Re: [Shorewall-users] Shorewall not start at boot

2022-05-19 Thread jonetsu
On Thu, 19 May 2022 10:34:09 +0200 wrote: > And this is what it looks like when shorewall doesn't work and as I see > shorewall died, I started it yesterday on terminal Take a look at Poldi's solution (#3) in: https://bugs.launchpad.net/ubuntu/+source/shorewall/+bug/1511869 The other comments in the

Re: [Shorewall-users] Shorewall not start at boot

2022-05-19 Thread jonetsu
This is what it looks like on a healthy system when managed using systemd : % cat /usr/lib/systemd/system/shorewall.service # # The Shoreline Firewall (Shorewall) Packet Filtering Firewall # # Copyright 2011 Jonathan Underwood # [Unit] Description=Shorewall IPv4 firewall

Re: [Shorewall-users] Shorewall not start at boot

2022-05-18 Thread jonetsu
On Wed, 18 May 2022 19:04:54 +0200 wrote: > So you are saying it is not possible to run shorewall at boot. It > is only possible to start it with cmd/terminal What I am saying is always go back to a reliable way. You are saying the same when you say that it works fine on previous CentOS

Re: [Shorewall-users] Shorewall not start at boot

2022-05-18 Thread jonetsu
On Wed, 18 May 2022 18:12:08 +0200 wrote: > I am sure I am not the only one with this problem, but I am also > sure other guys switched to some other firewall. From years of using shorewall on various devices, it always starts from the command line. In any problem like this I immediately

[rsyslog] rsyslog without any journald in sight

2022-04-20 Thread jonetsu via rsyslog
Hello. I searched for a few hours and did not find any solid technical reason (not belief based) for having systemd's journald in the logging path. So I decided to remove it and use only rsyslog. I appreciate the effort made by the rsyslog team to support journald, but simply did not find any reason

Re: Guest restarting after issuing a shutdown

2022-04-04 Thread jonetsu
On Fri, 1 Apr 2022 13:42:00 -0400 Andrea Bolognani wrote: > Try passing --no-reboot to virt-install. Thanks, this works very well. ... And it reminded me to look at the manual ! :) Cheers.

Guest restarting after issuing a shutdown

2022-04-01 Thread jonetsu
Hello everyone, I create kvm machines using a bash script. As expected from the script, the resulting virtual machines are performing as they should be. The aspect that I do not get is at the end of the creation, when issuing a 'shutdown now' in the guest and expecting that it will shut down.

Re: [libvirt-users] Understanding the use of virt-install from the CLI (Linux)

2019-11-07 Thread jonetsu
On Thu, 7 Nov 2019 16:44:45 +0200 (EET) Timo Lindfors wrote: > At least the following works on Debian 10: Thanks. That's quite a few options to read about. One question: what is the pressed.cfg about ? Is it to seed the rng early in the install process ?

Re: [libvirt-users] Understanding the use of virt-install from the CLI (Linux)

2019-11-07 Thread jonetsu
On Thu, 7 Nov 2019 17:52:32 +0100 Pavel Hrdina wrote: > The issue is that you are using the virt-install --disk option > incorrectly. If you look into man page of virt-install you can see > some examples. The options for each parameter need to be separated > by comma. The command line that

[libvirt-users] Understanding the use of virt-install from the CLI (Linux)

2019-11-07 Thread jonetsu
Hello, I've created several VMs using virt-manager and am using them. This time around though, I'd like to use the CLI approach. The problem resides in defining a storage space. This is using virt-install 1.5.1 on Xubuntu 18.04. For the occasion I created a new directory to store images. So

Re: [zeromq-dev] anyone done work with zmq4 and go

2019-11-04 Thread jonetsu
On Sun, 3 Nov 2019 20:51:43 -0800 Jerry Scharf wrote: > I am starting on a go/zmq/protobuf project with multiple pieces. I > was wondering if anyone has done significant work with go and zmq > that I can talk to off list. Want to wrap my head around how to > structure to comms part of the

Re: [zeromq-dev] New ZeroMQ website and help needed

2019-06-16 Thread jonetsu
On Sun, 16 Jun 2019 15:05:40 +0300 Doron Somech wrote: > I'm working on a new website for zeromq, you can check it out here: > > https://new.zeromq.org/ As an aside, is The Guide available as PDF ? Cheers.

Re: [zeromq-dev] Difference between libzmq and zeromq ?

2019-04-01 Thread jonetsu
On Mon, 1 Apr 2019 20:00:20 +0200 Michal Vyskocil wrote: Hi, > However libzmq equals to zeromq for you. See release page > https://github.com/zeromq/libzmq/releases tarballs are named zeromq. > That's more the historical coincidence. > > Nowadays zeromq is the project umbrella and libzmq is

[zeromq-dev] Difference between libzmq and zeromq ?

2019-04-01 Thread jonetsu
Hello, New to zeromq. I would like to incorporate zeromq in C++ developments. From the main page, 'Download' I got to the github page and downloaded zeromq-4.3.1.tar.gz. I built it and installed at the default location (Linux, /usr/local/lib/). Looking for a C++ interface, the cppzmq

[lfs-support] ch6: 'Automating' tzselect configuration in glibc

2019-01-22 Thread jonetsu
Hello, Thanks for the previous reply about glibc errors. Is it possible to 'automate' the tzselect portion of building glibc ? By 'automating' I mean to get rid of the user interaction. I did some searches although what I've seen so far was related to the Debian system. Is there a config file

[lfs-support] ch6: Failures with glibc - is that still OK ?

2019-01-22 Thread jonetsu
Hello, Although it's expected that the glibc 'make check' can have errors, I'd like to just list the ones I got here just in case there's something really serious. Some are listed in the book, some are not. The computer is an Intel Core i5-3570 CPU. Would that be considered a relatively not

Re: [lfs-support] gcc not found, beginning of ch6, LFS-8.3

2019-01-18 Thread jonetsu
On Fri, 18 Jan 2019 18:53:03 +0100 Pierre Labastie wrote: > I agree the error message is misleading... "gcc" is a wrapper, as > explained above. It tries to launch sequentially "cpp", "cc1", "as", > and "collect2" (which in turn launches "ld"). If it does not find one > of those files, it just

Re: [lfs-support] gcc not found, beginning of ch6, LFS-8.3

2019-01-18 Thread jonetsu
On Fri, 18 Jan 2019 09:23:38 +0100 Pierre Labastie wrote: > The missing asm-goto issue could come from a similar error (not using > \ continuation) in binutils pass 2... Yes, that was the case !

Re: [lfs-support] gcc not found, beginning of ch6, LFS-8.3

2019-01-18 Thread jonetsu
On Fri, 18 Jan 2019 08:54:54 +0100 Thomas Seeling wrote: > you could solve that by exporting the variables. only exported > variables are visible in sub shells, or variables listed on the same > command line in front of the command invoked. > > "CC=... make" would make the CC variable visible

Re: [lfs-support] gcc not found, beginning of ch6, LFS-8.3

2019-01-18 Thread jonetsu
On Fri, 18 Jan 2019 09:23:38 +0100 Pierre Labastie wrote: > But I haven't asked you to run "./gcc", but to run "./gcc -v". That > makes a big difference: gcc is just a wrapper which calls other > programs sequentially (normal sequence: cpp, cc1 (compiler), as, and > collect2 (itself a wrapper to

Re: [lfs-support] gcc not found, beginning of ch6, LFS-8.3

2019-01-18 Thread jonetsu
On Fri, 18 Jan 2019 02:26:24 + Ken Moffat wrote: > This is also why, no matter how well somebody knows how to script, > we recommend a manual build until you have successfully booted LFS. > Of course, doing that would have not highlighted the problem in > quite the same way. But technically

Re: [lfs-support] gcc not found, beginning of ch6, LFS-8.3

2019-01-17 Thread jonetsu
On Thu, 17 Jan 2019 10:36:33 -0500 jonetsu wrote: > make: gcc: Command not found Confirmed. It now works. Two modifications were made since last time. One is about a gcc directory that did not get erased when supposed to. The other is about the gcc 2nd pass configure command that

Re: [lfs-support] gcc not found, beginning of ch6, LFS-8.3

2019-01-17 Thread jonetsu
On Thu, 17 Jan 2019 14:46:33 -0600 Bruce Dubbs wrote: > Typically the solution for errors like you describe is to start over > and be more careful following the commands in the book. Yes. This is why it's all scripted. Doing some searches I found this quote in the mailing list, perhaps by

Re: [lfs-support] gcc not found, beginning of ch6, LFS-8.3

2019-01-17 Thread jonetsu
On Thu, 17 Jan 2019 14:20:19 -0600 Bruce Dubbs wrote: > In my experience, these types of errors result from not building > Chapter 5 as user lfs or that the lfs user environment is wrong. One > mistake is that the change to user lfs is done with 'su lfs' and not > 'su - lfs'. Do you know in

Re: [lfs-support] gcc not found, beginning of ch6, LFS-8.3

2019-01-17 Thread jonetsu
On Thu, 17 Jan 2019 10:36:33 -0500 jonetsu wrote: > make: gcc: Command not found I should add that ldd (as chroot) gives: (lfs chroot) root:/tools/bin# ldd gcc linux-vdso.so.1 (0x7ffeed749000) libc.so.6 => /tools/lib/libc.so.6 (0x7f75b5b98000) /lib64/ld

[lfs-support] gcc not found, beginning of ch6, LFS-8.3

2019-01-17 Thread jonetsu
Hello, I have rebuilt ch5 twice now. The 2nd time around I have scripted all build commands so that there's a firm reliable base to work with. Each package has its own build file. The build instructions can be compared with the book and adjusted if necessary. Less guess work. And each

[openssl-users] Reasons to go from 2.0.9 FOM to 2.0.12 ?

2016-08-19 Thread jonetsu
Hello, We are using FOM 2.0.9 for an embedded product that will go for FIPS validation.  Validation of the full product, that is.  All development so far is with 2.0.9.  What would be the reasons, if any, to update to 2.0.12 before going to the lab ? Thanks - comments much appreciated.

[gnutls-help] Intermediate CAs

2016-08-08 Thread jonetsu
Hello, Is there an example or two around on how to handle intermediate CAs using GnuTLS ? Thanks.

[openssl-dev] FIPS mode: how is the code put together ?

2016-08-08 Thread jonetsu
Hello, When using the FIPS module (version 2.0.9 if it matters, with OpenSSL 1.0.1e) the source code of both the regular openssl and the openssl-fips have a certain number of files named the same. For instance, crypto/bn/bn_rand.c. The FIPS version of this file has an additional check for

Re: [openssl-users] FIPS: using libcrypto.so ?

2016-08-03 Thread jonetsu
Thanks for the explanation. > Just link against the library produced by the FIPS capable > OpenSSL build. If, for some reason, that only produced > libcrypto.a, then you need to investigate why — perhaps you > passed “no-shared” when running the config script? The confusion came from trying to

[openssl-users] FIPS mode: Need to use FIPS versions of (EVP) methods ?

2016-08-02 Thread jonetsu
FIPS: Need to use FIPS versions of (EVP) methods ? In FIPS mode, is there a need to use the FIPS_* methods instead of the regular ones once FIPS_mode_set(1) was successfully executed ? For instance, is there a need to use FIPS_evp_sha1() instead of EVP_sha1() ? Wouldn't the FIPS version of

[openssl-users] FIPS: using libcrypto.so ?

2016-08-02 Thread jonetsu
The current FIPS User Guide mentions: "3.3 Creation of Shared Libraries The FIPS Object Module is not directly usable as a shared library, but it can be linked into an application that is a shared library. A “FIPS compatible” OpenSSL distribution will automatically incorporate an

[openssl-users] linker input file unused/linking not done gcc warning

2016-08-02 Thread jonetsu
Hello, Is it normal to get a 'linker input file unused because linking not done' warning when compiling C code that uses OpenSSL in FIPS mode, hence using fipsld ? The object file is actually generated, as well as the executable, and it does execute in a meaningful manner. The warning: [...]

[Swan] OCSP aspect: Intermediate CA support

2016-07-25 Thread jonetsu
Hello, Is there explicit Intermediate CA support in libreswan itself, or is it exclusively handled by NSS ? Thanks.

[Shorewall-users] DSCP marking

2016-07-20 Thread jonetsu
Hello, Some time ago I did a user interface for DSCP marking, taking the documentation from the tcrules of that time, in which it was mentioned that the DSCP mark can be followed by either F (forward chain) or T (postrouting - default).  The current mangle documentation page does not have

[openssl-users] FIPS: Simulating failure at run-time ?

2016-07-18 Thread jonetsu
Hello, Is it possible to simulate FIPS failure at run-time, at any given time ? Or does OpenSSL have to start in failure simulation mode ? Also, is failure simulation a standard part of a normal, non-debug, build ? Thanks.

186-4 (RSA) support

2016-07-13 Thread jonetsu
Hello, Does the current stable GnuPG release have the 186-4 support mentioned in Issue1736 'FIPS 186-4 compliance patches' ? Thanks.

[openssl-users] FIPS canister 2.0.12 and 186-4

2016-07-12 Thread jonetsu
Hello, Does 2.0.12 support 186-4 ?  Specifically, does it support the RSA requirements ? Thanks.

[openssl-dev] FIPS: AES CTR KAT tests

2016-07-05 Thread jonetsu
Hello, I am looking for the selftests, the KAT tests, for AES CTR and CBC in openssl_fips 2.0.9. Although many tests are directly defined, such as:   FIPS_selftest_aes_gcm(void) in aes/fips_aes_selftest.c   gcmtest(FILE *in, FILE *out, int encrypt) in ../aes/fips_gcmtest.c   And for CBC:  

[Swan] Is libreswan's OCSP periodically doing checks ?

2016-05-25 Thread jonetsu
Hello, Is libreswan's OCSP periodically doing checks to see if the certificate in use is still valid ?  If so, at which frequency ? Thanks.

[openssl-users] FIPS 186-4 support ?

2016-05-13 Thread jonetsu
Hello, Is there anything new regarding the prime number requirement handling for FIPS 186-4, as far as supporting it ? I asked some time ago. Just want to see if anything has changed, if there's anything planned. - thanks !

Disabling all uses of elliptical curves

2016-04-29 Thread jonetsu
Hello, Is there a run-time option to disable all and every uses of elliptical curves ? If not, is there a compile option ? Thanks.

[gnutls-help] Disabling all uses of elliptical curves

2016-04-29 Thread jonetsu
Hello, It was suggested previously to compile with the '--disable-ecdhe' option to disable the use of elliptical curves.  Will this compile option effectively get rid of all and every uses of elliptical curves or will there still be some uses allowed ? Thanks.

Re: [rsyslog] Certificate usage

2016-04-04 Thread jonetsu
> From: "David Lang" > Date: 04/04/16 14:56 > rsyslog just uses whatever gnutls does by default. It doesn't try to be > fancy, > it just does a minimal wrapper around its normal communications. The background to this is the observance of the NSA NIAP requirements when

[rsyslog] Certificate usage

2016-04-04 Thread jonetsu
Hello, In using certificates for secure remote syslogging, does rsyslog take into account the certificate's Extended Key Usage ? For instance, in this case rsyslog is a client.  The certificate used would have the Extended Key Usage field set to serverAuth. If the certificate does not have

[openssl-users] TLS 1.0 in FIPS mode ?

2016-03-29 Thread jonetsu
Hello, Does OpenSSL allow TLS 1.0 when running in FIPS mode ? Thanks.

[Shorewall-users] L2TPv3 traffic control ?

2016-03-28 Thread jonetsu
Hello, Is there any provision within Shorewall to provide traffic control inside L2TPv3 ? Thanks.

[gnutls-help] Disabling use of elliptic curves at compile time

2016-02-03 Thread jonetsu
Hello, Subject line basically says it.  Is it possible to disable the use of elliptic curves at compile time ? Thanks.

[rsyslog] Control over encryption ?

2016-01-26 Thread jonetsu
Hello, When setting up for encrypting syslog traffic, is there any option within rsyslog to restrict any crypto parameter ?  For instance, is it possible to disable the use of curves CURVE-SECP224R1 and CURVE-SECP192R1 in GnuTLS ? Thanks.

[gnutls-help] Restricting 224 and 192 curves

2016-01-26 Thread jonetsu
Hello, Is it possible to disable the use of CURVE-SECP224R1 and CURVE-SECP192R1 at runtime (by a parameter or programmatically) ? Thanks.

[gnutls-help] Key sizes available for DSA

2016-01-26 Thread jonetsu
Hello, Which key sizes are available for DSA signature generation and verification ? Thanks.

Re: Using NSS in FIPS mode

2016-01-25 Thread jonetsu
Paul Wouters wrote: > Why would that be the right choice? Because this is the FIPS/CC way. Moreover, our FIPS/CC consultant has made it clear. This being said, a difference must be established between a unit, a hardware unit, and software components running inside. It might very well be that

Re: Using NSS in FIPS mode

2016-01-22 Thread jonetsu
Paul Wouters wrote: > How is a library in FIPS mode when it hasn't yet initialised because > the application has not kicked off yet? Do you actually initialise > them using a test program? Yes. This is the case for OpenSSL and GnuTLS. For NSS, as we have seen, the FIPS initialisation is done

Re: Using NSS in FIPS mode

2016-01-22 Thread jonetsu
Robert Relyea wrote: > The call PK11_IsFIPS() returns true if softoken is in FIPS mode. The > dance to programmatically is to call SECMOD_DeleteInternalModule(), > which toggles the module between FIPS and non-FIPS modes. Thanks. I will try it. When are the self-tests run, from an application

Re: Using NSS in FIPS mode

2016-01-22 Thread jonetsu
Paul Wouters wrote: > Oh, I did not know about this one. I guess once we (the application) > detect the system is in FIPS mode, we could verify that NSS is as > well. >> Finally, is there any example code out there that uses NSS in FIPS >> mode ? > libreswan uses NSS and supports a FIPS mode.

Re: Using NSS in FIPS mode

2016-01-22 Thread jonetsu
Paul Wouters wrote: > So while I just added a check, it should be completely redundant. Depends. I'd be wary of a system that proclaims itself FIPS enabled without 'seeing it with my own eyes'. So I am not convinced this is redundant. > Those are done within the libraries and applications.

Using NSS in FIPS mode

2016-01-21 Thread jonetsu
Hello, Please let me know if this is not the right place to ask about the following... I am new to NSS and would like to use it in FIPS mode. I do know about OpenSSL and GnuTLS, both of them having explicit calls to enable FIPS mode. With NSS, so far I have seen that the modutil

[openssl-users] Difference in the methods for listing the FIPS ciphers

2016-01-08 Thread jonetsu
Hello, Using 1.0.1e running FIPS module 2.0.9, the following two commands for querying the ciphers do not yield the same results. There are more ciphers declared in the 'string' version. The 'environment variable' version: % OPENSSL_FIPS=1 openssl ciphers -v | The 'string' version: % openssl

Re: [openssl-users] openSSL and SLOTH attack

2016-01-08 Thread jonetsu
> Does FIPS mode prevent use of MD5: Yes. > Does FIPS mode prevent insecure uses of SHA-1 (a FIPS > algorithm): No. > Does FIPS mode prevent the SSL/TLS handshake from using 96 bit > truncated HMAC values: Probably not. > Does FIPS mode prevent use of the insecurely designed > 'tls-unique'

Re: [openssl-users] openSSL and SLOTH attack

2016-01-07 Thread jonetsu
Does this mean that running 1.01e in FIPS mode is protected regarding this SLOTH attack ?

Re: [openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

2015-12-18 Thread jonetsu
Is there any current solution to have RSA 186-4 in OpenSSL FIPS (now, even if this means an upgrade ?) Thanks.

Re: [openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

2015-12-18 Thread jonetsu
Sorry, I forgot: What about the code itself, if we do not mind the validation ? Is the 185-4 RSA compatible code present in any OpenSSL/FIPS module ?

Re: [openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

2015-12-18 Thread jonetsu
What would then be the permitting conditions to pursue a new validation ? If you don't mind me asking. I have read several notes you have on the subject and I agree that the whole thing is of Daedalus proportions. In a nutshell what would be these conditions ? Thanks, much appreciated.

Re: [openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

2015-12-18 Thread jonetsu
Fair enough (in this context). But what about the code itself, is it ready to be RSA 186-4 compliant ? And, if we go through a validation, can OpenSSL benefit from it ?

[openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

2015-12-17 Thread jonetsu
Hello, I have read about the use of FIPS_rsa_x931_generate_key_ex() for 186-4 compliance.  We are using OpenSSL 1.0.1e with the fips-2.0.9 module.    Would it make functional sense using those versions to patch RSA_generate_key_ex() (../crypto/rsa/rsa_gen.c) to have:  #ifdef OPENSSL_FIPS

[gnutls-help] FIPS checks in FIPS mode

2015-11-18 Thread jonetsu
Hello, Are any FIPS self-checks done when executing gnutls_global_init(); and  gnutls_init(); when GnuTLS runs in FIPS mode (as reported by the return value of '1' to gnutls_fips140_mode_enabled()) ?  If not, is it possible to have these tests made explicitly ? Thanks.

Re: [Shorewall-users] I'll be off of the list for several days

2015-11-17 Thread jonetsu
Wish you all the best !! -Original Message- > From: "Tom Eastep" > To: "Shorewall Users" , "Shorewall > Development" > Date: 11/17/15 11:13 > Subject: [Shorewall-users] I'll be off

[openssl-users] How to access a bug fix ?

2015-11-13 Thread jonetsu
Hello, I would like to see the bug fix for RT3515 'Use 3DES in pkcs12 if built with no-rc2' although the openssl tree I got recently does not show it: % git status On branch master Your branch is up-to-date with 'origin/master'. % git show 92830dc1ca0bb2d12bf05a12ebb798709595fa5a fatal: bad

[openssl-users] (2013) : PKCS12 keystore creation failing in fips mode (RT3515)

2015-11-11 Thread jonetsu
Hello, There is a thread in 2013 (30 May 03:15) in which Steve writes that OpenSSL 1.0.1 has a bug regarding the use of PKCS12 in FIPS mode since it tries to handle a certificate using a non-FIPS component.  I think I found the commit that fixes this, although it is part of a quite huge

Re: [openssl-users] Elliptic curves approved or recommended by government

2015-11-11 Thread jonetsu
In the NSA page referred above, the p-384 curves are specifically mentioned for DH. These would be the ones covered by the Suite B NSA license sub-licensed to OpenSSL, are they ? Is it possible to build OpenSSL in FIPS in such a way that only these curves will be used ? Regards.

[openssl-users] OpenSSL public repository, bug tracker ?

2015-10-28 Thread jonetsu
Sorry if this is answered elsewhere ... Is the version control repository as well as the bug tracker of public read access ? Is it possible to find a specific commit in the OpenSSL repository that would hopefully fix a single discovered/reported bug ? We have hit the

[openssl-users] 'FIPS_CIPHERINIT:disabled' in fips mode error in 1.0.1e

2015-10-26 Thread jonetsu
In 1.0.1e the following is observed when using OpenSSL in FIPS mode:  % OPENSSL_FIPS=1 openssl pkcs12 -export -in  /tmp/ipsec.d/certs/192.168.11.1 -inkey  /tmp/ipsec.d/private/192.168.11.1 -name 192.168.11.1 -out  /tmp/ipsec.d/192.168.11.1.p12 -password pass:""  

[openssl-users] CAVP protocol testing - what does it really consist of ?

2015-10-21 Thread jonetsu
Hello, Sorry if this is a bit beside OpenSSL per se, the idea behind this post is to perhaps have some information from the OpenSSL experience with FIPS validation.  There was so much effort put into FIPS compliance that it would not be far-fetched to consider that there is also knowledge

Re: [openssl-users] CAVP protocol testing - what does it really consist of ?

2015-10-21 Thread jonetsu
> From: "Steve Marquess" > Date: 10/21/15 14:18 > See Appendix B of the OpenSSL FIPS User Guide: >  https://openssl.org/docs/fips/UserGuide-2.0.pdf Thanks. > The specific algorithm tests have changed quite a bit since then > (constant change is part of the fun), but

Re: [Shorewall-users] Using both IPv4 and IPv6 TC

2015-10-09 Thread jonetsu
> From: "Tom Eastep" > Date: 10/09/15 12:59 > > When having a complex TC configuration for both IPv4 and IPv6, > > setting TC_ENABLED=Internal in both Shorewall .conf files seems > > natural.  Is this the way to proceed ? > You want TC_ENABLED=Internal in one

Re: [Shorewall-users] Using both IPv4 and IPv6 TC

2015-10-09 Thread jonetsu
> From: "Tom Eastep" > Date: 10/09/15 12:59  > Also note the warnings about the settings for CLEAR_TC in both files. It works using files instead of symlinks.  I was simply wondering if Shorewall would take into account the nature of the symlinks themselves in its

Re: [Shorewall-users] Using both IPv4 and IPv6 TC

2015-10-09 Thread jonetsu
> From: jonetsu <jone...@teksavvy.com> > Date: 10/09/15 14:42 > I have another question regarding Shorewall6 conf: why isn't there a Simple > option for TC_ENABLED ? The above question stemmed from the online shorewall6.conf in which the Simple option for TC_ENABLE

[Shorewall-users] Using both IPv4 and IPv6 TC

2015-10-09 Thread jonetsu
Hello, When having a complex TC configuration for both IPv4 and IPv6, setting TC_ENABLED=Internal in both Shorewall .conf files seems natural.  Is this the way to proceed ? Thanks.

[gnutls-help] How to run the test suite in FIPS mode ?

2015-09-25 Thread jonetsu
Hello, Following on the recent thread, I would like to know how to run the tests after a successful compile while in FIPS mode.  Currently there are over 80 failures when running 'make check' so something is wrong.  Thanks.

Re: [gnutls-help] make check errors in system running FIPS mode

2015-09-23 Thread jonetsu
> From: "Nikos Mavrogiannopoulos" > Date: 09/23/15 07:06 > They are run on the gnutls global initializer. There is no > documentation for the FIPS140 operations. It affects too few people to > make sense writing it. Unless there is someone contributing that > documentation I

Re: [gnutls-help] make check errors in system running FIPS mode

2015-09-22 Thread jonetsu
> From: "Nikos Mavrogiannopoulos" > Date: 09/22/15 02:24 > In FIPS140-2 mode the library must have integrity tests, and if these > are not present it will fail to load. You may use the environment > variable GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS (set to 1), to skip these >

Re: [openssl-users] Behaviour facing a broken OCSP responder

2015-09-14 Thread jonetsu
> From: "Salz, Rich" > Date: 09/14/15 16:07 > Are you talking about the command-line? Yes. > It would be great if someone sent in a patch that standardized > and documented exit codes, like 0 for got a "good" > response, "1" for got a "bad" response, and 10 for got an >

[openssl-users] Behaviour facing a broken OCSP responder

2015-09-14 Thread jonetsu
Hello, The documentation does not seem too clear about what the behaviour exactly is when OpenSSL deals with a broken OCSP responder.  For instance, one that would send an OK without any contents.  We call openssl from an application and would like to know what is returned in such a case, or

Re: [openssl-users] BEAST and SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

2015-08-19 Thread jonetsu
Thanks for your comments - much appreciated. What is exactly the poodle patch and how does it come into providing some form of protection against the BEAST attack ?

Re: [openssl-users] BEAST and SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

2015-08-18 Thread jonetsu
Does this mean, since the 'no insert fragments' is part of SSL_OP_ALL, that OpenSSL is BEAST-proof since some time regarding its use of TLS 1.0 and SSL 3.0 ? Thanks.

Re: [openssl-users] BEAST and SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

2015-08-18 Thread jonetsu
OK. So this means that the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is not the solution for the BEAST attack. Is there a solution while keeping TLS 1.0 and SSL v3.0 ? Thanks.

[Shorewall-users] routeback option explicitly disabled generates error

2015-08-07 Thread jonetsu
Hello, Having an undefined zone along with disabling explicitly the routeback option generates an error as if the '0' value of the routeback option (which I assume is disabling the option) is not taken into account: Shorewall 4.6.4.3. interfaces   -    eth2        -    

Re: [Shorewall-users] Error output has changed

2015-08-06 Thread jonetsu
On 08/04/2015 12:33 PM, jonetsu wrote: > From: Robert K Coffman Jr. -Info From Data Corp. bcoff...@infofromdata.com > Date: 08/04/15 15:18 > The TC files were changed - the error

[Shorewall-users] mangle documentation example

2015-08-05 Thread jonetsu
Hello, The examples shown in the mangle documentation are the same as for tcrules. I ran: (config files, including shorewall.conf, are stored in /tmp/shorewall/) % cd /tmp/shorewall/ % shorewall update -t . And from a tcrules that is: #MARK  SOURCE     DEST       PROTO   DPORT(S)  

[Shorewall-users] No error reported when missing default tcclass

2015-08-05 Thread jonetsu
Shorewall 4.6.4.3 Still using tcrules, so I ran 'shorewall update -t .' and it created a mangle file, and modified the shorewall.conf file. The configuration is missing a default tcclass.  Shorewall 4.5.5.3 will report: % shorewall check .  [...]  Checking Martian Logging...  Checking

[Shorewall-users] No error reported when out bandwidth is exceeded in tcclasses

2015-08-05 Thread jonetsu
Hello, This is basically the same as the previous post about no error output when a default tcclass is missing.  This time around the out bandwidth is exceeded.  Shorewall 4.5.5.3 has a warning output:  Checking Martian Logging...  Checking /tmp/shorewall/tcdevices...  Checking

[Shorewall-users] Error output has changed

2015-08-04 Thread jonetsu
Hello, I have noticed that between versions 4.5.5.3 and 4.6.4.3 that the error output concerning a missing TC default class is missing in the latter, for a same configuration: 4.5.5.3: Checking /tmp/shorewall/tcdevices... Checking /tmp/shorewall/tcclasses...    ERROR: No default class

Re: [Shorewall-users] Error output has changed

2015-08-04 Thread jonetsu
> From: Robert K Coffman Jr. -Info From Data Corp. bcoff...@infofromdata.com > Date: 08/04/15 15:18 > The TC files were changed - the error message on the newer version telling you how to update your files. Hmmm... The 'shorewall update -t' command ... That is quite a lot.  The system relies so

[gnutls-help] Patch still needed in 3.3.16 ?

2015-07-27 Thread jonetsu
Hello, On Wed Jan 14 08:13:47 a patch was given re.: 'Compiling with the FIPS option'.  Today with version 3.3.16 I see that the patch was not applied upstream.  Is it still needed at all ? Thanks.

[openssl-users] BEAST and SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

2015-07-22 Thread jonetsu
Hello, Our Nessus version  6.4.1 is detecting a BEAST vulnerability against OpenSSL  1.0.1e.  The source code defines SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS as 0x0800L and several tests are made for this value in the code.  The CHANGES mentions though that this had some side effects, the

Re: [openssl-users] New FIPS 140-2 SE Validation Approved

2015-06-30 Thread jonetsu
The validation is on the ARM platform using Linux 2.4. I am one of those 'unlucky' having to deal with FIPS so please pardon any silly questions. Would this validation be limited to these two aspects ? And, is there any money-saving advantage at using an already validated OpenSSL when the whole

[Shorewall-users] Reverse Path filtering: iptables and kernel ?

2015-05-26 Thread jonetsu
Hello,   When specifying a rpfilter option for an interface, we can see after applying the firewall configuration that there is a rpfilter being added for that interface, as well as a rpfilter chain.  OTOH, no rp_filter option is set in /proc/sys/net/ipv4/conf/interface|all/rp_filter. What

[gnutls-help] TLS v1.1 in GnuTLS

2015-05-05 Thread jonetsu
GnuTLS supports TLS v1.1 although no TLS1.1 is shown in the cipher list.  But it is shown as protocol.  Does this mean that there were no ciphers added at the TLS 1.1 stage (only protocol changes) and, the ciphers supported by 1.1 are already listed using a previous version ? Regards.

Re: [openssl-users] SHA256() to EVP_* ?

2015-05-01 Thread jonetsu
Even a small convenience is still a convenience. And eventually they add up. Thanks for the comments - it's appreciated.

[openssl-users] Porting to EVP methods: AES_set_encrypt_key()

2015-04-29 Thread jonetsu
Hello, The context is migrating an application to use EVP only methods. AES_set_encrypt_key(...) AES_cfb128_encrypt(...) The AES_cfb128_encrypt() is pretty clear to migrate to EVP_*, what about the AES_set_encrypt_key() ? I haven't found yet any correlation to the EVP methods, let alone an
