Re: [openssl-users] Error compiling openssh with openssl

2018-06-11 Thread Jakob Bohm

On 11/06/2018 18:14, Michael Wojcik wrote:

> > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> > Salz, Rich via openssl-users
> > Sent: Monday, June 11, 2018 08:52
>
> > >  So is there any other way we can still make it work without disabling FIPS
> > > mode ?
>
> > No.  The version of openssh you are using makes API calls that are not allowed
> > in FIPS mode. I suspect
> > later versions of OpenSSH also do this, and therefore “FIPS mode openssh” will
> > require some coding work.
>
> The OP should also note that this implies the issue is in OpenSSH, not
> OpenSSL. OpenSSL is working properly. FIPS 140-2 has various requirements, and
> OpenSSH is violating one of them.
>
> And, further, note that even if there were a way to suppress this check without disabling
> FIPS mode, that would be pointless. A product that uses non-FIPS cryptography cannot
> claim FIPS validation or "FIPS Inside" (which is the claim that only
> FIPS-validated cryptography is used). Consequently, such a product doesn't meet the FIPS
> requirement, for customers who have such a requirement; and there's little or no other
> benefit to FIPS.

Note that what seems to be violated here is not the FIPS requirements as
such, but the OpenSSL-specific rule that the older crypto functions are
not directed to the FIPS blob, just outright rejected.  In this case, the
easier-to-use SHA256 OpenSSL 1.0.x API isn't forwarded to the
FIPS-validated SHA256 implementation.

I don't know if FIPS-enabled OpenSSL 0.9.8 forwarded those calls to the
old FIPS validated implementation or just left the non-FIPS implementation
available by accident.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] OpenSSL patch for CHACHA cipher support in OpenSSL 1.0.2

2018-06-11 Thread Srivalli Kuppa (srikuppa) via openssl-users
Interesting. Yes, I did take a look at Cloudflare patch but wasn't sure if I 
could use that.
Alright. This helps. 

My only option is to upgrade to OpenSSL 1.1.0 in order to support 
CHACHA+Poly1305 cipher support.

Thanks Rich.
-Srivalli


On 6/11/18, 1:40 PM, "Salz, Rich" wrote:

> > Just curious, is there a possibility to patch CHACHA cipher specific
> > changes to OpenSSL 1.0.2 version still and get SSL handshake succeed?
>
> It can be done; CloudFlare posted some patches at
> https://github.com/cloudflare/sslconfig/tree/master/patches but I think they
> used the pre-IETF version and so might need some tweaks.  The OpenSSL project
> won't do it (we don't add features to existing releases).


Re: [openssl-users] Error compiling openssh with openssl

2018-06-11 Thread Short, Todd via openssl-users
You will need to patch OpenSSH to not call the SHA256_XXX() APIs directly. To 
work with FIPS enabled, the EVP API must be used for all crypto operations.

--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."

On Jun 11, 2018, at 10:44 AM, Sandeep Deshpande wrote:

> Thanks for the reply. Our appliance is enabled in FIPS mode by default.
> All these days, we were using openssh 6.2 with openssl 0.9.8.
> Now we need to upgrade openssl to 1.0.2j.
> But we would not like to upgrade openssh at this time.
>
> So is there any other way we can still make it work without disabling FIPS
> mode ?
>
> Thanks,
> Sandeep
>
> On Sat, Jun 9, 2018 at 10:38 AM, Viktor Dukhovni wrote:
>
> > > On Jun 9, 2018, at 1:35 PM, Sandeep Deshpande wrote:
> > >
> > > We have compiled and built older version (6.2p2) of openssh with 1.0.2j
> > > version of openssl.
> > > When the system is in crypto mode, we are getting the following error when a
> > > user logs in :
> > > "
> > > OpenSSL internal error, assertion failed: Low level API call to digest SHA256
> > > forbidden in FIPS mode "
> > >
> > > How do we overcome this without having to upgrade openssh ?
> >
> > Don't enable FIPS mode.
> >
> > --
> > Viktor.
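An added example, not from the thread and not OpenSSH or OpenSSL code, of the first step in the patch Todd describes: finding every call site that uses the low-level digest API. It is a POSIX shell script built on the behaviour the thread reports (a FIPS-capable OpenSSL 1.0.2 aborts inside the low-level SHA256_Init() call) and it assumes the same check applies to the other digest families it lists. The two sample files it scans are constructed in a temporary directory and only stand in for an OpenSSH tree; the grep pattern, file names and function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread, OpenSSH or OpenSSL.
# Finds the call sites that must move to the EVP API before OpenSSH will run
# under OpenSSL 1.0.2 in FIPS mode. The FIPS-capable 1.0.2 build raises
# "Low level API call to digest SHA256 forbidden in FIPS mode" from SHA256_Init()
# (assumed here to hold for the other digests too), so the *_Init/_Update/_Final
# triples are what to search for. Usage: sh fips_digest_audit.sh /path/to/openssh-6.2p2

# Digest families with a low-level API in <openssl/md5.h>, <openssl/sha.h>, ...
DIGEST_FAMILIES='MD4|MD5|RIPEMD160|SHA1|SHA224|SHA256|SHA384|SHA512'

# Print "file:line:text" for every low-level digest call in *.c/*.h under $1.
# Lines that begin as a comment (// or *) are dropped; review the rest by hand,
# since a prototype or a string literal can match too.
find_lowlevel_digest_calls() {
    # /dev/null as the first grep operand forces file:line: prefixes even when
    # find hands grep a single file.
    find "$1" -type f \( -name '*.c' -o -name '*.h' \) -exec grep -nE \
        "(^|[^A-Za-z0-9_])(${DIGEST_FAMILIES})_(Init|Update|Final)[[:space:]]*\(" \
        /dev/null {} + 2>/dev/null \
      | grep -vE '^[^:]*:[0-9]+:[[:space:]]*(//|\*)' || true
}

# Print the number of hits; 0 means nothing is left to patch.
count_lowlevel_digest_calls() {
    find_lowlevel_digest_calls "$1" | grep -c . || true
}

# Constructed sample tree standing in for an OpenSSH checkout (not OpenSSH code).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/digest_old.c" <<'EOF'
/* Constructed: the pre-EVP shape that trips the FIPS assertion. */
#include <openssl/sha.h>
static void hash_key(const unsigned char *in, size_t len, unsigned char out[32])
{
    SHA256_CTX ctx;
    SHA256_Init(&ctx);            /* OpenSSLDie() here when FIPS_mode() is on */
    SHA256_Update(&ctx, in, len);
    SHA256_Final(out, &ctx);
}
EOF
cat > "$SAMPLE_DIR/digest_evp.c" <<'EOF'
/* Constructed: the EVP shape that FIPS mode accepts.
 * The old SHA256_Init() path is gone; this line is a comment and is ignored. */
#include <openssl/evp.h>
static int hash_key(const unsigned char *in, size_t len, unsigned char out[32])
{
    unsigned int n = 0;
    EVP_MD_CTX *ctx = EVP_MD_CTX_create();
    int ok = ctx != NULL
          && EVP_DigestInit_ex(ctx, EVP_sha256(), NULL)
          && EVP_DigestUpdate(ctx, in, len)
          && EVP_DigestFinal_ex(ctx, out, &n);
    EVP_MD_CTX_destroy(ctx);
    return ok;
}
EOF

printf 'Low-level digest calls under %s:\n' "$SAMPLE_DIR"
find_lowlevel_digest_calls "$SAMPLE_DIR"
printf 'total: %s (each one needs the EVP_Digest* form)\n' \
    "$(count_lowlevel_digest_calls "$SAMPLE_DIR")"
```

The second sample file shows the shape each hit has to take once rewritten. Hits on MD4, MD5 or RIPEMD160 need more than a mechanical rewrite: those algorithms are not approved in FIPS mode at all, so EVP_DigestInit_ex() refuses them as well, and the surrounding feature (for example an MD5 fingerprint) has to change.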


Re: [openssl-users] OpenSSL patch for CHACHA cipher support in OpenSSL 1.0.2

2018-06-11 Thread Salz, Rich via openssl-users
>Just curious, is there a possibility to patch CHACHA cipher specific 
> changes to OpenSSL 1.0.2 version still and get SSL handshake succeed?
  
It can be done; CloudFlare posted some patches at 
https://github.com/cloudflare/sslconfig/tree/master/patches but I think they 
used the pre-IETF version and so might need some tweaks.  The OpenSSL project 
won't do it (we don't add features to existing releases).



Re: [openssl-users] OpenSSL patch for CHACHA cipher support in OpenSSL 1.0.2

2018-06-11 Thread Srivalli Kuppa (srikuppa) via openssl-users
Thanks Matt. Appreciate your answers.

Just curious, is there a possibility to patch CHACHA cipher specific changes to 
OpenSSL 1.0.2 version still and get SSL handshake succeed?

I am not looking for an upgrade to OpenSSL 1.1.0 at this point. So, I am 
interested to know if I can get CHACHA to working with OpenSSL 1.0.2.

Thanks for your time.

-Srivalli

On 6/11/18, 11:59 AM, "openssl-users on behalf of Matt Caswell" wrote:

> On 11/06/18 16:44, Srivalli Kuppa (srikuppa) via openssl-users wrote:
> >  1. Do we have a stable OpenSSL patch that can be applied to OpenSSL
> > 1.0.2 version to support CHACHA cipher both as a server/client?
>
> No. Chacha/Poly1305 support is only available from version 1.1.0 upwards.
>
> >  2. Can CHACHA+Poly1305 ciphers be used with TLSv1.2 today with
> > different browsers (Chrome/Firefox etc.,)?
>
> Yes.
>
> Matt


Re: [openssl-users] Error compiling openssh with openssl

2018-06-11 Thread Salz, Rich via openssl-users
>This is one of several reasons why FIPS 140-2 is a problem. Unfortunately 
> the FIPS 140-3 effort seems to be moribund, and I haven't heard anything 
> about "ISO FIPS" in some time.
 
If I understood what was said at the ICMC conference last month, the FIPS 140-3 
plan is to just point to the ISO FIPS-equivalent spec.




Re: [openssl-users] Error compiling openssh with openssl

2018-06-11 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
> Salz, Rich via openssl-users
> Sent: Monday, June 11, 2018 08:52

> >  So is there any other way we can still make it work without disabling 
> > FIPS mode ?

> No.  The version of openssh you are using makes API calls that are not 
> allowed in FIPS mode. I suspect
> later versions of OpenSSH also do this, and therefore “FIPS mode openssh” 
> will require some coding work.

The OP should also note that this implies the issue is in OpenSSH, not 
OpenSSL. OpenSSL is working properly. FIPS 140-2 has various requirements, and 
OpenSSH is violating one of them.

And, further, note that even if there were a way to suppress this check without 
disabling FIPS mode, that would be pointless. A product that uses non-FIPS 
cryptography cannot claim FIPS validation or "FIPS Inside" (which is the claim 
that only FIPS-validated cryptography is used). Consequently, such a product 
doesn't meet the FIPS requirement, for customers who have such a requirement; 
and there's little or no other benefit to FIPS.

So, since you can't claim FIPS Inside while using OpenSSH, it seems your 
choices are: 1) disable FIPS mode and do not claim FIPS Inside; 2) find a 
commercial SSH implementation that is FIPS-validated, if there is such a thing; 
or 3) as Rich suggested, modify OpenSSH to only use FIPS-allowed APIs, which I 
suspect would not be trivial (but I haven't looked into it).

This is one of several reasons why FIPS 140-2 is a problem. Unfortunately the 
FIPS 140-3 effort seems to be moribund, and I haven't heard anything about "ISO 
FIPS" in some time.

--
Michael Wojcik
Distinguished Engineer, Micro Focus




Re: [openssl-users] OpenSSL patch for CHACHA cipher support in OpenSSL 1.0.2

2018-06-11 Thread Matt Caswell



On 11/06/18 16:44, Srivalli Kuppa (srikuppa) via openssl-users wrote:
>  1. Do we have a stable OpenSSL patch that can be applied to OpenSSL
> 1.0.2 version to support CHACHA cipher both as a server/client?

No. Chacha/Poly1305 support is only available from version 1.1.0 upwards.

>  2. Can CHACHA+Poly1305 ciphers be used with TLSv1.2 today with
> different browsers (Chrome/Firefox etc.,)?

Yes.

Matt

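An added check, not from the thread and not OpenSSL project code, that follows from Matt's and Rich's answers: whether a build can negotiate ChaCha20-Poly1305 is decided by the cipher suites the library exposes, so the script asks `openssl ciphers -v` instead of trusting the version string, which a 1.0.2 carrying the CloudFlare patch would not change. The two listings embedded in it are constructed in the `ciphers -v` output format to represent a stock 1.0.2 and a 1.1.0 build; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenSSL project.
# Tells whether an OpenSSL build can negotiate ChaCha20-Poly1305 by looking at
# the suites the library exposes rather than at its version string: stock 1.0.2
# lists none, 1.1.0 and later list them, and a 1.0.2 carrying a third-party
# patch such as CloudFlare's may list them too.

# Read "openssl ciphers -v" output on stdin, print each ChaCha20-Poly1305 suite
# with its protocol column, and exit 0 if there was at least one.
chacha_suites_in_listing() {
    awk '$1 ~ /CHACHA20/ { print $1 " (" $2 ")"; n++ } END { exit (n ? 0 : 1) }'
}

# Read the same listing and print a server cipher string of the TLSv1.2 AEAD
# suites it contains, ChaCha20-Poly1305 first (best for clients without AES
# hardware), then AES-GCM; suites the library lacks never reach the config.
aead_cipher_string() {
    awk 'function join(list, item) { return (list == "" ? item : list ":" item) }
         $2 == "TLSv1.2" && $NF == "Mac=AEAD" && $1 ~ /CHACHA20/ { chacha = join(chacha, $1); next }
         $2 == "TLSv1.2" && $NF == "Mac=AEAD"                    { aes = join(aes, $1) }
         END { if (aes == "") print chacha; else print join(chacha, aes) }'
}

# Live check of the openssl binary in PATH; exit 0 when ChaCha suites exist.
check_installed_openssl() {
    openssl version || return 2
    openssl ciphers -v 'ALL' | chacha_suites_in_listing
}

# Constructed listings in "openssl ciphers -v" format (not captured output):
# what an unpatched 1.0.2 shows, and what 1.1.0 shows.
LISTING_102='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256       TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)    Mac=SHA256'
LISTING_110='ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256       TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)    Mac=SHA256'

# Helpers taking the listing as $1, so the checks run without an openssl binary.
chacha_count_for() { printf '%s\n' "$1" | chacha_suites_in_listing | grep -c . || true; }
aead_string_for()  { printf '%s\n' "$1" | aead_cipher_string; }

echo "stock 1.0.2:"
printf '%s\n' "$LISTING_102" | chacha_suites_in_listing \
    || echo "  no ChaCha20-Poly1305: upgrade to 1.1.0 or apply a patch"
echo "  cipher string: $(aead_string_for "$LISTING_102")"
echo "1.1.0:"
printf '%s\n' "$LISTING_110" | chacha_suites_in_listing || echo "  none"
echo "  cipher string: $(aead_string_for "$LISTING_110")"
if command -v openssl >/dev/null 2>&1; then
    echo "installed build:"
    check_installed_openssl || echo "  no ChaCha20-Poly1305 suites in this build"
fi
```

To confirm the handshake end to end, as Srivalli asked, point the same build at the server with `openssl s_client -cipher ECDHE-RSA-CHACHA20-POLY1305 -connect host:443`; a client that offers only that suite gets a handshake failure alert from any server that lacks it, which separates "the library has the suite" from "the peer will use it".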


[openssl-users] OpenSSL patch for CHACHA cipher support in OpenSSL 1.0.2

2018-06-11 Thread Srivalli Kuppa (srikuppa) via openssl-users
Hi OpenSSL team,

I am Srivalli Kuppa. I have a couple of questions regarding support of CHACHA 
and Poly1305 cipher suites with OpenSSL.


  1.  Do we have a stable OpenSSL patch that can be applied to OpenSSL 1.0.2 
version to support CHACHA cipher both as a server/client?
  2.  Can CHACHA+Poly1305 ciphers be used with TLSv1.2 today with different 
browsers (Chrome/Firefox etc.,)?

Thanks.
Srivalli



Re: [openssl-users] Error compiling openssh with openssl

2018-06-11 Thread Salz, Rich via openssl-users


> So is there any other way we can still make it work without disabling
> FIPS mode ?

No.  The version of openssh you are using makes API calls that are not allowed 
in FIPS mode. I suspect later versions of OpenSSH also do this, and therefore 
“FIPS mode openssh” will require some coding work.


Re: [openssl-users] Error compiling openssh with openssl

2018-06-11 Thread Sandeep Deshpande
Thanks for the reply. Our appliance is enabled in FIPS mode by default.
All these days, we were using openssh 6.2 with openssl 0.9.8.
Now we need to upgrade openssl to 1.0.2j.
But we would not like to upgrade openssh at this time.

So is there any other way we can still make it work without disabling
FIPS mode ?

Thanks,
Sandeep

On Sat, Jun 9, 2018 at 10:38 AM, Viktor Dukhovni wrote:

> > On Jun 9, 2018, at 1:35 PM, Sandeep Deshpande wrote:
> >
> > We have compiled and built older version (6.2p2) of openssh with 1.0.2j
> > version of openssl.
> > When the system is in crypto mode, we are getting the following error
> > when a user logs in :
> > "
> > OpenSSL internal error, assertion failed: Low level API call to digest
> > SHA256 forbidden in FIPS mode "
> >
> > How do we overcome this without having to upgrade openssh ?
>
> Don't enable FIPS mode.
>
> --
> Viktor.


Re: [openssl-users] Selection of DHE ciphers based on modulus size of DH

2018-06-11 Thread Sanjaya Joshi
Hi,
Thank you for the clarifications.

Regards,
Sanjaya

On Fri, Jun 8, 2018 at 4:30 PM, Jakob Bohm wrote:

> (Top posting for consistency).
>
> Once the client receives the TLS1.2 servers choice of DH group,
> it can either accept it or abort the connection.
>
> However if both client and server support the "supported_groups"
> extension (RFC4492) with the additional DH group identifiers in
> RFC7919, they can negotiate a common accepted group of desired
> strength, though the mechanism (like TLS1.3) is artificially
> limited to a fixed set of groups listed in the RFC.
>
>
> On 08/06/2018 12:15, Sanjaya Joshi wrote:
>
>> Hello,
>> Thank you Matt and Jordan. So, it seems that it's possible to modify my
>> client to accept/reject the DH group key length. But i have one more issue
>> to be clarified.
>>
>> Is it possible that if a client does not accept the DH group key length
>> used by the server, then, a different possible cipher (for e.g., RSA) is
>> tried to be negotiated. It seems that the connection is rejected, instead
>> of falling back to a different possible cipher. At least, i tested this
>> quickly using s_client and s_server, and the behavior is as stated above,
>> i.e., no fallback and connection was terminated. Is this the default
>> OpenSSL behavior or this behaviour could be modified somehow by
>> applications ?
>>
>> Regards,
>> Sanjaya
>>
>> On Thu, Jun 7, 2018 at 8:43 PM, Matt Caswell wrote:
>>
>> On 07/06/18 16:02, Jordan Brown wrote:
>> > I do not understand, however, how the 80 relates to a 1024-bit
>> > limit.
>>
>> It's a measure of the "security bits" of an algorithm according to
>> table 2 in this doc:
>> https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-57pt1r4.pdf
>>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
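An added example, not from the thread, that carries the exchange above through in practice. As Jakob notes, a TLS 1.2 client can only accept or abort once it sees the server's DH group, so the useful check is to measure what a server sends and apply a floor. The script reads the "Server Temp Key:" line that `openssl s_client` prints in 1.0.2 and later, converts the modulus size to the security-strength figure from Table 2 of SP 800-57 Part 1 that Matt cited (1024 bits is the 80-bit row, 2048 the 112-bit row), and accepts or rejects against a minimum. The transcripts it judges are constructed, not captured; the function names and the default 112-bit floor are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the thread. Rates the ephemeral DH group a
# TLS 1.2 server sent, using the modulus size that "openssl s_client" (1.0.2
# and later) prints on its "Server Temp Key:" line, and maps it to the
# security-strength figure of SP 800-57 Part 1 Table 2.

# Security strength in bits for a finite-field DH modulus of $1 bits, per
# SP 800-57 Part 1 Table 2; sizes between two rows count as the smaller row.
ffdh_security_bits() {
    if   [ "$1" -ge 15360 ]; then echo 256
    elif [ "$1" -ge 7680 ];  then echo 192
    elif [ "$1" -ge 3072 ];  then echo 128
    elif [ "$1" -ge 2048 ];  then echo 112
    elif [ "$1" -ge 1024 ];  then echo 80
    else                          echo 0
    fi
}

# Read an s_client transcript on stdin; print the DH modulus size in bits, or
# nothing when the server picked a non-DHE key exchange (ECDHE, RSA).
dh_bits_from_s_client() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits$/\1/p'
}

# Judge a transcript on stdin against a minimum strength ($1, default 112,
# i.e. a 2048-bit group). Exit 0 to accept, 1 to reject, 2 if no DHE was used.
judge_dh_transcript() {
    min=${1:-112}
    bits=$(dh_bits_from_s_client)
    if [ -z "$bits" ]; then
        echo "no ephemeral DH in this handshake"
        return 2
    fi
    strength=$(ffdh_security_bits "$bits")
    if [ "$strength" -ge "$min" ]; then
        echo "DH $bits bits = $strength-bit security: accept (floor $min)"
    else
        echo "DH $bits bits = $strength-bit security: reject (floor $min)"
        return 1
    fi
}

# Constructed transcripts (not captured output) in the shape s_client prints.
T_1024='Server Temp Key: DH, 1024 bits
---
SSL handshake has read 1523 bytes and written 408 bytes'
T_2048='Server Temp Key: DH, 2048 bits
---
SSL handshake has read 1651 bytes and written 408 bytes'
T_ECDH='Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1498 bytes and written 408 bytes'

# $1 = floor in bits, $2 = transcript text.
judge_string() { printf '%s\n' "$2" | judge_dh_transcript "$1"; }

judge_string 112 "$T_1024"
judge_string 112 "$T_2048"
judge_string 112 "$T_ECDH"

# Against a live server, force a DHE suite so the server must reveal its group:
#   openssl s_client -cipher 'DHE' -connect example.org:443 </dev/null 2>/dev/null \
#     | judge_dh_transcript 112
```

The floor is a policy choice the client applies after the fact; it does not make the server pick a bigger group. Getting a bigger group negotiated needs the RFC 7919 "supported_groups" route Jakob describes, and both ends have to support it.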