Re: [openssl-users] FIPS 140-2 key wrapping transition
The OpenSSL FIPS Validation #1747 is affected by the key wrapping transition and will therefore be moved to Historical at some point.

As we’ve said, FIPS will be the focus of our next feature release after 1.1.1 (TLS 1.3).

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] FIPS 140-2 key wrapping transition
Hi,

NIST recently gave notice of the Symmetric Key Wrapping Transition; details are found here: https://csrc.nist.gov/projects/cryptographic-module-validation-program/notices. It is not clear to me whether the FIPS 2.0 module is affected by this. I am mostly curious about this part:

All validations on the Active Validation List that implement the previously allowed AES or TDEA key wrapping:
* Entries will be moved to the Historical List.

Can someone verify whether the FIPS 2.0 validation is affected by this?

Thanks,
Zeke Evans
Senior Software Engineer
Micro Focus
Re: [openssl-users] usage of SSL_read() and SSL_write() for file transfer
The TLS protocol puts limits on how much application data can appear in a single record. Without knowing all the details, that seems like a very silly requirement. There is no security reason for it.
Re: [openssl-users] [EXTERNAL] Certificate gets verified OK over SSL-CLI, but not when using SSL-API
> > Hence, if at all, verification requirements must have been lowered in the
> > new OpenSSL version.
>
> No, it is also the case that the new version now more correctly accepts
> some chains as valid that because of bugs, the old version did not.

Understood! My reply was related to message only, as I was afraid he might have mistaken the problem description. Hence, I wanted to clarify this.

I have taken your advice to upgrade to OpenSSL 1.1.0 seriously and did accordingly. We are now using OpenSSL 1.1.0g and everything seems to be doing fine so far. This matter can thus be regarded as solved.

Thanks to everyone who contributed!

Best regards,
Manuel
Re: [openssl-users] Certificate gets verified OK over SSL-CLI, but not when using SSL-API
Dear Viktor,

that's quite a detailed elaboration. I have learned something from what you posted, but as far as this problem is concerned, we were able to get rid of your problems by upgrading to OpenSSL 1.1.0g. I'm sure what you conveyed will be of help when diagnosing future OpenSSL problems, which, I have no doubt, will arise sooner or later.

Thank you for your help!

Manuel