Re: [openssl-users] Runtime list of FIPS ciphers
On Fri, Mar 20, 2015, jonetsu wrote:

> > From: "Dr. Stephen Henson"
> > Date: 03/20/15 12:48
>
> > OPENSSL_FIPS=1 openssl ciphers -v
>
> > openssl ciphers -v FIPS
>
> Thanks, this works great, on the workstation where I have installed at
> default development location /usr/loca/ssl/, using OpenSSL 1.0.1.k.
>
> However, we have built Debian packages for the target unit, using 1.0.1e.
> While the example fips_hmac runs fine, we have a problem with openssl itself,
> which seems to be that the openssl shared object is somehow not FIPS enabled,
> or, is 1.0.1e lacking in any respect to FIPS mode ? :
>

Some of the apps used to default to SSLv3 if OpenSSL was compiled with
no-ssl2. This is fixed in later versions of OpenSSL. Try manually adding the
-tls1 option to the ciphers command.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Runtime list of FIPS ciphers
> From: "Dr. Stephen Henson"
> Date: 03/20/15 12:48

> OPENSSL_FIPS=1 openssl ciphers -v

> openssl ciphers -v FIPS

Thanks, this works great, on the workstation where I have installed at
default development location /usr/loca/ssl/, using OpenSSL 1.0.1.k.

However, we have built Debian packages for the target unit, using 1.0.1e.
While the example fips_hmac runs fine, we have a problem with openssl itself,
which seems to be that the openssl shared object is somehow not FIPS enabled,
or, is 1.0.1e lacking in any respect to FIPS mode ? :

% ./fips_hmac -v gcrypt_pkglist
FIPS mode enabled ret: 1 51dedc633485ccb55f4624763e9d118d6df15b3c

% OPENSSL_FIPS=1 openssl ciphers -v
3069818064:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1729:

% ldd fips_hmac
    libcrypto.so.1.0.0 => /usr/lib/arm-linux-gnueabihf/libcrypto.so.1.0.0 (0xb6dbc000)

% ldd /usr/bin/openssl
    libssl.so.1.0.0 => /usr/lib/arm-linux-gnueabihf/libssl.so.1.0.0 (0xb6f5e000)
    libcrypto.so.1.0.0 => /usr/lib/arm-linux-gnueabihf/libcrypto.so.1.0.0 (0xb6e03000)

% openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
Re: [openssl-users] Runtime list of FIPS ciphers
On Fri, Mar 20, 2015, jonetsu wrote:

> Hello,
>
> I have the impression that the 'ciphers -v' option to openssl, when OpenSSL
> is compiled in FIPS mode, lists more than FIPS-only. There are RC5 and RC4
> in there, for instance. Is there a specific openssl command that will list
> only the ones that are FIPS-allowed ?
>

If you are in FIPS mode it will only list FIPS ciphersuites in the default
cipher string:

OPENSSL_FIPS=1 openssl ciphers -v

If outside FIPS mode you can use the cipher string "FIPS":

openssl ciphers -v FIPS

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
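Added example (not part of the thread and not OpenSSL project code): a small shell helper that compares a default `openssl ciphers -v` listing against the listing for the "FIPS" cipher string and prints the suites found only in the default one. The function names, file names and the sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list suites that appear in a default `openssl ciphers -v`
# listing but not in the listing for the "FIPS" cipher string.
# Function names and file names are hypothetical.

# Print the suite name (first column) of each `ciphers -v` line, sorted.
suite_names() {
    awk 'NF { print $1 }' "$1" | LC_ALL=C sort -u
}

# non_fips_suites DEFAULT_LISTING FIPS_LISTING
# Prints one suite name per line; empty output means no difference.
non_fips_suites() {
    nf_a=$(mktemp) || return 1
    nf_b=$(mktemp) || { rm -f "$nf_a"; return 1; }
    suite_names "$1" > "$nf_a"
    suite_names "$2" > "$nf_b"
    LC_ALL=C comm -23 "$nf_a" "$nf_b"
    rm -f "$nf_a" "$nf_b"
}

# Constructed sample listings in the `ciphers -v` column layout
# (not captured from a real build).
write_samples() {
    cat > "$1/default.txt" <<'EOF'
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
EOF
    cat > "$1/fips.txt" <<'EOF'
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
EOF
}

# Demo on the constructed samples. For a live check, replace the two files
# with the output of `openssl ciphers -v` and `openssl ciphers -v FIPS`.
demo_dir=$(mktemp -d) || exit 1
write_samples "$demo_dir"
non_fips_suites "$demo_dir/default.txt" "$demo_dir/fips.txt"
rm -rf "$demo_dir"
```

An empty result from a live comparison means the default cipher string on that build already matches the "FIPS" string.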
[openssl-users] Runtime list of FIPS ciphers
Hello,

I have the impression that the 'ciphers -v' option to openssl, when OpenSSL
is compiled in FIPS mode, lists more than FIPS-only. There are RC5 and RC4
in there, for instance. Is there a specific openssl command that will list
only the ones that are FIPS-allowed ?

Regards.