Re: [openssl-users] SHA256() to EVP_* ?

2015-04-29 Thread jonetsu
Thanks for the comments.

> If you are implementing HMAC, perhaps for PBKDF2 (which does
> that prehash-if-too-long), I hope you mean the code does...

Yes it does.

The man page (the one online from OpenSSL project - SHA256.html)
gives a description using SHA1() which computes a message digest.
Being generally new to OpenSSL at that level, what is then the
difference between using, say, SHA1() vs. using SHA1_Init,
SHA1_Update and SHA1_Final ?  Is it only that the latter allows
for continuously adding data until _Final is called ?





--
View this message in context: 
http://openssl.6102.n7.nabble.com/SHA256-to-EVP-tp57774p57791.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-28 Thread jonetsu
> SSLv3 in the ciphersuite definition means it can be used in
> SSLv3 *and later*. A ciphersuite isn't defined once for SSLv3,
> and then again for TLS1.0, and again for TLS1.1 etc - its just
> defined once and is reused across multiple protocol versions.

Yes, this is what I basically understood.  What was lacking then in my
understanding is that:

% OPENSSL_FIPS=1 openssl ciphers -v

Will not output strictly according to FIPS.  Maybe there's no easy way to do
that when the definition of a cipher states otherwise.

Thanks.



--
View this message in context: 
http://openssl.6102.n7.nabble.com/FIPS-SSL-3-0-now-forbidden-in-latest-NDCPP-update-tp57695p57764.html


Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-28 Thread jonetsu
> That refers to the minimum version of the ciphersuite: it
> doesn't imply that it will only be used in SSLv3 (which is
> disabled in FIPS mode).

Hmmm...  I'm sorry but I do not really understand this.  Since openssl is
run in FIPS mode, and since SSLv3 is disabled, then why would the SSLv3
ciphers show up ?  If they have counterparts in TLS that could be used, why
wouldn't the TLS version show up instead ?

Thanks.



--
View this message in context: 
http://openssl.6102.n7.nabble.com/FIPS-SSL-3-0-now-forbidden-in-latest-NDCPP-update-tp57695p57762.html


[openssl-users] SHA256() to EVP_* ?

2015-04-28 Thread jonetsu
Hello,

What would be the equivalent of the SHA256() function in the EVP
class of methods ?  EVP_sha256() could be it, although from the
short description in the manual page it does not seemingly fit in,
returning an EVP_MD which is, if not mistaken, an env_md_st
structure.

The code I'm adapting to EVP has a first pass of shortening the
key if too long:

/* Change key if longer than 64 bytes (the HMAC block size for SHA-256) */
if (klen > HMAC_INT_LEN) {
    SHA256(key, klen, nkey);        /* one-shot digest of the long key */
    key = nkey;
    klen = SHA256_DIGEST_LENGTH;    /* 32 bytes */
}

Before proceeding with the usual SHA256_Init(),
SHA256_Update() (twice), and SHA256_Final.  All of which I have
tested with the corresponding EVP_* methods.  For the use of
SHA256() above, though, I'm puzzled regarding its EVP_*
counterpart.

Suggestions, comments appreciated.

Regards.





--
View this message in context: 
http://openssl.6102.n7.nabble.com/SHA256-to-EVP-tp57774.html
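The two questions in this thread (what the one-shot SHA256() call corresponds to, and whether Init/Update/Final differs from it in anything but incremental feeding) come down to one property: the digest depends only on the concatenated input, not on how it was chunked. The following is an added example and not code from the posts or from OpenSSL; it uses Python's hashlib as a stand-in for the EVP digest API (in OpenSSL the one-shot call is EVP_Digest() and the incremental sequence is EVP_DigestInit_ex()/EVP_DigestUpdate()/EVP_DigestFinal_ex()). It reproduces the key pre-hash step from the quoted code and checks the hand-built HMAC against Python's hmac module; the key and message values are constructed for the demonstration.

```python
"""Added example: one-shot vs. incremental SHA-256, and the HMAC key
pre-hash from the post, checked against Python's hmac module."""
import hashlib
import hmac

SHA256_BLOCK_LEN = 64    # HMAC block size for SHA-256 (the post's HMAC_INT_LEN)
SHA256_DIGEST_LEN = 32   # SHA256_DIGEST_LENGTH


def digest_oneshot(data: bytes) -> bytes:
    # Counterpart of SHA256(data, len, out) / EVP_Digest(): whole message at once.
    return hashlib.sha256(data).digest()


def digest_incremental(chunks) -> bytes:
    # Counterpart of SHA256_Init/Update/Final or EVP_DigestInit_ex/Update/Final:
    # the data may arrive in any number of pieces; the result depends only on
    # their concatenation, not on where the chunk boundaries fall.
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.digest()


def hmac_sha256_manual(key: bytes, msg: bytes) -> bytes:
    # Step from the post: a key longer than the block size is replaced by its digest.
    if len(key) > SHA256_BLOCK_LEN:
        key = digest_oneshot(key)
    # Then zero-pad to the block size and run the two nested hashes (RFC 2104).
    key = key.ljust(SHA256_BLOCK_LEN, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = digest_incremental([ipad, msg])
    return digest_incremental([opad, inner])


def check_equivalence(data: bytes) -> bool:
    # Split the input at every possible point; each split must equal the one-shot digest.
    one = digest_oneshot(data)
    return all(digest_incremental([data[:i], data[i:]]) == one
               for i in range(len(data) + 1))


def check_hmac(key: bytes, msg: bytes) -> bool:
    # Compare the hand-built HMAC with the library result in constant time.
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(hmac_sha256_manual(key, msg), expected)


if __name__ == "__main__":
    # Constructed sample inputs: a short key, and a 100-byte key that triggers the pre-hash.
    short_key = b"constructed-short-key"
    long_key = bytes(range(100))
    msg = b"constructed message for the HMAC check"
    print("incremental == one-shot:", check_equivalence(msg))
    print("short key HMAC matches hmac module:", check_hmac(short_key, msg))
    print("long key HMAC matches hmac module:", check_hmac(long_key, msg))
```

The long-key case is the one worth keeping: with the pre-hash step removed, `check_hmac(long_key, msg)` is false, which is exactly the silent interoperability failure a port from SHA256() to the EVP calls can introduce if that branch is dropped.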


[openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-24 Thread jonetsu
Hi,

> ... Along with TLS 1.0 (which is absent from OpenSSL FIPS mode)

https://www.niap-ccevs.org/pp/pp.cfm?id=CPP_ND_V1.0

Specifically:

FCS_TLSS_EXT.1.2 The TSF shall deny connections from clients requesting SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0

FCS_TLSS_EXT.2.2 The TSF shall deny connections from clients requesting SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0

In this case, would it be possible to simply compile OpenSSL without support
for SSL 3.0, while having FIPS mode taking care of the rest ?  I do not
remember the exact option now, although I'm almost sure there's a compile
option to exclude SSL 3.0.  Am I right and would that work ?

Regards.






--
View this message in context: 
http://openssl.6102.n7.nabble.com/FIPS-SSL-3-0-now-forbidden-in-latest-NDCPP-update-tp57695.html


[gnutls-help] GnuTLS and RNG

2015-04-24 Thread jonetsu
Hello,

Does GnuTLS implement its own random number generator ?  If so, are there any
documents describing it ?

Regards.





___
Gnutls-help mailing list
Gnutls-help@lists.gnutls.org
http://lists.gnupg.org/mailman/listinfo/gnutls-help

Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-24 Thread jonetsu
Hello,

> In FIPS mode SSL 3.0 is not allowed: that has always been the
> case.

% openssl version
OpenSSL 1.0.1f 6 Jan 2014

% OPENSSL_FIPS=1 openssl ciphers -v | grep SSL

ECDHE-RSA-AES256-SHA    SSLv3
ECDHE-ECDSA-AES256-SHA  SSLv3
DHE-RSA-AES256-SHA  SSLv3
DHE-DSS-AES256-SHA  SSLv3
[snipped]

All of the others are TLSv1.2.

Why is SSLv3.0 seen in FIPS mode on this install ?

> TLS 1.0 is currently permitted though.

As far as OpenSSL is concerned, will any action to remove TLSv1.0
only be taken when put into a FIPS frame, e.g. the recent
NDCPPv1.0 is not enough ground to make a change ?

Regards.




--
View this message in context: 
http://openssl.6102.n7.nabble.com/FIPS-SSL-3-0-now-forbidden-in-latest-NDCPP-update-tp57695p57707.html


Re: [openssl-users] Delete a post to openssl-user mailing list

2015-04-22 Thread jonetsu
> What is the security risk?

Management ?  :)






--
View this message in context: 
http://openssl.6102.n7.nabble.com/openssl-users-Delete-a-post-to-openssl-user-mailing-list-tp57653p57670.html


Re: [openssl-users] Delete a post to openssl-user mailing list

2015-04-22 Thread jonetsu
It can be indeed easy to find out about companies in Hartford, CT but, I
still do not see any threat to any existing product.  'Having problems with
OpenSSL' is not good enough.

In any case, when concerned, do like many people and use a pseudonym from
another mailing system.  Employees will not gain promotion points anyway by
having their real names in mailing lists.



--
View this message in context: 
http://openssl.6102.n7.nabble.com/openssl-users-Delete-a-post-to-openssl-user-mailing-list-tp57653p57673.html


Re: [Swan] FIPS mode

2015-04-14 Thread jonetsu


> From: Lennart Sorensen lsore...@csclub.uwaterloo.ca
> Date: 04/14/15 09:01

> But certainly libreswan does the actual packet encryption either with
> xfrm or with klips, both in the kernel, which is where it belongs.

Len, I see from the source that indeed all crypto is through XFRM.  And we
already mentioned that.  But, the concern is about the FIPS validation.  Making
a parallel, it was termed recently that re-implementing glibc2's crypt() for
passwords using OpenSSL EVP methods would be a far cry better than submitting
the glibc2 crypto source code for FIPS validation.  Following the same approach
for the crypto done in the kernel - e.g. submitting the kernel's crypto code for
FIPS validation would also be something costly in both time and money - I
looked around and saw that Strongswan uses a plug-in architecture that allows
replacing the kernel crypto by OpenSSL, specifically for the goal of FIPS
validation.

We all know that doing this crypto in user space has a (significant)
performance penalty.  OTOH, what if most if not all FIPS-certified systems are
known to be slow ?  What if no-one (apart perhaps from Red Hat) has put the
kernel code through FIPS validation ?  Do we want to go that way if there's a
way to save a significant amount of time and money if possible ?




___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan


Re: [openssl-users] FIPS mode restrictions and DES

2015-04-14 Thread jonetsu


> From: Steve Marquess marqu...@openssl.com
> Date: 04/14/15 09:31

> and note that of the 101 platforms (OEs) appearing there, most of
> those operating systems are neither CC certified nor have any other FIPS
> 140-2 validated crypto. Keep in mind that at Level 1 the validation
> applies to the cryptographic module, not the calling application that
> uses that module nor the operating system that runs it.

I came across a Red Hat Security Policy document that clearly puts the XFRM out 
of the Security Policy domain.  See section 1.1.2, page 8, in:

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1386.pdf

This blurs the concept of FIPS validation.  It looks more and more like the
validation will only care about what is being declared as going for validation.
In this case (policy might have changed since 2010) they simply say that no,
we do not declare the crypto done via XFRM as part of the Security Policy.  And
the FIPS lab says, OK, fine.  Hmmm

Regards.





Re: [Swan] FIPS mode

2015-04-14 Thread jonetsu


> From: Paul Wouters p...@nohats.ca
> Date: 04/14/15 10:18

> Just to clarify, XFRM is only used for the IPsec packet
> encryption, not the IKE packet encryption.

Yes.

> IKE is encrypted using the NSS library (which has been FIPS
> certified in itself on some distributions such as RHEL)

NSS has 'native' FIPS mode that can be switched on using the
modutil utility.  No need for an extra package (as in the case
with OpenSSL).

> For RHEL7, Libreswan is currently going through FIPS and Common
> Criteria certification.

(Sorry I haven't looked yet) Is there any FIPS-related code
update available such as restriction of crypto used in FIPS mode ?

> How can your system be FIPS certified when your kernel is not
> FIPS certified?

In many cases the OS is not part of the FIPS validation.

> Running FIPS ceritified applications on a rogue kernel will
> not get your system FIPS certification :P

So far I can say that putting the kernel through FIPS validation
is not something that was ever mentioned with the consultants.
Considering that it would certainly be a huge effort from the
testing lab, they would have mentioned it early on.  And, not all
of the kernel would be certified.

Red Hat 5.0 clearly excludes XFRM from their Security Policy.
Section 1.1.2, page 8:

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1386.pdf

They went for Level 1 certification.  As Steve Marquess of
OpenSSL replied to me this morning, at FIPS Level 1 the
underlying OS is not part of the validation domain.

> Actually, one thing I do like of strongswan is their support
> for AF_KEY, outsourcing all IKE crypto to the (FIPS) kernel,...

As you say, there are not that many IKE packets anyways.  I'm
still wondering why Strongswan would say that using the OpenSSL
crypto plug-ins is the easiest way to get FIPS certification.

Page 12 (yes, it dates from 2008, things might have changed) :

https://www.strongswan.org/docs/LinuxTag2008-strongSwan.pdf

Regards.





Re: [openssl-users] FIPS mode restrictions and DES

2015-04-14 Thread jonetsu
Salz, Rich wrote
> As the old joke goes, if you have to ask, you can't afford it.

Well, exploration can be free.  I noticed that Strongswan uses a plug-in
architecture for crypto that seemingly allows the use of OpenSSL instead of
the kernel for crypto operations, for use under FIPS.  Does anyone have an
idea of the order of magnitude in performance loss this could be for IPSec,
to use crypto from OpenSSL instead of the kernel ?

Regards.




--
View this message in context: 
http://openssl.6102.n7.nabble.com/openssl-users-FIPS-mode-restrictions-and-DES-tp57497p57541.html


Re: [openssl-users] FIPS mode restrictions and DES

2015-04-13 Thread jonetsu
Thanks for all the comments, they're much appreciated.  It is a Debian
system, so there is no Red Hat FIPS validation (or SuSE which also has one I
think) or validated components that can be used.

If I may, I'd like to ask about including the Linux kernel in the
validation.  Now, including glibc2 was a pretty bad idea, it cannot get
better with the kernel.  In this case, IPSec (libreswan) is using the
kernel's crypto functions.  So it seems there would be no way out of this
one.  Any insight on this matter ? - thanks.

Regards.




--
View this message in context: 
http://openssl.6102.n7.nabble.com/openssl-users-FIPS-mode-restrictions-and-DES-tp57497p57533.html


Re: [openssl-users] FIPS mode restrictions and DES

2015-04-13 Thread jonetsu
Thanks for the comments - much appreciated.

The following question might be on the naive side of things, but then I'm
all new to this.  Since crypt() in glibc2 supports SHA-256 and SHA-512 for
password, and assuming that these two are FIPS compatible, what would be the
(financial) overhead of having the crypto part of glibc2 go through
validation ?  It sounds very odd, not to mention very expensive, but I'm
asking nevertheless, in case there is a possibility.  In other words, is the
only practical and viable option regarding this to re-implement crypt()
using EVP methods ?  - thanks.

Regards.




--
View this message in context: 
http://openssl.6102.n7.nabble.com/openssl-users-FIPS-mode-restrictions-and-DES-tp57497p57527.html


FIPS: error notifications to the OS, and some questions

2015-04-13 Thread jonetsu
Hello,

I am new to NSS.  The goal is to use NSS in FIPS mode and to provide the OS
(Linux) some kind of notification when a FIPS error happens.  I presume that
FIPS POST tests are run when NSS is put into FIPS mode using modutil.  I also
assume that continuous, pair-wise tests as well as DRBG tests are done when
running.  Are these assumptions true ?

Where would a good location be to add code in order to notify the OS of any
FIPS error ?  That would at least be logging the error using the system's
logger and would also include some basic notification such as creating a file
somewhere under inotify observation by a daemon application.  Is any provision
for notifying the OS already included ?

Where can I find the latest Security Policy and, is there a User Guide for NSS 
in FIPS mode ?  I browsed the web pages although seemingly I could not find 
links to these documents.

Many thanks, regards.




-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

[Shorewall-users] TC: connection mark value

2015-04-09 Thread jonetsu
Hello,

While it is possible to set the connection mark for a packet, what does the
RESTORE command do in terms of numerical value ?  E.g. it will put into the
packet the connection mark, but what is the connection mark in the first place
and how can this unknown value relate to any mark defined in classes ?  I am
surely missing something.

Thanks.




___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


[openssl-users] FIPS errors: finding causes for failure

2015-04-01 Thread jonetsu
Hello,

  As part of development, still using the fips_hmac test code, this time on a 
target unit using 1.0.1e, the following errors are shown at the console:

3069614096:error:2D088086:FIPS routines:FIPS_selftest_x931:selftest failed:fips_rand_selftest.c:171:

3069614096:error:2D082086:FIPS routines:FIPS_selftest_cmac:selftest failed:fips_cmac_selftest.c:178:

3069614096:error:2D080086:FIPS routines:FIPS_selftest_aes:selftest failed:fips_aes_selftest.c:97:

3069614096:error:2D090086:FIPS routines:FIPS_selftest_aes_xts:selftest failed:fips_aes_selftest.c:383:

3069614096:error:2D083086:FIPS routines:FIPS_selftest_des:selftest failed:fips_des_selftest.c:102:

What is the troubleshooting path from here ?  Is it only by going to the 
appropriate code line ?  In the first case, the FIPS_selftest_x931() is 
concerned, with the 171 line being: 
FIPSerr(FIPS_F_FIPS_SELFTEST_X931,FIPS_R_SELFTEST_FAILED).  Which basically 
means that the actual test code has to be examined. There is documentation in 
the User Guide, section 6.3.1, although it does not seem to be practical to 
find out the cause of the failure.  There are seemingly no log messages 
generated.  Information that would give hints as to why a specific test could 
fail would be useful.  In this case, there's mention of the V seed value being 
corrupted but only for simulation mode.

In short, how to find what could be the cause(s) of FIPS test(s) failure(s) ?

Regards.


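The error lines in the post already carry the first troubleshooting hints: each one is a colon-separated OpenSSL error-queue record (pid, the word error, an 8-hex-digit code, library name, function name, reason, source file, source line), and the hex code packs library, function and reason numbers as (lib << 24) | (func << 12) | reason, which is the ERR_PACK layout OpenSSL 1.0.x uses for ERR_GET_LIB, ERR_GET_FUNC and ERR_GET_REASON; the leading 2D (decimal 45) is ERR_LIB_FIPS in those versions, matching the "FIPS routines" text. The following parser is an added example, not code from the post or from OpenSSL; it runs over a sample log constructed from the five lines above plus one non-error line and summarizes which self-tests failed and where, which is the first thing to pin down before opening the self-test source at the reported line.

```python
"""Added example: parse OpenSSL 1.0.x error-queue lines and summarize failed
FIPS self-tests. The packed-code layout (lib<<24 | func<<12 | reason) is the
ERR_PACK layout of OpenSSL 1.0.x."""
import re
from collections import Counter

ERR_LIB_FIPS = 45  # 0x2D in OpenSSL 1.0.x err.h; the "2D......" codes in the log

# Constructed sample log: the five lines from the post plus one non-error line.
SAMPLE_LOG = """\
3069614096:error:2D088086:FIPS routines:FIPS_selftest_x931:selftest failed:fips_rand_selftest.c:171:
3069614096:error:2D082086:FIPS routines:FIPS_selftest_cmac:selftest failed:fips_cmac_selftest.c:178:
3069614096:error:2D080086:FIPS routines:FIPS_selftest_aes:selftest failed:fips_aes_selftest.c:97:
3069614096:error:2D090086:FIPS routines:FIPS_selftest_aes_xts:selftest failed:fips_aes_selftest.c:383:
3069614096:error:2D083086:FIPS routines:FIPS_selftest_des:selftest failed:fips_des_selftest.c:102:
FIPS mode enabled
"""

# pid:error:code:library:function:reason:file:line:[extra data]
ERR_LINE = re.compile(
    r"^(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib_text>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason_text>[^:]*):(?P<file>[^:]*):(?P<line>\d+):"
)


def unpack_code(code_hex: str) -> dict:
    """Split a packed 1.0.x error code into its library, function and reason numbers."""
    code = int(code_hex, 16)
    return {"lib": (code >> 24) & 0xFF,
            "func_code": (code >> 12) & 0xFFF,
            "reason": code & 0xFFF}


def parse_errors(text: str) -> list:
    """Return one record per error-queue line; other lines are skipped."""
    records = []
    for raw in text.splitlines():
        m = ERR_LINE.match(raw.strip())
        if not m:
            continue  # not an error-queue line (e.g. "FIPS mode enabled")
        rec = m.groupdict()
        rec["line"] = int(rec["line"])
        rec.update(unpack_code(rec["code"]))
        records.append(rec)
    return records


def failed_selftests(text: str) -> list:
    """Names of FIPS self-test functions that reported a failure, in log order."""
    return [r["func"] for r in parse_errors(text)
            if r["lib"] == ERR_LIB_FIPS and r["reason_text"] == "selftest failed"]


def failures_by_file(text: str) -> Counter:
    """How many failures each self-test source file reported (where to look first)."""
    return Counter(r["file"] for r in parse_errors(text))


if __name__ == "__main__":
    for rec in parse_errors(SAMPLE_LOG):
        print(f'{rec["func"]:<24} lib={rec["lib"]} func={rec["func_code"]:#05x} '
              f'reason={rec["reason"]:#05x}  at {rec["file"]}:{rec["line"]}')
    print("failed self-tests:", failed_selftests(SAMPLE_LOG))
    print("by file:", dict(failures_by_file(SAMPLE_LOG)))
```

Two things the summary makes visible at a glance: every record carries the same reason number (0x086, the generic "selftest failed"), so the reason field will not distinguish causes, and the failures span the RNG, CMAC, AES, AES-XTS and DES tests at once, which points at something common to all of them (for instance the build or the module's integrity state) rather than at any single algorithm.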


[rsyslog] rsyslog and GnuTLS

2015-03-27 Thread jonetsu
Hello,

What would be the earliest rsyslog release to support secure remote
syslogging using GnuTLS ?  I have an 'old' version here, 5.8.11, that has a
rsyslog-gnutls component, although I wonder: 1) if this could be a 'Debian
thing', and if the same approach of having this rsyslog-gnutls component is still in
effect today ?  If there is a new design, or any other significant change,
which earliest version could be used to upgrade, while having GnuTLS secure
connections ?

Regards.


___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [openssl-users] FIPS: Any setup required for using a default DRBG ?

2015-03-26 Thread jonetsu


> From: jonetsu jone...@teksavvy.com
> Date: 03/26/15 11:11

> Is FIPS_mode_set(1) taking care of setting up a default DRBG ?

Yes. It does.  When using post_cb() from fips_test_suite.c in for instance the 
fips_hmac.c demo, with only but a FIPS_mode_set(1) call, it is reported that 
the four DRBGs are tested: DRBG AES-256-CTR DF, DRBG AES-256-CTR, DRBG SHA256 
and DRBG HMAC-SHA256, amongst others.

After FIPS_mode_set(1) is executed along with the POST tests, a call to
RAND_pseudo_bytes() will not run the tests again.  In this context, when do
the DRBG continuous tests shown in table 6b of the 2.0.9 Security
Policy occur ?  Is there a need to actually call FIPS_selftest() ?

Regards.







[openssl-users] FIPS: Any setup required for using a default DRBG ?

2015-03-26 Thread jonetsu
Hello,

  Is FIPS_mode_set(1) taking care of setting up a default DRBG ?  Would a 
subsequent call to RAND_pseudo_bytes() for instance be using the default DRBG ( 
256-bit CTR AES ?) There are quite a few DRBG-related FIPS methods described in 
the User Guide, and one that is called FIPS_get_default_drbg().  Does this have 
to be actually called ?  I'm asking since I added in crypto/o_fips.c a 
FIPS_post_set_callback() in FIPS_set_mode() with a case switch on 
FIPS_TEST_DRBG (amongst others).  SHA256, HMAC-SHA256, AES-128-CBC, AES-256-CTR 
amongst others are reported to be tested, although there's no sign of the 
FIPS_TEST_DRBG.  Nor FIPS_TEST_CONTINUOUS for that matter.  Wouldn't the DRBG 
be tested in a 'continuous' way before each use ?  - thanks.

Regards.





[openssl-users] FIPS: Which DRBG is default ?

2015-03-25 Thread jonetsu
Hello,

When an application does not define OPENSSL_DRBG_DEFAULT_TYPE nor
OPENSSL_DRBG_DEFAULT_FLAGS nor any compilation options (if applicable), is the
default DRBG the 256 bit CTR AES (+ derivation function) in FIPS mode ?

Regards.





[openssl-users] FIPS Linux kernel documentation ?

2015-03-25 Thread jonetsu
Hello,

  This is not about OpenSSL, although from experience, maybe some know the 
answer. Does anyone know if actual documentation exists for the Linux kernel 
FIPS mode apart from the source itself ?  There is nothing in Documentation/ as 
per 3.18.2.  - thanks.

Regards.




Re: [openssl-users] FIPS: Which DRBG ?

2015-03-24 Thread jonetsu


> From: Steve Marquess marqu...@openssl.com
> Date: 03/24/15 12:38

 
> No, the OpenSSL FIPS module 2.0 code is no longer suitable (as of early
> 2014) for use as-is in doing copycat validations. Some non-trivial code
> hacks will be necessary.
>
> We'll do a new open source based validation to succeed the 2.0 FIPS
> module (#1747 validation) at the first opportunity, but that opportunity
> has not yet presented itself.

I still do not know that much about the validation in practical terms. If our 
units go through validation, can this benefit OpenSSL ?

Also, to go back to the SP 800-90 vs. SP 800-90A regarding the DRBGs, do you 
know how would the OpenSSL SP 800-90 validation fare in a FIPS testing lab 
since the Dual EC was removed and the other three were not touched ?

Regards.




Re: [openssl-users] FIPS: Which DRBG ?

2015-03-24 Thread jonetsu


> From: Steve Marquess marqu...@openssl.com
> Date: 03/24/15 09:22

> At the time that validation was obtained the four (at the time) DRBGs
> were specified by SP800-90. That document was subsequently reissued in
> several pieces; the current SP800-90A now contains the specifications
> for the three surviving DRBGs (the fatally tainted Dual EC DRBG having
> been removed from the formal standards and also from the OpenSSL FIPS
> Object Module).

If it concerns only the removal of the Dual EC, then it should be OK,
technically.  Not on paper.
 
> Now the code for the OpenSSL FIPS module can no longer be used as-is for
> new private label or copycat validations, but that's for different
> reasons and not because of the DRBGs.

I've read the User Guide bit on private label validations.  In the case of a 
product that consists of a dedicated unit, what would be the best approach ?  
So far I have considered using the OpenSSL FIPS module as is, in the hope that 
its FIPS validation would save costs at the testing lab.  Is this still 
feasible ?

Regards.





[openssl-users] FIPS: Which DRBG ?

2015-03-23 Thread jonetsu
Hello,

Following on the 'SP800-90 DRBG in OpenSSL FIPS 140 for SP800-90A?' topic, the 
OpenSSL source code does not seem to mention SP 800-90A.  Only SP 800-90.  So 
the certifications were made for SP 800-90, is that right ?

Also, does it depend on the application to choose which DRBG and moreover, for 
regular FIPS uses, does it matter which DRBG is used since they are all 
approved ?

One more question: is there a way for us to actually know/test which one is
used by an application ?  I currently am using a FIPS_post_set_callback()
placed in FIPS_mode_set() - can this be useful to identify which DRBG is used ?
Maybe FIPS_drbg_set_callbacks() could be more useful ?

Regards.





Re: [openssl-users] Runtime list of FIPS ciphers

2015-03-20 Thread jonetsu


> From: Dr. Stephen Henson st...@openssl.org
> Date: 03/20/15 12:48
>
> OPENSSL_FIPS=1 openssl ciphers -v
> openssl ciphers -v FIPS

Thanks, this works great on the workstation where I have installed at the default
development location /usr/local/ssl/, using OpenSSL 1.0.1k.

However, we have built Debian packages for the target unit, using 1.0.1e.  
While the example fips_hmac runs fine, we have a problem with openssl itself, 
which seems to be that the openssl shared object is somehow not FIPS enabled, 
or, is 1.0.1e lacking in any respect to FIPS mode ? :

% ./fips_hmac -v gcrypt_pkglist

 FIPS mode enabled
 ret: 1
 51dedc633485ccb55f4624763e9d118d6df15b3c


% OPENSSL_FIPS=1 openssl ciphers -v

 3069818064:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips 
mode:ssl_lib.c:1729:


% ldd fips_hmac

 libcrypto.so.1.0.0 => /usr/lib/arm-linux-gnueabihf/libcrypto.so.1.0.0 (0xb6dbc000)

% ldd /usr/bin/openssl

 libssl.so.1.0.0 => /usr/lib/arm-linux-gnueabihf/libssl.so.1.0.0 (0xb6f5e000)
 libcrypto.so.1.0.0 => /usr/lib/arm-linux-gnueabihf/libcrypto.so.1.0.0 (0xb6e03000)


% openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013



  



[openssl-users] Runtime list of FIPS ciphers

2015-03-20 Thread jonetsu
Hello,

  I have the impression that the 'ciphers -v' option to openssl, when OpenSSL 
is compiled in FIPS mode, lists more than FIPS-only.  There are RC5 and RC4 in 
there, for instance.  Is there a specific openssl command that will list only 
the ones that are FIPS-allowed  ?

Regards.




Re: [rsyslog] FIPS mode ?

2015-03-19 Thread jonetsu


> From: Rainer Gerhards rgerha...@hq.adiscon.com
> Date: 03/19/15 06:33

 
> Thx - could you open an issue tracker at github?

OK, done. FIPS mode #274.

Thanks.




[openssl-users] FIPS: Error compiling 1.0.1e: 'T' vs. 't'

2015-03-17 Thread jonetsu
Hello,

There is a problem with compiling the openssl-1.0.1e.tar.gz
sources against the FIPS 2.0 canister.

On my machine the following is declared global:

000dd3c0 T private_AES_set_decrypt_key
000dd0f0 T private_AES_set_encrypt_key

On another machine, they are declared local and the apps build
fails:

000dd3c0 t private_AES_set_decrypt_key
000dd0f0 t private_AES_set_encrypt_key

What is the mechanism that determines which is global and which is
local and what does it depend on to make its decision ?

Regards.







Re: [openssl-users] FIPS: Problem building 1.0.1e: 'T' vs. 't'

2015-03-17 Thread jonetsu


> From: Dr. Stephen Henson st...@openssl.org
> Date: 03/17/15 12:28

> What are the two platforms? That is what does:

First of all, I'm very, very sorry to have posted duplicates of the question.  
The web-access email client is, was, a bit on the fuzzy side, stalling and 
reporting errors.

It turns out, at the end of much puzzling and searching, that the difference is 
in the Debian packaging.  The Debian folks have added some per-method version 
mechanism to be assured that the APIs are still compatible between OpenSSL 
number versions.  That mechanism does not recognize the FIPS renaming of some 
methods hence tags them as local.  We fixed that and it could be that the fix 
can be given to Debian as it should be transparent to non-FIPS OpenSSL Debian 
builds.

Again, sorry for the multiple posts !

Regards.





[openssl-users] FIPS: Problem building 1.0.1e : 'T' vs. 't'

2015-03-17 Thread jonetsu
Hello,

There is a problem with compiling the openssl-1.0.1e.tar.gz
sources against the FIPS 2.0 canister.

On my machine the following is declared global:

000dd3c0 T private_AES_set_decrypt_key
000dd0f0 T private_AES_set_encrypt_key

On another machine, they are declared local and the apps build
fails:

000dd3c0 t private_AES_set_decrypt_key
000dd0f0 t private_AES_set_encrypt_key

What is the mechanism that determines which is global and which is
local and what does it depend on to make its decision ?

Regards.







[openssl-users] FIPS: Converting AES_ctr128_encrypt() to EVP_ methods

2015-03-16 Thread jonetsu
Hello,

An application that needs converting to FIPS is currently using
AES_ctr128_encrypt().  That function calls in turn
CRYPTO_ctr128_encrypt() which then does some internal
computations.  They are not documented in the 'full list of
crypto APIs'.  What would be the FIPS-compatible EVP
equivalent(s) ?

Regards.






[openssl-users] FIPS: ECC licensing

2015-03-16 Thread jonetsu
Hello,

  The licenses and patents for ECC were noticed.  In short, if we do not care about 
this in the sense of not willing to be in any patent infringement situation 
down the road, the -ecb archive should be used, is that right ?  Also, there is 
a mention of a NSA-PLA.pdf agreement statement.  The file is not found.  Is 
this still valid in some ways ?

Regards.



___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] FIPS: Common method executed in case of error

2015-03-12 Thread jonetsu


 From: Dr. Stephen Henson st...@openssl.org 
 Date: 03/10/15 20:04 

 I mean you could add a callback to FIPS_mode_set using
 FIPS_post_set_callback: see the fips_test_suite.c application
 for an example. The supplied callback is called during each
 POST, continuous RNG and pairwise consistency checks. The op
 value is set to FIPS_POST_FAIL if any test fails.

This is basically what was also suggested by Henrik in a related
thread recently, which I understood being implemented in an
application.  The variation here would be that the callback is
part of the library, located in FIPS_mode_set() in o_fips.c, with
the callback itself being defined elsewhere in the same file.

A potentially useful case for some applications that do not need
to be further modified would be for the library to automatically
know that it has to run in FIPS mode.  Eg. to automatically call
FIPS_mode_set() at load time, based on a env. var. or some other
external sign.




___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [gnutls-help] FIPS ciphers list is wrong

2015-03-12 Thread jonetsu


 From: Nikos Mavrogiannopoulos n...@gnutls.org 
 Date: 03/12/15 02:19 

 That's correct, but I don't think that SP800-52 is a requirement in
 FIPS140-2. Do you have such a reference?

Yes, that's right.  Everything points to not having TLS1.0 in the (near) future 
but at the moment it is allowed in 140-2.

Regards.




___
Gnutls-help mailing list
Gnutls-help@lists.gnutls.org
http://lists.gnupg.org/mailman/listinfo/gnutls-help

Re: [gnutls-help] FIPS ciphers list is wrong

2015-03-11 Thread jonetsu


 From: Nikos Mavrogiannopoulos n...@gnutls.org 
 Date: 03/11/15 11:27 

 GNUTLS_FORCE_FIPS_MODE=1 ./gnutls-cli -l --priority NORMAL
 ./gnutls-cli -l --priority NORMAL

Thanks.  In the resulting list many TLS1.0 are found:

(abridged list)

 TLS_ECDHE_ECDSA_AES_128_CBC_SHA256   TLS1.0
 TLS_ECDHE_ECDSA_AES_256_CBC_SHA384   TLS1.0
 TLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256  TLS1.0
 TLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384  TLS1.0
 TLS_ECDHE_RSA_AES_128_CBC_SHA256 TLS1.0
 [...]

However, NIST Special Publication 800-52 Revision 1 specifies
that no TLS1.0 should be used.

Please see '3.1 Protocol Version Support' in:

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf


Regards.





___
Gnutls-help mailing list
Gnutls-help@lists.gnutls.org
http://lists.gnupg.org/mailman/listinfo/gnutls-help

[gnutls-help] Listing all usable algos.

2015-03-10 Thread jonetsu
Hello,

  Is there a way to list at runtime all algorithms and ciphers that GnuTLS can 
be using ?  The gnutls-cli help does not seem to show such functionality.  Is 
there ?  

Regards.




___
Gnutls-help mailing list
Gnutls-help@lists.gnutls.org
http://lists.gnupg.org/mailman/listinfo/gnutls-help

[openssl-users] FIPS: Common method executed in case of error

2015-03-10 Thread jonetsu
Hello,

  Is there a method that is always in the path of execution when a crypto error 
occurs ?  The reason for asking is that I would like to very slightly modify 
the OpenSSL FIPS version so that it will write a file in tmpfs when an error 
occurs.  That place will be observed by another app using inotify.  Granted, 
modifying OpenSSL FIPS will void its FIPS certification.  But then, the whole 
unit will be validated.  Having a single place to modify would be quite an 
extraordinary thing.  I have asked recently about a related topic and got some 
replies regarding the modification of applications, although modifying the 
library would provide a single package to modify.  Steve has replied that 
indeed the validation will be lost - I wonder if that would have any impact on 
the total validation costs for a whole unit, OS and apps ?  Would a 
non-modified FIPS OpenSSL library reduce the
validation costs ?

Any comments and suggestions welcomed, regards.



___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] FIPS: Common method executed in case of error

2015-03-10 Thread jonetsu


 From: Steve Marquess marqu...@openssl.com 
 Date: 03/10/15 08:56 

Hello,

  Thanks for your reply.

 You're talking about a Level 2 validation (or higher)? You most
 definitely do *not* want to include the OS or applications in the
 cryptographic module boundary for Level 1.

It's a level 2.  The behaviour of the unit as a whole is
validated.  As an example amongst many, there will be no Linux
console prompt available in FIPS mode.

 I think you're going to be shocked at the cost (in time and money) to
 validate a hacked OpenSSL FIPS module, compared to using it as-is or a
 change letter update.

That brings a question.  I'm currently using 1.0.1k with the 2.0
FIPS module for development purposes.  This may seem a bit blunt,
but, is it possible at all to use 1.0.1k to benefit from the FIPS
validation ?  Based on recent comments I would think not.  Going
back to a pre-heartbleed version ?  Is there any way to benefit
from the gained OpenSSL FIPS validation at all ?

 That's because the CMVP has introduced a number of new
 requirements since the current FIPS module was validated (in
 2012), and any new validation will now need to satisfy
 those.

Again, is there any benefit to be gained from using a once
validated OpenSSL FIPS ?  What would be the bugs fixed/ security
updates trade-off ?

 That means not only non-trivial code hacks unrelated to yours,
 but also a new paper shuffle for the arm waving (DTR)
 components of the validation process.  The cost of the latter
 dwarfs the former; which is why we have not attempted a new
 validation ourselves.

Hmmm... If this goes through, would it be possible for OpenSSL to
benefit from any validation our unit can get ?

 But, that cost could be dwarfed in turn by that of a Level 2 or 3
 validation of a turnkey system including OS and apps.

Thanks again for your comments, much appreciated.

Regards.







___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] FIPS: Common method executed in case of error

2015-03-10 Thread jonetsu


 Is there a method that is always in the path of execution when a crypto error 
 occurs ?  

It looks like fips_set_selftest_fail() would be a likely candidate in which to 
create an empty file on a tmpfs in order to let the OS know about the error.

Comments and suggestions welcomed.  Based on your experience with the FIPS 
validation process, and many customers/sponsors, do you think that having an 
ever so slightly modified OpenSSL FIPS code would increase validation costs for 
a whole unit (OS and apps) ?  Recently Steve, I think, has mentioned that the 
cost for an initial OpenSSL FIPS validation was well into the 6 numbers.  Would 
this type of figure be added to a project if OpenSSL FIPS is modified ?  I 
think the labs could go with a diff and see how simple the modification is.

Regards.



___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[gnutls-help] FIPS ciphers list is wrong

2015-03-10 Thread jonetsu
Hello,

  The list of ciphers provided by 'gnutls-cli -l' is the same in FIPS mode or 
not.  The test:

/usr/local/bin/gnutls-cli -v    
gnutls-cli 3.3.13


1)

/usr/local/bin/gnutls-cli --fips140-mode
library is NOT in FIPS140-2 mode

/usr/local/bin/gnutls-cli -l   

(nonfips list generated)

2)

export GNUTLS_FORCE_FIPS_MODE=1

/usr/local/bin/gnutls-cli --fips140-mode
library is in FIPS140-2 mode

/usr/local/bin/gnutls-cli -l   

(fips list generated)

Many ciphers listed in FIPS mode should not be there.

Regards.





___
Gnutls-help mailing list
Gnutls-help@lists.gnutls.org
http://lists.gnupg.org/mailman/listinfo/gnutls-help

Re: [openssl-users] FIPS: Common method executed in case of error

2015-03-10 Thread jonetsu


 From: Dr. Stephen Henson st...@openssl.org 
 Date: 03/10/15 10:21 

 Although you cannot modify the FIPS module itself without voiding the
 validation you *can* change the FIPS capable OpenSSL.

 You might (for example) change FIPS_mode_set() to always add a callback
 which logs any errors.

I see.  So this would actually enable benefiting (saving
validation costs) from an intact recent OpenSSL 1.0.1k with all
security fixes.

FIPS_mode_set() is very straightforward to patch although it
would only catch startup errors.  Not the eventual errors from
tests that are executed before each crypto use.  And not the
continuous RNG tests.

Within the scope of OpenSSL itself, there is a
fips_cipher_abort() that is called for each algo.  That macro
could perhaps be a good place.  Although it would still not catch
continuous RNG test failures.

Regards.






___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[Swan] FIPS mode - general

2015-03-04 Thread jonetsu
Hello,

  I'm looking at using libreswan.  NSS can be put into FIPS mode by a proper 
modutil command.  I understand so far that libreswan uses NSS only.  Is that 
the case ?  Once in FIPS mode, will libreswan restrict the calls to approved 
algorithms ?  

Thanks.



___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan


[openssl-users] Testing FIPS mode using 0 randomness

2015-03-02 Thread jonetsu
Hello,

  I tried a simple test to see if FIPS mode would fail, using the example given 
in the FIPS user guide 2.0.  The test consisted of replacing the /dev/random 
and /dev/urandom with /dev/zero.  I would have expected that no source of 
randomness would make the tests run at the call of FIPS_mode_set(1) fail.

ex.:

cd dev
rm random
mknod -m 666 /dev/random c 1 5

Verify presence of zeroes all over:
cat /dev/random | xxd

./fips_hmac fips_hmac.o

I added a ret value to catch the return code from FIPS_mode_set(1).  Random or 
no random, it always returns 1.  

Shouldn't randomness be an important part of the power-up tests ?  I understand 
there are continuous RNG tests within OpenSSL FIPS mode, although 'later on' 
(eg. continuous). Wouldn't these tests be part of the power-up sequence as 
called by FIPS_mode_set(1) also ?

Thanks.


___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
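
The observation above is what the FIPS 140-2 test structure predicts: the power-up self-tests that FIPS_mode_set(1) runs are known-answer tests against fixed vectors (including a DRBG test with fixed entropy input), so they cannot notice that the system RNG has been replaced. What catches a stuck source is the continuous RNG test, which compares every block the source produces with the previous one and fails on a repeat, and it only runs when random output is actually drawn. The code below is an added illustration of that test, not the FIPS module's implementation: a generic continuous test over a pluggable byte source, fed once by a constructed stand-in for /dev/zero and once by a counter that never repeats a block.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CRNGT_BLOCK 16   /* block size compared by the test, in bytes */

/* A byte source: fills `buf` with `n` bytes, returns 1 on success, 0 on error.
 * In a real module this is the entropy input or the DRBG output. */
typedef int (*rng_source)(void *ctx, unsigned char *buf, size_t n);

struct crngt {
    rng_source src;
    void *ctx;
    int primed;                       /* first block has been captured */
    int failed;                       /* sticky error state */
    unsigned char last[CRNGT_BLOCK];  /* previous block, kept for comparison */
};

void crngt_init(struct crngt *st, rng_source src, void *ctx)
{
    memset(st, 0, sizeof *st);
    st->src = src;
    st->ctx = ctx;
}

/* Deliver one block through the continuous test. The very first block from
 * the source is only saved, never delivered; every later block is compared
 * with its predecessor and an identical block is a test failure. Once the
 * test fails the state stays failed and nothing further is delivered.
 * Returns 1 with `out` filled, or 0 on failure. */
int crngt_next(struct crngt *st, unsigned char out[CRNGT_BLOCK])
{
    unsigned char blk[CRNGT_BLOCK];

    if (st->failed)
        return 0;
    if (!st->primed) {
        if (!st->src(st->ctx, st->last, CRNGT_BLOCK)) {
            st->failed = 1;
            return 0;
        }
        st->primed = 1;
    }
    if (!st->src(st->ctx, blk, CRNGT_BLOCK)) {
        st->failed = 1;
        return 0;
    }
    if (memcmp(blk, st->last, CRNGT_BLOCK) == 0) {
        st->failed = 1;               /* repeated block: the source is stuck */
        return 0;
    }
    memcpy(st->last, blk, CRNGT_BLOCK);
    memcpy(out, blk, CRNGT_BLOCK);
    return 1;
}

/* Constructed source 1: stands in for /dev/zero as in the experiment above. */
int zero_source(void *ctx, unsigned char *buf, size_t n)
{
    (void)ctx;
    memset(buf, 0, n);
    return 1;
}

/* Constructed source 2: a counter that never repeats a block. It is not random
 * at all, which is the point: the continuous test detects a stuck source,
 * not a weak one. */
int counter_source(void *ctx, unsigned char *buf, size_t n)
{
    uint64_t *c = ctx;
    size_t i;
    memset(buf, 0, n);
    for (i = 0; i < 8 && i < n; i++)
        buf[n - 1 - i] = (unsigned char)(*c >> (8 * i));
    (*c)++;
    return 1;
}

/* Count how many blocks the test lets through before it trips (at most max). */
int blocks_before_failure(rng_source src, void *ctx, int max)
{
    struct crngt st;
    unsigned char out[CRNGT_BLOCK];
    int n = 0;
    crngt_init(&st, src, ctx);
    while (n < max && crngt_next(&st, out))
        n++;
    return n;
}

int main(void)
{
    uint64_t c = 0;
    printf("/dev/zero stand-in: %d block(s) delivered before failure\n",
           blocks_before_failure(zero_source, NULL, 100));
    printf("counter source:     %d block(s) delivered before failure\n",
           blocks_before_failure(counter_source, &c, 100));
    return 0;
}
```

With the zero source the test trips on the first request (the saved block and the next one are identical), so no output is ever delivered; with the counter all 100 blocks pass. That is the behaviour to expect from a FIPS module once the RNG is used, not at FIPS_mode_set(1) time.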


[openssl-users] FIPS methods and symlinks

2015-02-24 Thread jonetsu
Hello,

  To grasp how FIPS methods are called, and following one method
as an example, HMAC_Update() in hmac.c, we can see that if FIPS
mode is active then FIPS_hmac_update() will be called.  This is
fine although searching the sources for the physical definition of
FIPS_hmac_update() does not yield any results.  How do the
symbolic links function, what ends up being executed in this case
and through which path ?

Thanks, regards.



___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] OpenSSL FIPS mode system integration

2015-02-20 Thread jonetsu
On Feb 19, 2015 10:50am Henrik Grindal Bakken wrote:

 I'm not sure it will be called on every conceivable error in
 the FIPS module, but what I do in similar situations is
 something like this:

 /* op, id and subid are supplied by the FIPS module; FIPS_POST_FAIL marks a failed test */
 static int post_cb(int op, int id, int subid, void *ex)
 {
     if (op == FIPS_POST_FAIL)
         system("/bin/fipserror");
     return 1;
 }

 And there somewhere:

 FIPS_post_set_callback(post_cb)

This is very interesting, thanks.  Following this hint, in the same vein the
FIPS code also has:

FIPS_drbg_set_callbacks(args)

Although this one looks more like an entropy callback than
anything that could be used to know about status.

The FIPS User Guide mentions both, although the information on
FIPS_post_set_callback() is not much at all.  Is there another
source than the User Guide 2.0, for detailed descriptions of
these FIPS-related methods ?  For instance, the 'op' variable of 
FIPS_post_set_callback() is not described at all.  Any manual or 
info pages ?  Could be other potentially interesting methods in there. 





___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
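
The callback quoted above, and the March 12 suggestion earlier on this page to hang the same callback off FIPS_mode_set(), both rely on the module invoking a function of the form `int cb(int op, int id, int subid, void *ex)` during each POST, continuous RNG test and pairwise consistency check, with `op == FIPS_POST_FAIL` on failure. The example below is added here and is not code from the thread or from OpenSSL: instead of running a shell command from inside the crypto library's error path, it sets a process-wide "crypto disabled" flag (so the application can stop its own data output, which is what the compliance requirement discussed further down asks for) and creates a marker file in a directory an inotify watcher can monitor. The numeric value of `FIPS_POST_FAIL`, the `/run/fips` default directory, the `OPENSSL_FIPS` guard around the real installation call and the test ids 1 and 2 are assumptions; the callback signature and `FIPS_post_set_callback()` are as in the thread.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* FIPS_POST_FAIL comes from the FIPS module's fips.h; the numeric value here
 * is an assumed placeholder so the file builds without the module installed. */
#ifndef FIPS_POST_FAIL
#define FIPS_POST_FAIL 5
#endif

/* Directory the watching process monitors with inotify (a tmpfs mount in the
 * thread). Set with fips_marker_init(); the default is an assumed path. */
static char marker_dir[256] = "/run/fips";
static volatile sig_atomic_t crypto_disabled = 0;

void fips_marker_init(const char *dir)
{
    snprintf(marker_dir, sizeof marker_dir, "%s", dir);
}

/* Has a self-test failure been recorded? Application code checks this before
 * producing any output, since output must stop once the module is in error. */
int fips_crypto_disabled(void)
{
    return crypto_disabled != 0;
}

/* Create <dir>/fips_fail_<id>_<subid> atomically (O_EXCL) and record the
 * failure details in it. No allocation and no shell: this runs inside the
 * crypto library's error path. Returns 0 on success, -1 on error. */
int fips_marker_write(int op, int id, int subid)
{
    char path[320];
    char line[64];
    int fd, len;

    snprintf(path, sizeof path, "%s/fips_fail_%d_%d", marker_dir, id, subid);
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;                        /* already reported, or dir missing */
    len = snprintf(line, sizeof line, "op=%d id=%d subid=%d\n", op, id, subid);
    if (write(fd, line, (size_t)len) != len) {
        close(fd);
        return -1;
    }
    close(fd);
    return 0;
}

/* The callback with the signature FIPS_post_set_callback() expects. id and
 * subid identify the failing test; they are recorded as opaque integers. */
int post_cb(int op, int id, int subid, void *ex)
{
    (void)ex;
    if (op == FIPS_POST_FAIL) {
        crypto_disabled = 1;              /* stop our own output first ...   */
        fips_marker_write(op, id, subid); /* ... then tell the OS-side watcher */
    }
    return 1;
}

#ifdef OPENSSL_FIPS
#include <openssl/fips.h>
/* With the FIPS capable OpenSSL headers available (assumed guard), install the
 * callback before FIPS_mode_set(1) so POST failures are reported through it. */
void install_fips_post_callback(void)
{
    FIPS_post_set_callback(post_cb);
}
#endif

/* Self-check that needs no module: invoke post_cb() the way the module would
 * for a failed self-test and confirm the marker file appears. id=1, subid=2
 * are constructed values. Returns 1 on success, 0 otherwise. */
int demo_failure_path(void)
{
    char tmpl[] = "/tmp/fipsdemoXXXXXX";
    char path[320];
    struct stat sb;
    int ok;

    if (!mkdtemp(tmpl))
        return 0;
    fips_marker_init(tmpl);
    post_cb(FIPS_POST_FAIL, 1, 2, NULL);
    snprintf(path, sizeof path, "%s/fips_fail_1_2", tmpl);
    ok = stat(path, &sb) == 0 && sb.st_size > 0 && fips_crypto_disabled();
    unlink(path);
    rmdir(tmpl);
    return ok;
}

int main(void)
{
    printf("marker path exercised: %s\n", demo_failure_path() ? "ok" : "FAILED");
    return 0;
}
```

The marker file name carries the test identifiers, so the watcher learns which check failed without parsing library logs, and O_EXCL means a second failure report for the same test cannot clobber the first.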


Re: [openssl-users] FIPS, continuous tests, and error reporting

2015-02-19 Thread jonetsu


 From: Dr. Stephen Henson st...@openssl.org 
 To: openssl-users@openssl.org 
 Date: 02/19/15 11:34 
 Subject: Re: [openssl-users] FIPS, continuous tests, and error reporting 
 
 The low level cipher and digest APIs cannot be used in FIPS mode: you have to
 use EVP.

That's quite an important point.  It brings a question: how are the 
'continuous' FIPS tests performed ?  Are they automatically called at the 
beginning of an EVP_* method ?  Do they run periodically in the background ?  
Both ?

Regards.


___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] FIPS, continuous tests, and error reporting

2015-02-19 Thread jonetsu


-Original Message- 
 From: Salz, Rich rs...@akamai.com 
 To: openssl-users@openssl.org 
 Date: 02/19/15 07:43 
 Subject: Re: [openssl-users] FIPS, continuous tests, and error reporting 
 
  For that matter and in a general sense, so far I've seen that many encryption
  methods do not return any error code.  How does error reporting generally
  work ?
 
 Really?  Which ones?

For instance, any of the void DES_*_encrypt().  This cursory observation is 
also supported by a vendor application code such as:

 #include <openssl/des.h>

 static void des_encrypt(char key1[8], char key2[8], char key3[8], char ivec[8],
                         char *input, char *output, int len,
                         int encrypt)
 {

   [snip]

     /* DES_set_key() returns void: nothing reports a bad or weak key here */
     DES_set_key(&des_key1, &schedule1);
     DES_set_key(&des_key2, &schedule2);
     DES_set_key(&des_key3, &schedule3);
     /* DES_ede3_cbc_encrypt() is void as well: no status comes back */
     DES_ede3_cbc_encrypt((unsigned char *)input, (unsigned char *)output, len,
                          &schedule1, &schedule2, &schedule3, &des_ivec,
                          encrypt);
 }


This is basically why I'm wondering about how errors propagate in the OpenSSL 
library.




___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] OpenSSL FIPS mode system integration

2015-02-19 Thread jonetsu


-Original Message- 
 From: Marcus Meissner meiss...@suse.de 
 To: openssl-users@openssl.org 
 Date: 02/19/15 08:07 
 Subject: Re: [openssl-users] OpenSSL FIPS mode system integration 

 Well, the writing is that the crypto module must stop operating
 on error.
 
 We solved this by calling abort(); in the openssl library on FIPS
 related error conditions.

H... What I have written from a consultancy compliance report is that all 
crypto operations must stop and, all data output of the designed Data Output 
interface(s) must also stop.  Hence my concern for the OS knowing about FIPS 
crypto test results.  Thanks for your comment.




___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Using FIPS mode and modifying apps

2015-01-27 Thread jonetsu
Steve Marquess marqu...@openssl.com wrote on 01/27/15 09:18:
Thank you (and Tom) for your comments - much appreciated.

 Tom Francis nailed the answer to this one. We did design the FIPS module
 + FIPS capable OpenSSL combination to make it possible to have a
 system wide FIPS mode capability, but that presumes that the system
 maintainer (i.e. OS distribution maintainer) has done the review and
 modification of each application that uses cryptography to make sure it
 is compatible with the many restrictions of FIPS mode.

Yes, I understand the concern.  Does this mean that the FIPS checks will be 
done today on OpenSSL library startup w/o the need for an application to use 
FIPS_mode_set() ?  I'm asking since the OpenSSL FIPS User Guide 2.0 only 
mentions using FIPS_mode_set() (and FIPS_selftest()).  Might have to do with 
your comment below.
 
 That is indeed the assumption: that commercial versions of RH and SuSE
 have modified all impacted OSS applications to operate in FIPS mode. If
 they haven't they are deceiving their customers and the U.S. government.

I see. There is a set of SuSE OpenSSH FIPS patches from 9 months ago, though.
 
 Please read the first two sentences on that web page, right at the top.

OK!  Regarding the second sentence :) ... what is the current status ?  Is 
OpenSSL transparently executing FIPS checks when in FIPS mode ?  And, why would 
there be any validation (as opposed to functional tests) to be done since these 
checks are the same as they were before I presume, just done automatically this 
time around.

Regards.



___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: Adding fonts

2012-09-10 Thread jonetsu
On Sunday, 09 Sep 2012 18:32:57 +0200,
François Patte francois.pa...@mi.parisdescartes.fr wrote:

 If you want to have any chances to make the difference between what
 comes from the distribution and what you have added, you should create
 your local font directories in /usr/local/share/fonts and be sure
 that you have a file /etc/fonts/conf.d/09-local.conf with these lines
 
 <?xml version="1.0"?>
 <!DOCTYPE fontconfig SYSTEM "fonts.dtd">
 <fontconfig>
   <dir>/opt/share/fonts</dir>
 </fontconfig>
 
 If you don't have it, create it (don't forget to give the correct
 permissions) then run
 
 fc-cache -fsv
 
 to check, run
 
 fc-list -v | grep "name of font"  (without the "")

 Thanks for the hint on localisation.  Indeed, this can be quite
practical when it comes to saving the fonts that were added to the
system.

  But there's more to it and I'll start another thread.  What I found
with the Japanese fonts that I've used is that some are directly mapped
to the keyboard keys, which does not make sense at all (at least for
romaji input which is very common - I have no dedicated Japanese
keyboard) and some simply render any character as a square.

  But the method above works nicely to install localized fonts.  Just
make sure that the path where the fonts are and the path referred-to in
the config file are the same ! ;-)

-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


Japanese fonts for romaji input

2012-09-10 Thread jonetsu
Hello,

  There are many nice fonts for rendering kanji characters.
Unfortunately the ones that I got so far do not work with the standard
ibus anthy romaji input.  Many render the resulting kanji as a square,
no matter what.  They are mapped directly to the keyboard keys and so
are useless.  Also, I have noticed that Gimp text input does not seem
to work with ibus/anthy - is this a configuration issue ?

  What are the nice stylistic Japanese fonts out there that can be used
with romaji input ?  What is the method ?  Are the words typed as usual
using the basic Fedora Japanese support and ibus/anthy, and then
selected and changed to other style of fonts ?  I would like to use
libreoffice primarily, but if it works with Gimp that would be also
nice.

ありがとうございます!
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


Adding fonts

2012-09-08 Thread jonetsu
Hello,

  I'd like to know how to add fonts so that LibreOffice and Gimp can
use them.  For instance, I have downloaded a HGRSKP.TTF file which is a
Japanese font.  What is the procedure to make that font available in
the system ?  Also, some fonts are .exe files.  Are these also
installable in Fedora ? 

Thanks !
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


Re: Japanese keyboard: Fedora 15 KDE

2012-04-30 Thread jonetsu
On Monday, 30 April 2012 22:37:36 +0900,
nomnex nom...@gmail.com wrote:

 Glad you got it working.
 Ctrl+Space switch i-bus on/off
 Alt+Shift switch the input language (I use French/Japanese on a en_US
 OS)

I've tried the Anthy German keyboard that I use to write French
although it's not at all like the regular Linux German keyboard.  Even
though it shows 'German' when pressing Alt+Shift, it is still a qwerty
keyboard, not a qwertz.  And no shift keys in sight to produce
accented letters.  Seems English as usual. I did a quick search on
Anthy layouts but most if not all topics are related to Japanese.  It'd
be useful to have a description of all the layouts available.
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


Japanese keyboard: Fedora 15 KDE

2012-04-29 Thread jonetsu
Hello all,
  
  I've seen a few pieces of software around to have some kind of keyboard able
to either input romaji based (hiragana based ?) characters or to draw
kanji, but this software seems to be age-old and not maintained
anymore, like anthy.  What is the preferred way to be able to use
Japanese characters in Fedora 15 with KDE ?

Thanks.
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


Re: Japanese keyboard: Fedora 15 KDE

2012-04-29 Thread jonetsu
On Sun, 29 Apr 2012 20:06:50 -0400,
jonetsu jone...@teksavvy.com wrote :

   I've seen a few pieces of software around to have some kind of keyboard able
 to either input romaji based (hiragana based ?) characters or to draw
 kanji, but this software seems to be age-old and not maintained
 anymore, like anthy.  What is the preferred way to be able to use
 Japanese characters in Fedora 15 with KDE ?

I do have the following packages installed, but do not know how to use
them in KDE (nor Gnome for that matter) :

anthy-9100h-16.fc15.x86_64
ibus-anthy-1.2.7-1.fc15.x86_64

-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


Re: Japanese keyboard: Fedora 15 KDE

2012-04-29 Thread jonetsu
On Mon, 30 Apr 2012 09:14:30 +0900,
nomnex nom...@gmail.com wrote:

  On Sun, 29 Apr 2012 20:06:50 -0400
  jonetsu jone...@teksavvy.com wrote:
  
    I've seen a few pieces of software around to have some kind of keyboard
  able to either input romaji based (hiragana based ?) characters or
  to draw kanji, but this software seems to be age-old and not
  maintained anymore, like anthy.  What is the preferred way to be
  able to use Japanese characters in Fedora 15 with KDE ?
 
 I use i-bus mozc, it is in the fedora repo.

The following is installed:

mozc-1.4.1033.102-1.fc15.x86_64
scim-mozc-1.4.1033.102-1.fc15.x86_64

I'm using KDE.  How is Japanese text entered using mozc ?

Thanks.

-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


Re: Japanese keyboard: Fedora 15 KDE

2012-04-29 Thread jonetsu
On Sun, 29 Apr 2012 20:21:40 -0400,
jonetsu jone...@teksavvy.com wrote :

 The following is installed:
 
 mozc-1.4.1033.102-1.fc15.x86_64
 scim-mozc-1.4.1033.102-1.fc15.x86_64
 
 I'm using KDE.  How is Japanese text entered using mozc ?

Also the following is installed:

ibus-mozc-1.4.1033.102-1.fc15.x86_64
ibus-qt.x86_64

Somewhere in the KDE system configuration menus for the keyboard it is
mentioned that Alt-Space triggers keyboard modes, but it seemingly had
no effect.

-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


Re: Japanese keyboard: Fedora 15 KDE

2012-04-29 Thread jonetsu
On Mon, 30 Apr 2012 08:20:57 +0800,
Ed Greshko ed.gres...@greshko.com wrote :

 On 04/30/2012 08:17 AM, jonetsu wrote:
  I do have the following packages installed, but do not know how to
  use them in KDE (nor Gnome for that matter) :
 
  anthy-9100h-16.fc15.x86_64
  ibus-anthy-1.2.7-1.fc15.x86_64
 
 You will need, at a minimum, ibus and ibus-anthy installed.
 
 Then run im-chooser and select IBus as your input method.  This is
 preferred over scim these days.

OK, I see.  It's getting somewhere.  I've added Japanese (Japanese,
Kana, Kana 86) and it asks me to restart ibus.  I've sent the
ibus daemon a HUP signal.  But all choices in im-chooser are greyed out.
It does not seem possible to choose any other input at all.

-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


Re: Japanese keyboard: Fedora 15 KDE

2012-04-29 Thread jonetsu
On Sun, 29 Apr 2012 20:45:30 -0400,
jonetsu jone...@teksavvy.com wrote :

 On Mon, 30 Apr 2012 08:35:02 +0800,
 Ed Greshko ed.gres...@greshko.com wrote :

  Right Click on the icon and pick Preferences.   Then go to the
  Input Method Tab and select and Input Method and Add it to the
  list of available input methods.
 
 OK, got it.  Japanese (kana) is chosen.  Keyboard is jp(kana).  But
 still, looks like and types like the same keyboard as usual.  
 
 カテタチトスカンイシ

Hmmm...  Had to restart the machine ;-)  Good thing the login is still
done using the US keyboard.  I see that once ibus is used, then all
input methods have to be configured within ibus.  Unless the bus daemon
is not used.  Now I added English, so I can switch within ibus.

Is there any information on how to actually use Japanese input,
including descriptions of keyboard layouts ?  The keyboard I've chosen
seems to be limited to katakana (that is, when knowing what the layout
is).  Is there a hiragana keyboard ?  And is there also kanji selection
based on hiragana/romaji ?  Or based on pictogram sketches (perhaps
like IME on Windows) ?

Dooma arigato.


-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


Re: Japanese keyboard: Fedora 15 KDE

2012-04-29 Thread jonetsu
On Mon, 30 Apr 2012 08:55:32 +0800,
Ed Greshko ed.gres...@greshko.com wrote:

 On 04/30/2012 08:45 AM, jonetsu wrote:
  OK, got it.  Japanese (kana) is chosen.  Keyboard is jp(kana).  But
  still, looks like and types like the same keyboard as usual.  
 
  カテタチトスカンイシ
 
 Unless you have a real Japanese keyboard there is no need to change
 the keyboard type.
 
 I'm not exactly sure what you mean, but let me give an example.
 Let's say you want to type Shibuya.
 
 Using a konsole or terminal application.
 
 You'd activate the Anthy input method.  Then you'd type shibuya.
 You'd see シブヤ outlined in white.  Then you'd hit the space bar and
 you'd see 渋谷 with a white background.  If that is what you want you
 hit return.  If you are not happy with the selection you hit the
 space bar again and will get a dialog box with choices.
 
 Does that help?

OK.  Got it working in a terminal.  Neat.  

ありがとございます !!!

-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


starting konsoles in specific locations

2012-04-27 Thread jonetsu
Hello,

  Is it possible at all to start several konsole terminals, each in a
specific location, by means of a script ?  I used to do that with
another type of terminal app years ago.  I quickly did a search about
konsole and it seems that it does not support standard X parameters
like '-geometry'.  Is there any way to start konsoles in a specific
size at a specific location (and optionally using a specific name) ?

Thanks for any suggestion.
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


Re: [Shorewall-users] Continuous pings going through a full DROP policy

2012-02-29 Thread jonetsu
On Wed, 29 Feb 2012 10:33:28 -0800,
Tom Eastep teas...@shorewall.net wrote :

 So to stop an existing ping at with shorewall start/restart, you need
 to flush the conntrack table ('shorewall restart -p'). That requires
 that you install the conntrack utility program (usually, the package
 is called simply 'conntrack').

It was indeed a difference of kernels.

Setting the conntrack ICMP timeout value to 1 for instance, for all
practical purposes, stops the pings just about immediately, which is
fine.  This approach would be less encompassing than having a
shorewall -p which I suspect resets much more than only the ICMP
timeout.  For instance, if an admin is logged in using ssh for setting
up a firewall, using shorewall -p would flush his connection tracking
table which could be detrimental when making an error such as not
opening a hole for the ssh connection once the firewall is up.  Is it
possible to only flush certain tables ?  A value of 1 as the ICMP
timeout could perhaps have an effect on normal pings when the network
is slow, do you think so ?

Those were the components:

System that does not stop the pings:

shorewall: 4.5.0.1-4.5.1-Beta2
kernel: 3.0.0
iptables: 1.4.8-3
iproute: 20100519-3

System that does stop the pings:

shorewall: 4.0.15
kernel: 2.6.26
iptables: 1.3.6.0
iproute: 20061002-3

Thanks so much for your help.



___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


Re: [Shorewall-users] Continuous pings going through a full DROP policy

2012-02-28 Thread jonetsu
On Sun, 26 Feb 2012 14:33:16 -0800,
Tom Eastep teas...@shorewall.net wrote :
 
 On Feb 26, 2012, at 2:09 PM, jonetsu wrote:
 
  For a same configuration in which the default policy is drop and
  only one connection is accepted in rules, continuous pinging to
  devices will stop squarely in 4.0.15 as soon as a very basic
  firewall is enabled whereas in 4.4.26.1, pinging will still
  continue after the firewall is enabled.
  
  All tests are done with proper reboot of the unit3 where the
  firewall is applied:
  
  unit1  --- eth4  unit3  eth1   ---unit2
  192.168.3.2  192.168.3.1  172.30.159.103  172.30.159.102
  lan zone  net zone
  
  In this case, continuous pings from unit1 to unit2 will stop when
  the 4.0.15 firewall is applied.  Rebooting unit3 with 4.4.26.1
  (easily made since unit3 is booting from a different compact flash)
  and copying the files from 4.0.15 to it, and executing 'shorewall
  start' will not stop the pings from unit1 to unit2 even though the
  policy is DROP.
  
  Other traffic is effectively stopped, but not so with icmp packets.
  
  I've looked at the changelog and release notes for 4.4.26.1 but did
  not find anything about this.
  
  firewall is very basic, and shorewall.conf is the same:
  
  zones
  fw  firewall
  net ipv4
  lan ipv4
  
  interfaces
  net eth1
  lan eth4
  
  policy
  all all DROP
  
  rules
  (none)
  
  Using the same shorewall.conf might not be appropriate so I also
  tried with the shorewall.conf provided in the 4.4.26.1 version,
  while keeping the same zones, interfaces and policy files.
 
 
 Output of 'shorewall dump' as an attachment, please.

Hmmm.. Not sure if the other one got to you, so here it is.  Sorry for
any duplicate.

Here is the dump.  It was done in the following way:

 - unit3: reboot w/o any iptable commands applied
 - start continuous pings from unit1
 - unit3: shorewall start
 - (continuous pingings still going on)
 - unit3: shorewall dump

 192.168.3.2 = unit1 = pinging unit
 172.30.159.103 = unit3 = shorewall unit
 172.30.159.102 = unit2 = pinging target

 unit eth1 -- fe-4-2 unit3 fe-3-1 -- fe-3-1 eth2

In a parallel iptables-only test it is possible to immediately stop
the pingings when iptables rules are applied by flushing the whole
thing before applying any new rules.

Thanks !




shorewall.dump.bz2
Description: application/bzip


Re: [Shorewall-users] 4.5.1-Beta2 install: no previous version

2012-02-26 Thread jonetsu
On Sat, 25 Feb 2012 14:59:54 -0800,
Tom Eastep teas...@shorewall.net wrote :
 
 Here's a patch. The same patch should be applied to the installers of
 both Shorewall and Shorewall6.

Thanks.  Now the install proceeds a bit further (Fedora 15) :

./install.sh

Perl/compiler.pl syntax OK
Installing Redhat/Fedora-specific configuration...
Installing Shorewall Version 4.5.1-Beta2
Shorewall 4.5.1-Beta2 requires Shorewall Core which does not appear to
be installed




Re: [Shorewall-users] 4.5.1-Beta2 install: no previous version

2012-02-26 Thread jonetsu
On Sun, 26 Feb 2012 07:41:10 -0800,
Tom Eastep teas...@shorewall.net wrote :

 On 02/26/2012 04:38 AM, jonetsu wrote:
  Shorewall 4.5.1-Beta2 requires Shorewall Core which does not appear
  to be installed

 You need to install Shorewall-core first. See
 http://www.shorewall.net/Install.htm.

Duh! ;-)  Sorry, that was a rather silly one.  Hopefully the next will
not be.




[Shorewall-users] Continuous pings going through a full DROP policy

2012-02-26 Thread jonetsu
For a same configuration in which the default policy is drop and only
one connection is accepted in rules, continuous pinging to devices
will stop squarely in 4.0.15 as soon as a very basic firewall is
enabled whereas in 4.4.26.1, pinging will still continue after the
firewall is enabled.

All tests are done with proper reboot of the unit3 where the firewall
is applied:

 unit1  --- eth4  unit3  eth1   ---unit2
 192.168.3.2  192.168.3.1  172.30.159.103  172.30.159.102
 lan zone  net zone

In this case, continuous pings from unit1 to unit2 will stop when the
4.0.15 firewall is applied.  Rebooting unit3 with 4.4.26.1 (easily
made since unit3 is booting from a different compact flash) and
copying the files from 4.0.15 to it, and executing 'shorewall start'
will not stop the pings from unit1 to unit2 even though the policy is
DROP.

Other traffic is effectively stopped, but not so with icmp packets.

I've looked at the changelog and release notes for 4.4.26.1 but did not
find anything about this.

firewall is very basic, and shorewall.conf is the same:

zones
fw  firewall
net ipv4
lan ipv4

interfaces
net eth1
lan eth4

policy
all all DROP

rules
(none)

Using the same shorewall.conf might not be appropriate so I also tried
with the shorewall.conf provided in the 4.4.26.1 version, while
keeping the same zones, interfaces and policy files.







[Shorewall-users] 4.5.1-Beta2 install: no previous version

2012-02-25 Thread jonetsu
Hi,

  I have a Fedora 15 system w/o any Shorewall installed.  Running the
install.sh (as root) yields the following:

 ./install.sh 
 Perl/compiler.pl syntax OK
 Installing Redhat/Fedora-specific configuration...
ERROR: Shorewall >= 4.3.5 is not installed

I can yum-install the current Fedora Shorewall, but I found it odd that
the installer needs a previous version - or perhaps this is always the
case with betas ?

Thanks.



Re: [Shorewall-users] 4.5.1-Beta2 install: no previous version

2012-02-25 Thread jonetsu
On Sat, 25 Feb 2012 17:18:27 -0500,
jonetsu jone...@teksavvy.com wrote :

   I have a Fedora 15 system w/o any Shorewall installed.  Running the
 install.sh (as root) yields the following:
 
  ./install.sh 
  Perl/compiler.pl syntax OK
  Installing Redhat/Fedora-specific configuration...
 ERROR: Shorewall >= 4.3.5 is not installed
 
 I can yum-install the current Fedora Shorewall, but I found it odd
 that the installer needs a previous version - or perhaps this is
 always the case with betas ?

Hmmm.  After installing both shorewall-4.4.23.3-1.fc15.noarch and
shorewall-init-4.4.23.3-1.fc15.noarch and
shorewall-lite-4.4.23.3-1.fc15.noarch there's still no compiler.pl
in /usr/share/ for the check in install.sh to succeed.  I'm tempted to
remove that check in install.sh (line 300) but am not sure about the
implications of doing so.



Re: [pcre-dev] '-g mode' return code at end of loop

2012-02-25 Thread jonetsu
On Saturday, 25 February 2012 09:24:33 + (GMT),
Philip Hazel p...@hermes.cam.ac.uk wrote:

 with a return code of 0. There is clearly some mystery here as to why 
 your version of the code is not right. If you email your pcredemo.c
 to me (NOT to the list!) I will diff it to try shed some light.


Apologies, I found the mistake.  I've taken out these options from
the empty string condition and always set them:

options = PCRE_NOTEMPTY_ATSTART | PCRE_ANCHORED;

Which gave the error since they were set when not needed.

And for the pcre_fullinfo() bit, yes it's there.  I've modified copies
of the demo and mistaken these.  So all's OK. And thanks for the
comments. As I start to know more libpcre, it is quite great.
Hopefully my eventual next question will make more sense ! ;-)


-- 
## List details at https://lists.exim.org/mailman/listinfo/pcre-dev 

Re: [pcre-dev] Using pcre: the /g behaviour

2012-02-24 Thread jonetsu
On Friday, 24 February 2012 17:24:40 + (GMT),
Philip Hazel p...@hermes.cam.ac.uk wrote:

 Which version of PCRE are you using? 

1248556 pcre-8.30.tar.bz2

  15520 Nov 24 2010 pcredemo.c

From:

ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/

(as per the web page)

I've also checked 8.21 in both bz2 and zip, as well as the svn as
described on the web page: none have that extra PCRE_INFO_NAMETABLE
pcre_fullinfo() call in the loop.  Also checked 8.21 from Sourceforge:
same. Odd.


Re: [pcre-dev] Using pcre: the /g behaviour

2012-02-23 Thread jonetsu
On Thursday, 23 February 2012 17:15:27 + (GMT),
Philip Hazel p...@hermes.cam.ac.uk wrote:

 pcredemo -g

pcredemo segfaults when using the -g param, as in the following (cmd
on a single line) :

./pcredemo -g "rate (?'rate'\d+)Kbit|ceil (?'ceil'\d+)Kbit"
  "quantum 12500 rate 30Kbit ceil 54Kbit"

Match succeeded at offset 14
 0: rate 30Kbit
 1: 30
Named substrings
(2) ceil: 
(1) rate: 30

Match succeeded again at offset 30
 0: ceil 54Kbit
 1: 
 2: 54
Named substrings
Segmentation fault (core dumped)

I'm new to pcre (since yesterday) and I think this is solved, from
what I can see so far, by adding a call to pcre_fullinfo() in order to
somehow give some meaning to name_table before tabptr shifts that
value:

/* Loop for second and subsequent matches */
for (;;)
  {

 [ snip ]

// Added bit:

  /* Re-read the name table so name_table points at the compiled
     pattern's table before tabptr starts walking it. */
  (void)pcre_fullinfo(
    re,
    NULL,
    PCRE_INFO_NAMETABLE,
    &name_table);

// Back to original code:

  if (namecount <= 0) printf("No named substrings\n"); else
    {
    unsigned char *tabptr = name_table;
    printf("Named substrings\n");
    for (i = 0; i < namecount; i++)
      {
      int n = (tabptr[0] << 8) | tabptr[1];

[ etc...]


The pcre_fullinfo() call with PCRE_INFO_NAMEENTRYSIZE could also be
added there although adding it did not seem to change anything, tabptr
being incremented seemingly OK in any case.

If there is no other catch in proceeding like this, it seems quite
straightforward.  Not bad at all.  Can I ask what would be the pcre
syntax to use to cope with a paragraph (Linux newlines) instead of a
single line using this -g functionality ?

Thanks.


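The "second and subsequent matches" loop that the message above patches is the /g behaviour of pcredemo.c. The block below is an added example written for this thread, not code from pcredemo.c or the PCRE distribution: it implements the same loop in Python's `re` module, which spells named groups `(?P<name>...)` rather than `(?'name'...)`, so the rate/ceil pattern is transcribed accordingly. Python's `re` has no PCRE_NOTEMPTY_ATSTART, so the anchored retry after an empty match simply rejects an empty match at that offset instead of backtracking for a non-empty one; that is a simplification of what PCRE does. The sample pattern, subject string and the `\d*` demonstration input are constructed, so the offsets differ from the ones in the message.

```python
"""Global (/g-style) matching loop with named substrings, modelled on the
second-and-subsequent-matches loop of pcredemo.c.  Written as an example for
this thread using Python's re module; it is not pcre code."""
import re

# Constructed sample: the rate/ceil pattern from the thread in Python's
# (?P<name>...) spelling, and a tc-style subject string.
PATTERN = r"rate (?P<rate>\d+)Kbit|ceil (?P<ceil>\d+)Kbit"
SUBJECT = "quantum 12500 rate 30Kbit ceil 54Kbit"


def match_all(pattern, subject, flags=0):
    """Return a list of (offset, matched_text, named_groups) for every match,
    in the order Perl's /g would report them.  Unset named groups are None,
    the way pcredemo prints them as empty."""
    rx = re.compile(pattern, flags)
    results = []
    start = 0
    previous_was_empty = False
    while True:
        if previous_was_empty:
            # pcredemo: an empty match at the end of the subject ends the loop
            if start >= len(subject):
                break
            # pcredemo sets PCRE_NOTEMPTY_ATSTART | PCRE_ANCHORED here so the
            # same empty match is not found again at `start`.  Python's re
            # has no NOTEMPTY, so an empty match at this offset is rejected.
            m = rx.match(subject, start)
            if m is None or m.end() == m.start():
                # Nothing non-empty at this offset: advance one character and
                # go back to an ordinary unanchored search (pcredemo does the
                # same with ovector[1] = start_offset + 1).
                start += 1
                previous_was_empty = False
                continue
        else:
            m = rx.search(subject, start)
            if m is None:
                break          # normal end of the loop: no further match
        results.append((m.start(), m.group(0), m.groupdict()))
        previous_was_empty = (m.end() == m.start())
        start = m.end()
    return results


def report(pattern, subject, flags=0):
    """Print the matches roughly the way pcredemo -g does."""
    for offset, text, named in match_all(pattern, subject, flags):
        print(f"Match succeeded at offset {offset}: {text!r}")
        for name, value in named.items():
            print(f"  {name}: {'' if value is None else value}")


if __name__ == "__main__":
    report(PATTERN, SUBJECT)
    # A pattern that can match the empty string exercises the retry rule:
    # Perl reports '', '', '12', '' for this subject.
    report(r"\d*", "ab12")
```

For the paragraph case asked about in the message, the `flags` argument is where Python's `re.MULTILINE` and `re.DOTALL` go; their pcre_compile() counterparts are the PCRE_MULTILINE and PCRE_DOTALL options.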

Re: [Shorewall-users] Adding iptable rules for DSCP marking

2012-02-21 Thread jonetsu
On Mon, 20 Feb 2012 13:42:56 -0800,
Tom Eastep teas...@shorewall.net wrote :

 The Beta containing DSCP support will be released sometime this week;
 probably Saturday. The final release will be around the middle of
 March.

The way I'm going now is that I have a table of DSCP to TC marks.  This
table is processed when there's some tcrules configuration.  Being a
table, it allows for quickly having multiple tcrules mark assigned to a
single DSCP egress mark.  For SIP traffic, for instance, many ports can
be AF31 while RTP is EF.  

Although I am not sure that it provides much more ease of
configuration.  After all, a tcrule can filter on many ports.  Having
one single DSCP mark as part of a tcrule can very well achieve the same
goal w/o additional table processing overhead.  Would you also think
that having a DSCP-mark-to-TC-mark table is overkill ?

Thanks.



Re: [Shorewall-users] Adding iptable rules for DSCP marking

2012-02-20 Thread jonetsu
On Mon, 20 Feb 2012 09:10:30 -0800,
Tom Eastep teas...@shorewall.net wrote :

 If you can wait until 4.5.1 is released, you can set the DSCP field
 with entries in /etc/shorewall/tcrules.

Thanks for the suggestions !  It's appreciated.  

When would be the release of 4.5.1 ?
 



F15: Volume level starts at almost full blast

2012-02-19 Thread jonetsu
Hello,

  I have one F15 64-bit machine on which the volume has to be very
close to the minimum as it seems to attain full volume very, very
early.  Not much play in there.  When pushed to the max there is some
'hardware noise' as it is very over-driven.  I do not recall having this
problem before a recent update on that machine.  Another F15 64-bit
machine does not show this limited range at all and has a nice volume
control.

  Would this be a hardware problem or is there something in a
recent update that would mess the audio in such a way when seeing some
specific hardware ?

Thanks.
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


[Shorewall-users] Adding iptable rules for DSCP marking

2012-02-19 Thread jonetsu
Hello,

I would like to DSCP-mark some traffic and have this marking set when
shorewall starts.  The 'started' file seems to be the place to put
those extra iptables commands.  Has anyone used the started file for
this purpose ?  Any drawbacks ?

Thanks for any suggestions/comments.





F15 update: no more nvidia

2012-02-12 Thread jonetsu
Hello all,

  This afternoon I updated the F15 x86_64 workstation I use.  There
were quite a few updates in the pipe, so why not.  There was properly
working nvidia setup which gave high Xorg resolution.

  Before proceeding there was a warning from yum about the nvidia to
the effect that:

1:kmod-nvidia-2.6.41.10-3.fc15.x86_64-280.13-2.fc15.16.x86_64

needs:

kernel-uname-r = 2.6.41.10-3.fc15.x86_64

And that I should use '--skip-broken' to proceed.

So I thought that since everything is working fine right now, there is
nothing to lose by ignoring this.

Wrong.

When the update was done I rebooted and no more X server.  kernel
2.6.42.3-2.fc15.x86_64 was installed.

After a bit of time I decided to edit grub.conf to boot the previous
kernel which was 2.6.41.4-1.fc15.x86_64.

So now I have graphical output but only in 1024 low resolution.

How can I get back the high resolution, e.g. get back the nvidia
driver in line ?  I have both Fedora and rpm fusion repositories
configured.

uname -a is now:

2.6.41.4-1.fc15.x86_64

When I try a 'yum install kmod-nvidia' (hopefully thinking it would
install one for the current kernel) there is the same complaint:

kmod-nvidia-2.6.41.10-3.fc15.x86_64-280.13-2.fc15.16.x86_64

needs:

kernel-uname-r = 2.6.41.10-3.fc15.x86_64

Which is not part of the three kernels that are installed and available.

Is it possible to precisely ask yum to install the
2.6.41.10-3.fc15.x86_64 kernel that would work with nvidia ?

Or...

How to get back high resolution and if possible, how to get it back with
the new kernel that was just installed, 2.6.42.3-2.fc15.x86_64, to
which I can point grub ?

Thanks.


Re: F15 update: no more nvidia

2012-02-12 Thread jonetsu
On Sun, 12 Feb 2012 17:38:56 -0700,
Pete Travis li...@petetravis.com wrote :

 yum install akmod-nvidia
 
 The akmod will build the module locally when there is disparity
 between the kmod and kernel versions.  You can install them both and
 not think about it again.

Super!  This works very nicely.  Installed it, then rebooted and now
back to high resolution.

Also, this is a principle I'm not too familiar with, this capacity for
certain drivers to rebuild themselves when needed.  I think VMware also
uses that (at last ! ;-)  ... if what's at work here with
akmod-nvidia is that.

Within Fedora, are there any other drivers that work in the same
way ? Could be useful to know.

 Do NOT install the NVIDIA...RUN blob.  We have sane repos and
 competent package management, there is no reason to abandon them
 because rpmfusion is a day or two behind the kernel.  This method is
 not sustainable, irrevocably changes system files that it shouldn't,
 and is not supportable here.

I also prefer to stick with the dedicated repositories.

Thanks.

