Re: OpenSSL 1.0.0 and FIPS
On 3/31/2010 4:21 PM, Gatewood (Woody) Green wrote: > > Actually, no 140-3 will be successor to 140-2 which is successor to > 140-1. The hyphenated number is a release version. Woody, thanks for this clarification... > You are trying to talk about FIPS 140-2, Level 3 certification in your > example. (bottom of page two in the gov't 140-2 PDF; see link below) > > The levels are *within* the particular 140-x standard. Case in point, > the original draft of 140-3 contained five levels but has since been > reduced back to four as is in the 140-2 version. Second example, we > have 140-2, Level 2 certification on a subset of our products (version, > model and product specific). and these additional details! Yes, I had confused the rev level with the FIPS certification level. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: OpenSSL 1.0.0 and FIPS
-BEGIN PGP SIGNED MESSAGE- Hash: RIPEMD160 William A. Rowe Jr. wrote on 03/31/2010 01:20 AM: > On 3/30/2010 10:58 AM, Gatewood (Woody) Green wrote: >> >> I assume the 2010 limit on new validations is the impending finalization >> of 140-3. > > What you are thinking of won't be designated 140-3, it's not sequential, > there is such a FIPS level already. Probably FIPS-{new}-2 or FIPS-140-2 2010 > or something like that. > > FIPS 140-3 implies a level of physical validation that an open source project > isn't able to consider validating to. If you were to bundle OpenSSL-FIPS into > a sealed card, and add the appropriate cert/key mgmt, then you could consider > applying for FIPS 140-3 validation for such a physical device. Actually, no 140-3 will be successor to 140-2 which is successor to 140-1. The hyphenated number is a release version. You are trying to talk about FIPS 140-2, Level 3 certification in your example. (bottom of page two in the gov't 140-2 PDF; see link below) The levels are *within* the particular 140-x standard. Case in point, the original draft of 140-3 contained five levels but has since been reduced back to four as is in the 140-2 version. Second example, we have 140-2, Level 2 certification on a subset of our products (version, model and product specific). A reading of the gov't's own file titled "fips1402.pdf" contains data on all four levels of 140-2 certification. Note the phrasing used in the second paragraph and the security levels starting at the bottom of page one in: http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf Backed by the wording "The Revised Draft FIPS 140-3 is the second public draft of NIST’s proposed revision of FIPS 140-2." on: http://csrc.nist.gov/publications/PubsDrafts.html And finally, 140-2 certifications issued continue to be valid even after the release of 140-3, but *new* certifications will be required to meet the 140-3 stricter standard. My original question was centered around the idea of whether the 2010 limit Steve M. mentioned was due to the upcoming release of 140-3, a possible update to 140-2 prior to the finalization and release of 140-3 or if he thought the openssl-fips-1.2 certificate might be revoked (as has happened once before with 1.1.2 if I remember correctly). Thanks, Woody - -- - --- Gatewood Green Sr. Software Engineer/Network Admin Email: wo...@nitrosecurity.com http://www.nitrosecurity.com/ NitroSecurity - --- Imagine, if you will, a world in which there are no hypothetical situations... -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org/ iEYEAREDAAYFAkuzvL8ACgkQHnsUla8nzK07GwCfVwX7jVP9T2nPtHzawKHdAVaZ EdIAnioJrMbH7hIpFW2g8emBOTpobgbu =eTij -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Get key from a evp_pkey structure
Hello, I have my public key stored in a card. Using opensc I get the public key from my certificate.I'm doing a C program and I have the key in a EVP_PKEY structure but i need pass the key to a string or file Any idea? Thanks _ ¿Te gustaría tener Hotmail en tu móvil Movistar? ¡Es gratis! http://serviciosmoviles.es.msn.com/hotmail/movistar-particulares.aspx
Openssl issue??
I am trying to to use ftps for secure server. We have two identical client trying to connect to the server.Client 1 can connect but not client 2. Client 2 throws below error error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag Openssl on both clients openssl-0.9.7a-43.1 xmlsec1-openssl-1.2.6-3 openssl-devel-0.9.7a-43.1 client 1 --- curl -3 -v --ftp-ssl -k -S ftp://abc:xyz...@10.10.10.1 * About to connect() to 10.10.10.1 port 21 * Trying 10.10.10.1... * connected * Connected to 10.10.10.1 (10.10.10.1) port 21 < 220 (vsFTPd 2.0.1) > AUTH SSL < 234 Proceed with negotiation. * successfully set certificate verify locations: * CAfile: /usr/share/ssl/certs/ca-bundle.crt CApath: none * SSL connection using DES-CBC3-SHA * Server certificate: *subject: /C=US/ST=NJ/L=FP/O=test/CN=test.test.com *start date: 2010-03-31 04:53:33 GMT *expire date: 2011-03-31 04:53:33 GMT *common name: test.test.com (does not match '10.10.10.1') *issuer: /C=US/ST=NJ/L=FP/O=test/CN=test.test.com * SSL certificate verify result: error number 1 (18), continuing anyway. > USER abc < 331 Please specify the password. > PASS xyz123 < 530 Login incorrect. * the username and/or the password are incorrect * Closing connection #0 client2 # curl -3 -v --ftp-ssl -k -S ftp://abc:xyz...@10.10.10.1 * About to connect() to 10.10.10.1 port 21 * Trying 10.10.10.1... * connected * Connected to 10.10.10.1 (10.10.10.1) port 21 < 220 (vsFTPd 2.0.1) > AUTH SSL < 234 Proceed with negotiation. * successfully set certificate verify locations: * CAfile: /usr/share/ssl/certs/ca-bundle.crt CApath: none * error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag * Closing connection #0 Cheers CG __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
wget passphrase
Sorry if this has been ask before. I need to use 'wget' to do a secure file download. It works great at the command line. Unfortunately wget asks for the PEM passphrase. However this will eventually be part of an embedded application so the passphrase prompt can't happen. 1. Can you create PEM's without a passphrase? 2. Should i use Curl which seems to provide an option for passphrases. 3. Any better suggestions (fairly new to security). thanx /carl __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Random Numbers
On Wed, Mar 31, 2010, Anthony Gabrielson wrote: > > Hello, > > I'm actually writing a Matlab toolbox that uses OpenSSL. I put together a > function, actually its really heavily based on the OpenSSL book, that > generates random keys and IV. Anyway, I wasn't comfortable with how I was > seeding prng, it seems like a real easy place to screw up. I just wanted to > make sure I wasn't doing anything obviously wrong. My current function will > look /dev/urandom if its unix based and RAND_screen if its windows based. > With that said, based on your comments I'm wondering if I should just take > that function out all together. > The OpenSSL code already uses /dev/urandom if available and other sources too. On Windows it uses CryptGenRandom() among other things. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Random Numbers
- Original Message - From: "Dr. Stephen Henson" To: openssl-users@openssl.org Sent: Wednesday, March 31, 2010 7:43:06 AM GMT -05:00 US/Canada Eastern Subject: Re: Random Numbers You can use RAND_bytes() on Windows and the OpenSSL PRNG will be automatically seeded from various sources of entropy. If you're only using OpenSSL for random numbers then you could alternatively use other Windows specific APIs such as CryptGenRandom() of CryptoAPI. Steve. -- Hello, I'm actually writing a Matlab toolbox that uses OpenSSL. I put together a function, actually its really heavily based on the OpenSSL book, that generates random keys and IV. Anyway, I wasn't comfortable with how I was seeding prng, it seems like a real easy place to screw up. I just wanted to make sure I wasn't doing anything obviously wrong. My current function will look /dev/urandom if its unix based and RAND_screen if its windows based. With that said, based on your comments I'm wondering if I should just take that function out all together. Thanks, Anthony
Re: Random Numbers
On Tue, Mar 30, 2010, Anthony Gabrielson wrote: > Hello, > > I've been searching around and I'm not finding much on > OpenSSL and random numbers. I'm trying to figure out how to best use > RAND_bytes and RAND_pseudo_bytes; do I still need to worry about entropy or > does OpenSSL take care of it for me these days? If I do need to worry about > it, does anyone have any suggestions on where I can look for pointers for > use with windows? > You can use RAND_bytes() on Windows and the OpenSSL PRNG will be automatically seeded from various sources of entropy. If you're only using OpenSSL for random numbers then you could alternatively use other Windows specific APIs such as CryptGenRandom() of CryptoAPI. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: OpenSSL 1.0.0 and FIPS
On 3/30/2010 10:58 AM, Gatewood (Woody) Green wrote: > > I assume the 2010 limit on new validations is the impending finalization > of 140-3. What you are thinking of won't be designated 140-3, it's not sequential, there is such a FIPS level already. Probably FIPS-{new}-2 or FIPS-140-2 2010 or something like that. FIPS 140-3 implies a level of physical validation that an open source project isn't able to consider validating to. If you were to bundle OpenSSL-FIPS into a sealed card, and add the appropriate cert/key mgmt, then you could consider applying for FIPS 140-3 validation for such a physical device. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Random Numbers
On Tue, Mar 30, 2010 at 11:48 PM, P Kamath wrote: > I said it is an RNG, not cryptographic RNG. By adding current time source, > however crude, and doing a sha1/md5, why should it not be cryptoPRNG? What > properties should I look for? Taking a hash of an entirely predictable (or narrowly bounded) value adds no entropy.
RE: Random Numbers
P Kamath wrote: > I said it is an RNG, not cryptographic RNG. By adding current time > source, > however crude, and doing a sha1/md5, why should it not be cryptoPRNG? > What > properties should I look for? You should look for a cryptographically-secure random number generator. Seriously, you shouldn't be hacking random bits of junk together and then relying on it to be secure. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: openssl ciphers fails when using "!"
On Tue, Mar 30, 2010 at 12:14 PM, Kyle Hamilton wrote: > That's your shell talking. Try: > > openssl ciphers -v 'HIGH:!RSA'# note the single-quotes > > You just have to tell the shell not to interpret the bang, by quoting > it -- either with a backslash or in an uninterpreted-quoted string. fwiw, for each of: sh bash tcsh results, openssl ciphers -v ALL:!RSA RSA: Event not found. openssl ciphers 'ALL:!RSA' RSA: Event not found. openssl ciphers -v "ALL:!RSA" RSA: Event not found. checking escaping, echo "ALL:\!RSA" ALL:!RSA then, openssl ciphers -v ALL:\!RSAWORKS openssl ciphers -v 'ALL:\!RSA'WORKS openssl ciphers -v "ALL:\!RSA"WORKS whereas, in ksh, all of openssl ciphers -v ALL:!RSA openssl ciphers 'ALL:!RSA' openssl ciphers -v "ALL:!RSA" WORK with no escaping required. i've suggested that perhaps a mention in the man page might be worthwhile ? bendj __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org