FIPS-capable curl: Solaris 9 - fingerprint does not match
Back to square 2 out of 3: Platform: SunOS bear 5.9 Generic_118558-34 sun4u sparc SUNW,Ultra-5_10 gcc (GCC) 3.4.6 GNU ld version 2.17 GNU ar 2.17 1. Built fips-1.1.2 successfully 2. Built openssl-0.9.7m successfully with ... ./Configure solaris-sparcv9-gcc27 fips --with-fipslibdir=/export/home/wellingc/dudc/openssl-fips-1.1.2/fips-1.0/ (also tried with -shared, but no successful build) 3. Built modded curl executable, adding a --fips-mode option, using ... ./configure --with-ssl=/usr/local/ssl --enable-http --disable-tftp --disable-file --disable-ldap --disable-ldaps --disable-dict --disable-telnet --with-ca-path=../x.dcerts --disable-ldap When curl executable is run from command-line with --fips-mode, get ... SSL: 0:705134702:fips.c:212:0:error:2A07806E:FIPS routines:FIPS_check_dso:fingerprint does not match I've read all fips solaris forum messages + others ... I thought I had this down, but ... a little guidance would be appreciated.
Re: How to use a hardware RNG with openssl?
Gerd Schering wrote: Lutz Jaenicke wrote: Gerd Schering wrote: Hello, we purchased a hrng for the generation of RSA keys for instance. It is an USB device an shows up as /dev/qrandom. So, in order to generate rsa keys, is it sufficient to use it as a replacement for /dev/urandom and to call genrsa as openssl genrsa -rand /dev/qrandom 2048 ? Yes, it is sufficient. Please note that a source not having a definite EOF (End Of File) will lead to an infinite loop reading from the source. It may therefore be necessary to read a specified amount of entropy first into an intermediate file to be fed via -rand. So , if I get it right: we have a true random source to seed the PRNG and this produces true random numbers? To my best knowledge there does not exist a mathematical proof for the quality of the used entropy pool with hash mixing PRNG. We believe that it is of very high quality. You may also have a look into the thread Fix VIA Padlock RNG support on the openssl-dev mailing list. It discusses the point that OpenSSL does handle RNGs provided via engine interface in fact completely replace the built-in PRNG with the external entropy source. Best regards, Lutz __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
OpenSSL for Win XP Professional
Openssl 9.7c. I get the error Unable to load config info Unable to find 'distinguished_name' in config. This while trying to generate a certificate for self signing after a key generation. Is there a fix for this? I assume upgrading to 9.8i will fix this, but I don't know how to install a tarball on windows xp pro. Is there a zip file for download? Is there a specific way to install to avoid errors? If there is a group or website with this info please point me to it.
Re: How to use a hardware RNG with openssl?
F. wrote: If the true random generator is in /dev/random, and I want use only this device for random data using openssl.cnf: RANDFILE = /dev/random Is this correct? This is nearly correct. OpenSSL will read 2048 bytes from it (2048 is hardcoded for device files to avoid endless loops, seems my statement below was not completely up-to-date). The first attempt to generate a pseudo random number will however still read an additonal amount of bytes from /dev/urandom. Best regards, Lutz El vie, 19-09-2008 a las 23:21 +0200, Gerd Schering escribió: Yes, it is sufficient. Please note that a source not having a definite EOF (End Of File) will lead to an infinite loop reading from the source. It may therefore be necessary to read a specified amount of entropy first into an intermediate file to be fed via -rand. So , if I get it right: we have a true random source to seed the PRNG and this produces true random numbers? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
convert .cer format to .pem format in command line, Need help...
Hi, I want to convert *.cer* format to *.pem* format with the private key.I tried it by using following command. *openssl x509 -inform der -in certificate.cer -out certificate.pem *But the *certificate.pem* file doesn't contain the private key. To do this task, I want to use command line. Pls can any one help me... Thanks Buddhika
R: RSA_sign, RSA_verify and padding
Hi, I'm using OpenSSL 0.9.8a 11 Oct 2005 (+ security patches to 2007-10-13) on opensolaris 2008.11 b97 and programming in C. My question is about the message digest *m used into functions in object.* ** *I have notice a strange *behavior concerning the length of this string: if too long and/or not a multiple of 8 char i receive this error: error:0407006A:lib(4):func(112):reason(106) error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01 m is not a string it is binary data including the message digest value. The length of that data is the length of the corresponding digest. If you wish to sign data as opposed to a digest you should use the EVP_Sign*() functions. Steve. How I can generate this binary data ? I need to make sign in a client program and verify in a server so m value must be known previously by both and can't change (now it's define as constant in both) TNX for help. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Openssl Fips Shared Library
Can u please tell me what FIPS_set_mode() returns when i am using it will the FIPS_set_mode(1), returns 1 and also when using FIPS_set_mode(1), returns 1 So how can i come out of fips mode once it is entered, how can i come out of fips mode . can u please explain it will sample program. Thank in Advance Joshi On Sat, Sep 20, 2008 at 12:12 AM, Kyle Hamilton [EMAIL PROTECTED] wrote: use 'fipsld' the same way you would use your system-provided ld. It requires a list of input files and a -o to set the name of the output file. -Kyle H On Fri, Sep 19, 2008 at 7:53 AM, joshi chandran [EMAIL PROTECTED] wrote: How to link fipsld linking to set the in-core hash. can u please tell me how to link fipsld to the fips module. when i am using fipsld it is showing no -o specified $ sh fipsld no -o specified can u please tell me wat does -o indicate here and please give the list of other options and there purpose Thank in Advance Joshi Chandran On Thu, Sep 18, 2008 at 10:44 PM, Steve Marquess [EMAIL PROTECTED] wrote: Carlo Milono wrote: How curious that this topic would come up today as I had a discussion on it just two days earlier. The OpenSSL FIPS 140-2 Security Policy Version 1.1.2 states: The FIPS Object Module is not a static library. It may be incorporated into shared library files or runtime executable application files, but in any event can only be incorporated intact and in its entirety. This was leading me to believe that we could use this in a shared library mode; perhaps we need to understand the boundaries of what may be included in a shared library? How can we interpret the above quote? The FIPS Object Module is just that, an object module (fipscanister.o). For v1.1.x it may or may not consist of position independent code, depending on the platform. If it does consist of position independent code then you can incorporate it into a shared library just like any other object module, subject of course to the fipsld linking to set the in-core hash. If it isn't position independent, then you're out of luck as the Security Policy rules don't allow you to modify the build-time parameters. For v1.2 the FIPS Object Module is always generated as position independent code. The corresponding FIPS capable OpenSSL distributions (fips option) will automatically include it in the libcrypto shared library. -Steve M. -- Steve Marquess Open Source Software Institute [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] -- Regards Joshi Chandran __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] -- Regards Joshi Chandran
sslv3 Disabling weak ciphers
Hello, I've been disabling weak ciphers for PCI compliance and have succefully disabled them for sslv2: [EMAIL PROTECTED] # openssl s_client -connect IP:443 -ssl2 -cipher EXP-RC4-MD5 CONNECTED(0003) write:errno=104 But for sslv3 it comes up as which fails my compliance audit CONNECTED(0003) 718:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1052:SSL alert number 40 718:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529: I have listed the ciphers I use in stunnel.conf ciphers=AES128-SHA:AES256-SHA:DES-CBC3-MD5:DES-CBC3-SHA:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:DHE-DSS-RC4-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:EDH-DSS-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:KRB5-RC4-MD5:KRB5-RC4-SHA:RC2-CBC-MD5:RC4-MD5 Any help appreciated!
Re: convert .cer format to .pem format in command line, Need help...
Hello, I'm not an expert, but I think, thot you forgot to specify the outform paramter: openssl x509 -inform pem -in certificate.cer -outform der -out certificate.pem Best regards Martin buddhika schrieb: Hi, I want to convert *.cer* format to *.pem* format with the private key.I tried it by using following command. *openssl x509 -inform der -in certificate.cer -out certificate.pem *But the *certificate.pem* file doesn't contain the private key. To do this task, I want to use command line. Pls can any one help me... Thanks Buddhika __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
How to convert .der file to .pem
Hi all; Thanks all of you for your support. I have cert.der file and I want to convert it cert.pem file using open ssl. How I can convert it. Please Tell me. Thank you. Regards, --Ajeet Kumar Singh image002.jpg
Re: FIPS-capable curl: Solaris 9 - fingerprint does not match
On Sun, Sep 21, 2008, Welling, Conrad Gerhart wrote: Back to square 2 out of 3: Platform: SunOS bear 5.9 Generic_118558-34 sun4u sparc SUNW,Ultra-5_10 gcc (GCC) 3.4.6 GNU ld version 2.17 GNU ar 2.17 1. Built fips-1.1.2 successfully 2. Built openssl-0.9.7m successfully with ... ./Configure solaris-sparcv9-gcc27 fips --with-fipslibdir=/export/home/wellingc/dudc/openssl-fips-1.1.2/fips-1.0/ (also tried with -shared, but no successful build) 3. Built modded curl executable, adding a --fips-mode option, using ... ./configure --with-ssl=/usr/local/ssl --enable-http --disable-tftp --disable-file --disable-ldap --disable-ldaps --disable-dict --disable-telnet --with-ca-path=../x.dcerts --disable-ldap When curl executable is run from command-line with --fips-mode, get ... SSL: 0:705134702:fips.c:212:0:error:2A07806E:FIPS routines:FIPS_check_dso:fingerprint does not match I've read all fips solaris forum messages + others ... I thought I had this down, but ... a little guidance would be appreciated. You need to link the application using the fipsld script. That will correctly obtain and embed the correct signature in the target. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: How to convert .der file to .pem
try with: openssl x509 -inform DER -in filename -outform PEM -out filename or look at www.openssl.org LQ Ajeet kumar.S ha scritto: Hi all; Thanks all of you for your support. I have cert.der file and I want to convert it cert.pem file using open ssl. How I can convert it. Please Tell me. Thank you. Regards, --Ajeet Kumar Singh __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: convert .cer format to .pem format in command line, Need help...
buddhika schrieb: Hi, I want to convert *.cer* format to *.pem* format with the private key.I tried it by using following command. *openssl x509 -inform der -in certificate.cer -out certificate.pem *But the *certificate.pem* file doesn't contain the private key. To do this task, I want to use command line. Pls can any one help me... The *.cer extension is usually used for _certificates_. Certificates do not contain a private key (just the public one), so it's not uncommon to run into troubles trying to extract one from it! ;) I guess you'll have to look for a *.p12 file (a PKCS#12 bag) and use openssl pkcs12 (http://www.openssl.org/docs/apps/pkcs12.html) to extract your private key from that. Hope it helps Ted ;) -- PGP Public Key Information Download complete Key from http://www.convey.de/ted/tedkey_convey.asc Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26 smime.p7s Description: S/MIME Cryptographic Signature
Re: How to convert .der file to .pem
Hi, Try out this: openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM Regards, Shivakumar - Original Message - From: Ajeet kumar.S To: openssl-users@openssl.org Sent: Monday, September 22, 2008 5:06 PM Subject: How to convert .der file to .pem Hi all; Thanks all of you for your support. I have cert.der file and I want to convert it cert.pem file using open ssl. How I can convert it. Please Tell me. Thank you. Regards, --Ajeet Kumar Singh attachment: image002.jpg
RE: How to convert .der file to .pem
Hi all; Thank you Luciano Quartarone for your help. I tried to convert .der file to .pem using your given idea but I did not get success.I am using open ssl command line tool. Any thing more I need to do? Regards, --Ajeet Kumar Singh Sarve Bhavantu Sukhina ,Sarve Santu NiramayaSarve Bhadrani Pashyantu , Maa Kaschit Dukha Bhagh Bhavet -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Luciano Quartarone Sent: Monday, September 22, 2008 5:14 PM To: openssl-users@openssl.org Subject: Re: How to convert .der file to .pem try with: openssl x509 -inform DER -in filename -outform PEM -out filename or look at www.openssl.org LQ Ajeet kumar.S ha scritto: Hi all; Thanks all of you for your support. I have cert.der file and I want to convert it cert.pem file using open ssl. How I can convert it. Please Tell me. Thank you. Regards, --Ajeet Kumar Singh __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: How to convert .der file to .pem
Hi All; Thanks allot Shiva Kumar. I tried it. It is working. Thank you. Regards, --Ajeet Kumar Singh _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shivakumar Balur Sent: Monday, September 22, 2008 5:57 PM To: openssl-users@openssl.org Subject: Re: How to convert .der file to .pem Hi, Try out this: openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM Regards, Shivakumar - Original Message - From: Ajeet kumar.S mailto:[EMAIL PROTECTED] To: openssl-users@openssl.org Sent: Monday, September 22, 2008 5:06 PM Subject: How to convert .der file to .pem Hi all; Thanks all of you for your support. I have cert.der file and I want to convert it cert.pem file using open ssl. How I can convert it. Please Tell me. Thank you. Regards, --Ajeet Kumar Singh image001.jpgimage002.jpg
Re: How to convert .der file to .pem
Hi, Try to use this openssl x509 –in input.crt –inform DER –out output.crt –outform PEM If u still get the error then tell the exact error u r getting during conversion. On Mon, Sep 22, 2008 at 5:54 PM, Ajeet kumar.S [EMAIL PROTECTED] wrote: Hi all; Thank you Luciano Quartarone for your help. I tried to convert .der file to .pem using your given idea but I did not get success.I am using open ssl command line tool. Any thing more I need to do? Regards, --Ajeet Kumar Singh Sarve Bhavantu Sukhina ,Sarve Santu NiramayaSarve Bhadrani Pashyantu , Maa Kaschit Dukha Bhagh Bhavet -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Luciano Quartarone Sent: Monday, September 22, 2008 5:14 PM To: openssl-users@openssl.org Subject: Re: How to convert .der file to .pem try with: openssl x509 -inform DER -in filename -outform PEM -out filename or look at www.openssl.org LQ Ajeet kumar.S ha scritto: Hi all; Thanks all of you for your support. I have cert.der file and I want to convert it cert.pem file using open ssl. How I can convert it. Please Tell me. Thank you. Regards, --Ajeet Kumar Singh __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] -- regards, Vineeta Kumari Software engg Mobera Systems Chandigarh __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: FIPS-capable curl: Solaris 9 - fingerprint does not match
how to link fipsld with the application .Can u please explain On Mon, Sep 22, 2008 at 4:14 PM, Dr. Stephen Henson [EMAIL PROTECTED]wrote: On Sun, Sep 21, 2008, Welling, Conrad Gerhart wrote: Back to square 2 out of 3: Platform: SunOS bear 5.9 Generic_118558-34 sun4u sparc SUNW,Ultra-5_10 gcc (GCC) 3.4.6 GNU ld version 2.17 GNU ar 2.17 1. Built fips-1.1.2 successfully 2. Built openssl-0.9.7m successfully with ... ./Configure solaris-sparcv9-gcc27 fips --with-fipslibdir=/export/home/wellingc/dudc/openssl-fips-1.1.2/fips-1.0/ (also tried with -shared, but no successful build) 3. Built modded curl executable, adding a --fips-mode option, using ... ./configure --with-ssl=/usr/local/ssl --enable-http --disable-tftp --disable-file --disable-ldap --disable-ldaps --disable-dict --disable-telnet --with-ca-path=../x.dcerts --disable-ldap When curl executable is run from command-line with --fips-mode, get ... SSL: 0:705134702:fips.c:212:0:error:2A07806E:FIPS routines:FIPS_check_dso:fingerprint does not match I've read all fips solaris forum messages + others ... I thought I had this down, but ... a little guidance would be appreciated. You need to link the application using the fipsld script. That will correctly obtain and embed the correct signature in the target. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] -- Regards Joshi Chandran
Re: How to use a hardware RNG with openssl?
F. wrote: Any way to collect only from HRNG? This can be a choice or not? e_os.h #ifndef DEVRANDOM /* set this to a comma-separated list of 'random' device files to try out. * My default, we will try to read at least one of these files */ #define DEVRANDOM /dev/random #endif Yes, this will assure that additional entropy will be mixed in from /dev/random only. Please not that still the OpenSSL internal PRNG will be used, it is just the seed that is used from specific sources. If you add seed explicitly the part loaded via DEVRANDOM is only on top. We also add process ids, system time etc for good measure just to stir the pool as on top does not hurt. If you do not agree with this policy you can add an engine code to provide the internally used random numbers according to your policy. Best regards, Lutz __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: How to use a hardware RNG with openssl?
Gerd Schering wrote: So , if I get it right: we have a true random source to seed the PRNG and this produces true random numbers? No. There is no such guarantee using any PRNG. PRNGs provide a much higher bitrate than hardware RNGs or system sources of entropy. They use cryptographic hash functions to whiten data, i.e., these hash functions have the property that a change in a single bit of input changes, on average, half the output bits. Presumably you want a source of nicely-distributed random bits which are computationally infeasible for another party to predict. If you want a security guarantee (reduction proof that if PRNG is insecure, it implies SHA1 is insecure, etc.), then there are design and operational constraints to consider (e.g. generating only 2^N bits with 2^M bits of input from a RBG). Oh, and you'll have to supply the proof -- it's missing on all the commonly used PRNGs. - Michael __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Openssl Fips Shared Library
joshi chandran wrote: Can u please tell me what FIPS_set_mode() returns when i am using it will the FIPS_set_mode(1), returns 1 and also when using FIPS_set_mode(1), returns 1 FIPS_mode_set() returns 1 on success and 0 on failure. FIPS_mode() returns the current mode. Tim. PGP.sig Description: PGP signature
RE: FIPS-capable curl: Solaris 9 - fingerprint does not match
Dr. Henson: Thanks for your quick response and your patience. Sometimes I have a way of trying to make things so much harder than they need to be. I reread page 33 of the OFOM User Guide ... The fipsld command requires that the CC and/or FIPSLD_CC environment variables be set, with the latter taking precedence. These variables allow a typical Makefile to be used without modification by specifying a command of the form make CC=fipsld FIPSLD_CC=gcc where fipsld is invoked by make in lieu of the original compiler and linker (gcc in this example), and in turn invokes that compiler where appropriate. So, I stopped trying to edit the curl Makefiles and, instead, actually tried doing exactly what Steve Marquess says to do in the OFOM User Guide (along with copying fipsld into the necessary curl source directories and telling make where to find openssl). Of course, my FIPS-capable curl built successfully. Thanks again. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dr. Stephen Henson Sent: Monday, September 22, 2008 3:44 AM To: openssl-users@openssl.org Subject: Re: FIPS-capable curl: Solaris 9 - fingerprint does not match On Sun, Sep 21, 2008, Welling, Conrad Gerhart wrote: Back to square 2 out of 3: Platform: SunOS bear 5.9 Generic_118558-34 sun4u sparc SUNW,Ultra-5_10 gcc (GCC) 3.4.6 GNU ld version 2.17 GNU ar 2.17 1. Built fips-1.1.2 successfully 2. Built openssl-0.9.7m successfully with ... ./Configure solaris-sparcv9-gcc27 fips --with-fipslibdir=/export/home/wellingc/dudc/openssl-fips-1.1.2/fips-1.0/ (also tried with -shared, but no successful build) 3. Built modded curl executable, adding a --fips-mode option, using ... ./configure --with-ssl=/usr/local/ssl --enable-http --disable-tftp --disable-file --disable-ldap --disable-ldaps --disable-dict --disable-telnet --with-ca-path=../x.dcerts --disable-ldap When curl executable is run from command-line with --fips-mode, get ... SSL: 0:705134702:fips.c:212:0:error:2A07806E:FIPS routines:FIPS_check_dso:fingerprint does not match I've read all fips solaris forum messages + others ... I thought I had this down, but ... a little guidance would be appreciated. You need to link the application using the fipsld script. That will correctly obtain and embed the correct signature in the target. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]