Re: [openssl.org #3089] Building OpenSSL 1.0.1e with FIPS on Win64A
On 07/10/2013 03:46 PM, Graeme Perrow via RT wrote: I am trying to build the FIPS Object Module for Windows on an AMD64 machine. I started with the instructions in section 4.3 of the User Guide 2.0, and was able to build the FIPS module itself, but the instructions for building a FIPS-capable OpenSSL are specific to 32-bit Windows. I adjusted the build procedure as follows: ... Also (and more importantly), if I have to modify the build procedure for the FIPS-capable OpenSSL but not for the FIPS Object Module itself, does that mean my Module is not FIPS 140-2 validated? I think this is more of a user list question. OpenSSL proper (as opposed to the OpenSSL FIPS Object Module) is out of scope of the FIPS 140-2 validation procedure, so you can hack it to your hearts content. You need to embed the HMAC-SHA1 integrity check (incore) digest in the FIPS module embedded in the shared library executable file, but you aren't constrained to a specific command or process. Also note that you must verify the SHA1 digest of the FIPS module files (as is done automatically in the fipsld script). Sort of moot if you just generated those files, but a technical requirement nonetheless. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #3089] Building OpenSSL 1.0.1e with FIPS on Win64A
On 07/10/2013 03:46 PM, Graeme Perrow via RT wrote: I am trying to build the FIPS Object Module for Windows on an AMD64 machine. I started with the instructions in section 4.3 of the User Guide 2.0, and was able to build the FIPS module itself, but the instructions for building a FIPS-capable OpenSSL are specific to 32-bit Windows. I adjusted the build procedure as follows: ... Also (and more importantly), if I have to modify the build procedure for the FIPS-capable OpenSSL but not for the FIPS Object Module itself, does that mean my Module is not FIPS 140-2 validated? I think this is more of a user list question. OpenSSL proper (as opposed to the OpenSSL FIPS Object Module) is out of scope of the FIPS 140-2 validation procedure, so you can hack it to your hearts content. You need to embed the HMAC-SHA1 integrity check (incore) digest in the FIPS module embedded in the shared library executable file, but you aren't constrained to a specific command or process. Also note that you must verify the SHA1 digest of the FIPS module files (as is done automatically in the fipsld script). Sort of moot if you just generated those files, but a technical requirement nonetheless. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Crash in RAND_poll for IOS
Hi, I have cross compiled openssl for ios and using it for generating random number and other crypto stuff. When I try to generate random number, I get a crash in XCode from RAND_poll. Does the RAND_poll conform with ios ? Is there any known issue with openssl random generation and ios? Please let me know. Regards Shiva
RE: [Patch] ALPN Implementation for OpenSSL
Understood, I'll start working on this behavior: The client can send ALPN, NPN, or both. If the client only sends one: negotiation will take place normally. If the client sends both: the server will prefer ALPN. If nothing matches with ALPN, it will fall back to NPN and send its list. Also, we have received some feedback off-list on the code we have already posted, and will be reposting with some updates soon. Hi All, I have posted our updated ALPN patch, http://rt.openssl.org/Ticket/Display.html?id=3073. I'm happy to address any feedback. Also, there have been some questions about testing. The new patch has added support to s_client and s_server which should enable testing ALPN without any dependencies. Thanks, Jeff Mendoza __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org