from evp_lib.c
and pkey_fips_check_ctx from rsa_pmeth.c
Regards
Jayalakshmi
On Fri, Jul 17, 2015 at 4:20 AM, Dr. Stephen Henson st...@openssl.org
wrote:
On Thu, Jul 16, 2015, Jayalakshmi bhat wrote:
Hi All,
I am using OpenSSL library for a SSL client
Hi All,
I am using OpenSSL library for a SSL client performing mutual
authentication. RSA certificate used is signed with SHA512 digest. When I
switch to FIPS mode and perform re-authentication, I am hitting an
error :0409A09E:lib(4):func(154):reason(158). Cipher used is AES128-SHA.
Can any one
Hi All,
We are using OpenSSL on a multihome device. Device has 4 interfaces. Each
network interface creates one SSL context (SSL_CTX) and supports 16
connections. As per OpenSSL implementation Each SSL context can maintain a
free buffer list of 32. And this retained till SSL context (SSL_CTX) is
wrote:
On Mon, Apr 27, 2015 at 12:54 AM, Jayalakshmi bhat
bhat.jayalaks...@gmail.com wrote:
Hello All,
I am working on a project where there is need to encrypt and decrypt
certain
data using certificate public/private key pair. So far we were using RSA
based certificates. OpenSSL
Hello All,
I am working on a project where there is need to encrypt and decrypt
certain data using certificate public/private key pair. So far we were
using RSA based certificates. OpenSSL provides good number of API's for RSA
based encryption/decryption operation.
Now we are planning to support
Hi Kyle,
Thanks a lot for detailed explaination, it helped me lots.
Regards
Jayalakshmi
On Sun, Jul 6, 2014 at 2:44 AM, Kyle Hamilton aerow...@gmail.com wrote:
On 7/5/2014 10:51 AM, Jayalakshmi bhat wrote:
Thanks a lot for the explanation. We have range of products that
provides network
Hi Jakob,
Thank you very much for detailed and helpful explanation.
Regards
Jayalakshmi
On Sun, Jul 6, 2014 at 9:32 PM, Jakob Bohm jb-open...@wisemo.com wrote:
On 7/6/2014 10:44 AM, Kyle Hamilton wrote:
On 7/5/2014 10:51 AM, Jayalakshmi bhat wrote:
Thanks a lot for the explanation. We
Hi All,
We want to support a hardware accelerator on our device. We are using
OpenSSL with OpenSSL FIPS Object module. I wanted to know if we can add
engine support in OpenSSL FIPS Object module.
I welcome all valuable inputs.
Regards
Jayalakshmi.
st...@openssl.org
wrote:
On Sat, Jul 05, 2014, Jayalakshmi bhat wrote:
Hi All,
We want to support a hardware accelerator on our device. We are using
OpenSSL with OpenSSL FIPS Object module. I wanted to know if we can add
engine support in OpenSSL FIPS Object module.
If you
Hi All,
We are using OpenSSL 1.0.1c along with OpenSSL FIPS object Module in our
product. Recently we have added TPM support. TPM chip is not FIPS
compliant. Hence in FIPS mode none of the SSL applications are working.
I wanted inputs on the following questions. I would be grateful to receive
:36 PM, Steve Marquess
marqu...@opensslfoundation.com wrote:
On 07/04/2014 10:44 AM, Dr. Stephen Henson wrote:
On Fri, Jul 04, 2014, Jayalakshmi bhat wrote:
Hi All,
We are using OpenSSL 1.0.1c along with OpenSSL FIPS object Module in our
product. Recently we have added TPM support
. Stephen Henson st...@openssl.org
wrote:
On Fri, Jul 04, 2014, Jayalakshmi bhat wrote:
Hi All,
We are using OpenSSL 1.0.1c along with OpenSSL FIPS object Module in our
product. Recently we have added TPM support. TPM chip is not FIPS
compliant. Hence in FIPS mode none of the SSL
Thanks a lot Steve for the quick response.
On Fri, Jul 4, 2014 at 10:21 PM, Steve Marquess
marqu...@opensslfoundation.com wrote:
On 07/04/2014 12:06 PM, Jayalakshmi bhat wrote:
Hi Steve,
Thank you very much for the response. I have one more question. In order
use a FIPS 140-2
Hi All,
We have a product that has 2 network interfaces i.e. wired and wireless.
Both interfaces uses separate OpenSSL library. However FIPS validated
OpenSSL crypto module is common for both interfaces as shown below.
FIPS validated openSSL
63 matches
Mail list logo