Thanks for the comments.
If you are implementing HMAC, perhaps for PBKDF2 (which does
that prehash-if-too-long), I hope you mean the code does...
Yes it does.
The man page (the one online from OpenSSL project - SHA256.html)
gives a description using SHA1() which computes a message digest.
SSLv3 in the ciphersuite definition means it can be used in
SSLv3 *and later*. A ciphersuite isn't defined once for SSLv3,
and then again for TLS1.0, and again for TLS1.1 etc - it's just
defined once and is reused across multiple protocol versions.
Yes, this is what I basically understood.
That refers to the minimum version of the ciphersuite: it
doesn't imply that it will only be used in SSLv3 (which is
disabled in FIPS mode).
Hmmm... I'm sorry but I do not really understand this. Since openssl is
run in FIPS mode, and since SSLv3 is disabled, then why would the SSLv3
ciphers
Hello,
What would be the equivalent of the SHA256() function in the EVP
class of methods ? EVP_sha256() could be it, although from the
short description in manual page it does not seemingly fit in,
returning a EVP_MD which is, if not mistaken, a env_md_st
structure.
The code I'm adapting to EVP
Hi,
... Along with TLS 1.0 (which is absent from OpenSSL FIPS mode)
https://www.niap-ccevs.org/pp/pp.cfm?id=CPP_ND_V1.0
Specifically:
FCS_TLSS_EXT.1.2 The TSF shall deny connections from clients requesting SSL
1.0, SSL
2.0, SSL 3.0, TLS 1.0
FCS_TLSS_EXT.2.2 The TSF shall deny connections
Hello,
Does GnuTLS implement its own random number generator ? If so, are there any
documents describing it ?
Regards.
Hello,
In FIPS mode SSL 3.0 is not allowed: that has always been the
case.
% openssl version
OpenSSL 1.0.1f 6 Jan 2014
% OPENSSL_FIPS=1 openssl ciphers -v | grep SSL
ECDHE-RSA-AES256-SHA SSLv3
ECDHE-ECDSA-AES256-SHA SSLv3
DHE-RSA-AES256-SHA SSLv3
DHE-DSS-AES256-SHA SSLv3
What is the security risk?
Management ? :)
It can be indeed easy to find out about companies in Hartford, CT but, I
still do not see any threat to any existing product. 'Having problems with
OpenSSL' is not good enough.
In any case, when concerned, do like many people and use a pseudo from
another mailing system. Employees will not gain
From: Lennart Sorensen lsore...@csclub.uwaterloo.ca
Date: 04/14/15 09:01
But certainly libreswan does the actual packet encryption either with
xfrm or with klips, both in the kernel, which is where it belongs.
Len, I see from the source that indeed all crypto is through XFRM. And we
From: Steve Marquess marqu...@openssl.com
Date: 04/14/15 09:31
and note that of the 101 platforms (OEs) appearing there, most of
those operating systems are neither CC certified nor have any other FIPS
140-2 validated crypto. Keep in mind that at Level 1 the validation
applies to the
From: Paul Wouters p...@nohats.ca
Date: 04/14/15 10:18
Just to clarify, XFRM is only used for the IPsec packet
encryption, not the IKE packet encryption.
Yes.
IKE is encrypted using the NSS library (which has been FIPS
certified in itself on some distributions such as RHEL)
NSS has
Salz, Rich wrote
As the old joke goes, if you have to ask, you can't afford it.
Well, exploration can be free. I noticed that Strongswan uses a plug-in
architecture for crypto that seemingly allows the use of OpenSSL instead of
the kernel for crypto operations, for use under FIPS. Does anyone
Thanks for all the comments, they're much appreciated. It is a Debian
system, so there is no Red Hat FIPS validation (or SuSE which also has one I
think) or validated components that can be used.
If I may, I'd like to ask about including the Linux kernel in the
validation. Now, including glibc2
Thanks for the comments - much appreciated.
The following question might be on the naive side of things, but then I'm
all new to this. Since crypt() in glibc2 supports SHA-256 and SHA-512 for
password, and assuming that these two are FIPS compatible, what would be the
(financial) overhead of
Hello,
I am new to NSS. The goal is to use NSS in FIPS mode and to provide the OS
(Linux) some kind of notification when a FIPS error happens. I presume that
FIPS POST tests are run when NSS is put into FIPS mode using modutils. I also
assume that 'continuous, pair-wise tests as well as
Hello,
While it is possible to set the connection mark for a packet, what does the
RESTORE command do in terms of numerical value ? Eg. it will put into the
packet the connection mark, but what is the connection mark in the first place
and how can this unknown value relate to any mark
Hello,
As part of development, still using the fips_hmac test code, this time on a
target unit using 1.0.1e, the following errors are shown at the console:
3069614096:error:2D088086:FIPS
routines:FIPS_selftest_x931:selftest
failed:fips_rand_selftest.c:171:
3069614096:error:2D082086:FIPS
Hello,
What would be the earliest rsyslog release to support secure remote
syslogging using GnuTLS ? I have a 'old' version here, 5.8.11 that has a
rsyslog-gnutls component, although I wonder: 1) If this could be a 'Debian
thing', if the same approach of having this rsyslog-gnutls component
From: jonetsu jone...@teksavvy.com
Date: 03/26/15 11:11
Is FIPS_mode_set(1) taking care of setting up a default DRBG ?
Yes. It does. When using post_cb() from fips_test_suite.c in for instance the
fips_hmac.c demo, with only but a FIPS_mode_set(1) call, it is reported that
the four
Hello,
Is FIPS_mode_set(1) taking care of setting up a default DRBG ? Would a
subsequent call to RAND_pseudo_bytes() for instance be using the default DRBG (
256-bit CTR AES ?) There are quite a few DRBG-related FIPS methods described in
the User Guide, and one that is called
Hello,
When an application does not define OPENSSL_DRBG_DEFAULT_TYPE nor
OPENSSL_DRBG_DEFAULT_FLAGS nor any compilation options (if applicable), is the
default DRBG the 256 bit CTR AES (+ deviation function) in FIPS mode ?
Regards.
Hello,
This is not about OpenSSL, although from experience, maybe some know the
answer. Does anyone know if actual documentation exists for the Linux kernel
FIPS mode apart from the source itself ? There is nothing in Documentation/ as
per 3.18.2. - thanks.
Regards.
From: Steve Marquess marqu...@openssl.com
Date: 03/24/15 12:38
No, the OpenSSL FIPS module 2.0 code is no longer suitable (as of early
2014) for use as-is in doing copycat validations. Some non-trivial code
hacks will be necessary.
We'll do a new open source based validation to
From: Steve Marquess marqu...@openssl.com
Date: 03/24/15 09:22
At the time that validation was obtained the four (at the time) DRBGs
were specified by SP800-90. That document was subsequently reissued in
several pieces; the current SP800-90A now contains the specifications
for the three
Hello,
Following on the 'SP800-90 DRBG in OpenSSL FIPS 140 for SP800-90A?' topic, the
OpenSSL source code does not seem to mention SP 800-90A. Only SP 800-90. So
the certifications were made for SP 800-90, is that right ?
Also, does it depend on the application to choose which DRBG and
From: Dr. Stephen Henson st...@openssl.org
Date: 03/20/15 12:48
OPENSSL_FIPS=1 openssl ciphers -v
openssl ciphers -v FIPS
Thanks, this works great, on the workstation where I have installed at default
development location /usr/local/ssl/, using OpenSSL 1.0.1.k.
However, we
Hello,
I have the impression that the 'ciphers -v' option to openssl, when OpenSSL
is compiled in FIPS mode, lists more than FIPS-only. There are RC5 and RC4 in
there, for instance. Is there a specific openssl command that will list only
the ones that are FIPS-allowed ?
Regards.
From: Rainer Gerhards rgerha...@hq.adiscon.com
Date: 03/19/15 06:33
Thx - could you open an issue tracker at github?
OK, done. FIPS mode #274.
Thanks.
Hello,
There is a problem with compiling the openssl-1.0.1e.tar.gz
sources against the FIPS 2.0 canister.
On my machine the following is declared global:
000dd3c0 T private_AES_set_decrypt_key
000dd0f0 T private_AES_set_encrypt_key
On another machine, they are declared local
From: Dr. Stephen Henson st...@openssl.org
Date: 03/17/15 12:28
What are the two platforms? That is what does:
First of all, I'm very, very sorry to have posted duplicates of the question.
The web-access email client is, was, a bit on the fuzzy side, stalling and
reporting errors.
It
Hello,
An application that needs converting to FIPS is currently using
AES_ctr128_encrypt(). That function calls in turn
CRYPTO_ctr128_encrypt() which then does some internal
computations. They are not documented in the 'full list of
crypto APIs'. What would be the FIPS-compatible EVP
Hello,
The licenses, patents for ECC was noticed. In short, if we do not care about
this in the sense of not willing to be in any patent infringement situation
down the road, the -ecb archive should be used, is that right ? Also, there is
a mention of a NSA-PLA.pdf agreement statement.
From: Dr. Stephen Henson st...@openssl.org
Date: 03/10/15 20:04
I mean you could add a callback to FIPS_mode_set using
FIPS_post_set_callback: see the fips_test_suite.c application
for an example. The supplied callback is called during each
POST, continuous RNG and pairwise consistency
From: Nikos Mavrogiannopoulos n...@gnutls.org
Date: 03/12/15 02:19
That's correct, but I don't think that SP800-52 is a requirement in
FIPS140-2. Do you have such a reference?
Yes, that's right. Everything points to not having TLS1.0 in the (near) future
but at the moment it is allowed
From: Nikos Mavrogiannopoulos n...@gnutls.org
Date: 03/11/15 11:27
GNUTLS_FORCE_FIPS_MODE=1 ./gnutls-cli -l --priority NORMAL
./gnutls-cli -l --priority NORMAL
Thanks. In the resulting list many TLS1.0 are found:
(abridged list)
TLS_ECDHE_ECDSA_AES_128_CBC_SHA256 TLS1.0
Hello,
Is there a way to list at runtime all algorithms and ciphers that GnuTLS can
be using ? The gnutls-cli help does not seem to show such functionality. Is
there ?
Regards.
Hello,
Is there a method that is always in the path of execution when a crypto error
occurs ? The reason for asking is that I would like to very slightly modify
the OpenSSL FIPS version so that it will write a file in tmpfs when an error
occurs. That place will be observed by another app
From: Steve Marquess marqu...@openssl.com
Date: 03/10/15 08:56
Hello,
Thanks for your reply.
You're talking about a Level 2 validation (or higher)? You most
definitely do *not* want to include the OS or applications in the
cryptographic module boundary for Level 1.
It's a level 2.
Is there a method that is always in the path of execution when a crypto error
occurs ?
It looks like fips_set_selftest_fail() would be a likely candidate where to
create an empty file on a tmpfs in order to let the OS know about the error.
Comments and suggestions welcomed. Based on
Hello,
The list of ciphers provided by 'gnutls-cli -l' is the same in FIPS mode or
not. The test:
/usr/local/bin/gnutls-cli -v
gnutls-cli 3.3.13
1)
/usr/local/bin/gnutls-cli --fips140-mode
library is NOT in FIPS140-2 mode
/usr/local/bin/gnutls-cli -l
(nonfips list
From: Dr. Stephen Henson st...@openssl.org
Date: 03/10/15 10:21
Although you cannot modify the FIPS module itself without voiding the
validation you *can* change the FIPS capable OpenSSL.
You might (for example) change FIPS_mode_set() to always add a callback
which logs any errors.
I
Hello,
I'm looking at using libreswan. NSS can be put into FIPS mode by a proper
modutil command. I understand so far that libreswan uses NSS only. Is that
the case ? Once in FIPS mode, will libreswan restrict the calls to approved
algorithms ?
Thanks.
Hello,
I tried a simple test to see if FIPS mode would fail, using the example given
in the FIPS user guide 2.0. The test consisted of replacing the /dev/random
and /dev/urandom with /dev/zero. I would have expected that no source of
randomness would make the tests ran at the call of
Hello,
To grasp how FIPS methods are called, and following one method
as an example, HMAC_Update() in hmac.c, we can see that if FIPS
mode is active then FIPS_hmac_update() will be called. This is
fine although searching the sources for the physical definition of
FIPS_hmac_update() does not
On Feb 19, 2015 10:50am Henrik Grindal Bakken wrote:
I'm not sure it will be called on every conceivable error in
the FIPS module, but what I do in similar situations is
something like this:
static int post_cb(int op, int id, int subid, void *ex)
{
if (op == FIPS_POST_FAIL)
From: Dr. Stephen Henson st...@openssl.org
To: openssl-users@openssl.org
Date: 02/19/15 11:34
Subject: Re: [openssl-users] FIPS, continuous tests, and error reporting
The low level cipher and digest APIs cannot be used in FIPS mode: you have to
use EVP.
That's quite an important
-Original Message-
From: Salz, Rich rs...@akamai.com
To: openssl-users@openssl.org
Date: 02/19/15 07:43
Subject: Re: [openssl-users] FIPS, continuous tests, and error reporting
For that matter and in a general sense, so far I've seen that many
encryption
methods do not
-Original Message-
From: Marcus Meissner meiss...@suse.de
To: openssl-users@openssl.org
Date: 02/19/15 08:07
Subject: Re: [openssl-users] OpenSSL FIPS mode system integration
Well, the writing is that the crypto module must stop operating
on error.
We solved this by
Steve Marquess marqu...@openssl.com wrote on 01/27/15 09:18:
Thank you (and Tom) for your comments - much appreciated.
Tom Francis nailed the answer to this one. We did design the FIPS module
+ FIPS capable OpenSSL combination to make it possible to have a
system wide FIPS mode capability, but
On Sunday, 09 Sep 2012 18:32:57 +0200,
François Patte francois.pa...@mi.parisdescartes.fr wrote :
If you want to have any chances to make the difference between what
comes from the distribution and what you have added, you should create
your local font directories in /usr/local/share/fonts
Hello,
There are many nice fonts for rendering kanji characters.
Unfortunately the ones that I got so far do not work with the standard
ibus anthy romaji input. Many render the resulting kanji as a square,
no matter what. They are mapped directly to the keyboard keys and so
are useless.
Hello,
I'd like to know how to add fonts so that LibreOffice and Gimp can
use them. For instance, I have downloaded a HGRSKP.TTF file which is a
Japanese font. What is the procedure to make available that font in
the system ? Also, some fonts are .exe files. Are these also
installable in
On Monday, 30 April 2012 22:37:36 +0900,
nomnex nom...@gmail.com wrote :
Glad you got it working.
Ctrl+Space switch i-bus on/off
Alt+Shift switch the input language (I use French/Japanese on a en_US
OS)
I've tried the Anthy German keyboard that I use to write French
although it's not at all
Hello all,
I've seen a few softwares around to have some kind of keyboard able
to either input romaji based (hiragana based ?) characters or to draw
kanji, but these software seems to be age-old and not maintained
anymore, like anthy. What is the preferred way to be able to use
Japanese
On Sun, 29 Apr 2012 20:06:50 -0400,
jonetsu jone...@teksavvy.com wrote :
I've seen a few softwares around to have some kind of keyboard able
to either input romaji based (hiragana based ?) characters or to draw
kanji, but these software seems to be age-old and not maintained
anymore, like
On Mon, 30 Apr 2012 09:14:30 +0900,
nomnex nom...@gmail.com wrote :
On Sun, 29 Apr 2012 20:06:50 -0400
jonetsu jone...@teksavvy.com wrote:
I've seen a few softwares around to have some kind of keyboard
able to either input romaji based (hiragana based ?) characters or
to draw
On Sun, 29 Apr 2012 20:21:40 -0400,
jonetsu jone...@teksavvy.com wrote :
The following is installed:
mozc-1.4.1033.102-1.fc15.x86_64
scim-mozc-1.4.1033.102-1.fc15.x86_64
I'm using KDE. How is Japanese text entered using mozc ?
Also the following is installed:
ibus-mozc-1.4.1033.102-1
On Mon, 30 Apr 2012 08:20:57 +0800,
Ed Greshko ed.gres...@greshko.com wrote :
On 04/30/2012 08:17 AM, jonetsu wrote:
I do have the following packages installed, but do not know how to
use them in KDE (nor Gnome for that matter) :
anthy-9100h-16.fc15.x86_64
ibus-anthy-1.2.7-1.fc15
On Sun, 29 Apr 2012 20:45:30 -0400,
jonetsu jone...@teksavvy.com wrote :
On Mon, 30 Apr 2012 08:35:02 +0800,
Ed Greshko ed.gres...@greshko.com wrote :
Right Click on the icon and pick Preferences. Then go to the
Input Method Tab and select and Input Method and Add it to the
list
On Mon, 30 Apr 2012 08:55:32 +0800,
Ed Greshko ed.gres...@greshko.com wrote :
On 04/30/2012 08:45 AM, jonetsu wrote:
OK, got it. Japanese (kana) is chosen. Keyboard is jp(kana). But
still, looks like and types like the same keyboard as usual.
カテタチトスカンイシ
Unless you have a real
Hello,
Is it possible at all to start several konsole terminals, each in a
specific location, by means of a script ? I used to do that with
another type of terminal app years ago. I quickly did a search about
konsole and it seems that it does not support standard X parameters
like
On Wed, 29 Feb 2012 10:33:28 -0800,
Tom Eastep teas...@shorewall.net wrote :
So to stop an existing ping at with shorewall start/restart, you need
to flush the conntrack table ('shorewall restart -p'). That requires
that you install the conntrack utility program (usually, the package
is
On Sun, 26 Feb 2012 14:33:16 -0800,
Tom Eastep teas...@shorewall.net wrote :
On Feb 26, 2012, at 2:09 PM, jonetsu wrote:
For a same configuration in which the default policy is drop and
only one connection is accepted in rules, continuous pinging to
devices will stop squarely in 4.0.15
On Sat, 25 Feb 2012 14:59:54 -0800,
Tom Eastep teas...@shorewall.net wrote :
Here's a patch. The same patch should be applied to the installers of
both Shorewall and Shorewall6.
Thanks. Now the install proceeds a bit further (Fedora 15) :
./install.sh
Perl/compiler.pl syntax OK
Installing
On Sun, 26 Feb 2012 07:41:10 -0800,
Tom Eastep teas...@shorewall.net wrote :
On 02/26/2012 04:38 AM, jonetsu wrote:
Shorewall 4.5.1-Beta2 requires Shorewall Core which does not appear
to be installed
You need to install Shorewall-core first. See
http://www.shorewall.net/Install.htm.
Duh
For a same configuration in which the default policy is drop and only
one connection is accepted in rules, continuous pinging to devices
will stop squarely in 4.0.15 as soon as a very basic firewall is
enabled whereas in 4.4.26.1, pinging will still continue after the
firewall is enabled.
All
Hi,
I have a Fedora 15 system w/o any Shorewall installed. Running the
install.sh (as root) yields the following:
./install.sh
Perl/compiler.pl syntax OK
Installing Redhat/Fedora-specific configuration...
ERROR: Shorewall = 4.3.5 is not installed
I can yum-install the current Fedora
On Sat, 25 Feb 2012 17:18:27 -0500,
jonetsu jone...@teksavvy.com wrote :
I have a Fedora 15 system w/o any Shorewall installed. Running the
install.sh (as root) yields the following:
./install.sh
Perl/compiler.pl syntax OK
Installing Redhat/Fedora-specific configuration
On Saturday, 25 February 2012 09:24:33 + (GMT),
Philip Hazel p...@hermes.cam.ac.uk wrote :
with a return code of 0. There is clearly some mystery here as to why
your version of the code is not right. If you email your pcredemo.c
to me (NOT to the list!) I will diff it to try shed some
On Friday, 24 February 2012 17:24:40 + (GMT),
Philip Hazel p...@hermes.cam.ac.uk wrote :
Which version of PCRE are you using?
1248556 pcre-8.30.tar.bz2
15520 Nov 24 2010 pcredemo.c
From:
ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
(as per the web page)
I've also
On Tuesday, 23 February 2012 17:15:27 + (GMT),
Philip Hazel p...@hermes.cam.ac.uk wrote :
pcredemo -g
pcredemo segfaults when using the -g param, as in the following (cmd
on a single line) :
./pcredemo -g rate (?'rate'\d+)Kbit|ceil (?'ceil'\d+)Kbit
quantum 12500 rate 30Kbit ceil
On Mon, 20 Feb 2012 13:42:56 -0800,
Tom Eastep teas...@shorewall.net wrote :
The Beta containing DSCP support will be released sometime this week;
probably Saturday. The final release will be around the middle of
March.
The way I'm going now is that I have a table of DSCP to TC marks. This
On Mon, 20 Feb 2012 09:10:30 -0800,
Tom Eastep teas...@shorewall.net wrote :
If you can wait until 4.5.1 is released, you can set the DSCP field
with entries in /etc/shorewall/tcrules.
Thanks for the suggestions ! It's appreciated.
When would be the release of 4.5.1 ?
Hello,
I have one F15-64 bit machine on which the volume has to be very
close to the minimum as it seems to attain full volume very, very
early. Not much play in there. When pushed to the max there is some
'hardware noise' as it is very over-driven. I do not recall having this
problem before a
Hello,
I would like to DSCP-mark some traffic and have this marking set when
shorewall starts. The 'started' file seems to be the place to put
those extra iptables commands. Has anyone used the started file for
this purpose ? Any drawbacks ?
Thanks for any suggestions/comments.
Hello all,
This afternoon I updated the F15 x86_64 workstation I use. There
were quite a few updates in the pipe, so why not. There was properly
working nvidia setup which gave high Xorg resolution.
Before proceeding there was a warning from yum about the nvidia to
the effect that:
On Sun, 12 Feb 2012 17:38:56 -0700,
Pete Travis li...@petetravis.com wrote :
yum install akmod-nvidia
The akmod will build the module locally when there is disparity
between the kmod and kernel versions. You can install them both and
not think about it again.
Super! This works very