Re: [openssl-dev] OpenSSL 1.1.0 and FIPS

2017-09-16 Thread Salz, Rich via openssl-dev
> FIPS is not supported for 1.1.0 > >Just a small fix will do. No. All of the FIPS supporting code has been pulled out of 1.1.0. Even if you get it to compile, it will fail at link or runtime because of missing functions. -- openssl-dev mailing list To unsubscribe:

Re: [openssl-dev] OpenSSL 1.1.0 and FIPS

2017-09-16 Thread Richard Levitte
The Doctor wrote: (16 September 2017 15:26:16 CEST) >On Sat, Sep 16, 2017 at 12:56:08PM +, Salz, Rich via openssl-dev >wrote: >> >> Trying to compile FIPS into OpenSSL-1.1.0 and I run into >> >> FIPS is not supported for 1.1.0 >> > >Just a small fix

Re: [openssl-dev] OpenSSL 1.1.0 and FIPS

2017-09-16 Thread The Doctor
On Sat, Sep 16, 2017 at 12:56:08PM +, Salz, Rich via openssl-dev wrote: > > Trying to compile FIPS into OpenSSL-1.1.0 and I run into > > FIPS is not supported for 1.1.0 > Just a small fix will do.

Re: [openssl-dev] OpenSSL 1.1.0 and FIPS

2017-09-16 Thread Salz, Rich via openssl-dev
Trying to compile FIPS into OpenSSL-1.1.0 and I run into FIPS is not supported for 1.1.0 -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] OpenSSL 1.1.0 and FIPS

2017-09-16 Thread The Doctor
I thought it was just me. Trying to compile FIPS into OpenSSL-1.1.0 and I run into
cc: warning: argument unused during compilation: '-rdynamic' [-Wunused-command-line-argument]
crypto/err/err_all.c:47:69: error: invalid operands to binary expression ('void' and 'int')

Re: [openssl-dev] OpenSSL 1.1.0 and FIPS

2016-02-23 Thread Steve Marquess
On 02/23/2016 08:16 AM, Wall, Stephen wrote: > Thanks for the feedback, I was deliberately ignoring the issue of not > running non-FIPS algos, there are actually instances where it's > desirable to have access to them in FIPS mode (RADIUS, e.g.). A > generic way to handle that (aside from Richard's

Re: [openssl-dev] OpenSSL 1.1.0 and FIPS

2016-02-23 Thread Wall, Stephen
> A generic > way to handle that (aside from Richard's dream proposal) would be to > have a NO_INTERNAL_ALGORITHMS setting somewhere in the API. Possibly > split into NO_INTERNAL_SYMMETRIC_ALGOS, ASYMMETRIC, HASHES, etc, for > finer grained control. Replying to my own post, a second idea: what if

Re: [openssl-dev] OpenSSL 1.1.0 and FIPS

2016-02-23 Thread Wall, Stephen
Thanks for the feedback, I was deliberately ignoring the issue of not running non-FIPS algos, there are actually instances where it's desirable to have access to them in FIPS mode (RADIUS, e.g.). A generic way to handle that (aside from Richard's dream proposal) would be to have a

Re: [openssl-dev] OpenSSL 1.1.0 and FIPS

2016-02-22 Thread Jaroslav Imrich
On 22 February 2016 at 20:18, Richard Levitte wrote: > > This is where I go dreamy eyed with a desire to make all our built-in > algorithms into an engine, loadable like any other engine. I have never tried such a setup but this sounds like SoftHSM2 [0] with OpenSSL crypto

Re: [openssl-dev] OpenSSL 1.1.0 and FIPS

2016-02-22 Thread Steve Marquess
On 02/22/2016 01:58 PM, Dr. Stephen Henson wrote: > On Mon, Feb 22, 2016, Wall, Stephen wrote: > >> I wonder if I could get the thoughts of some of you developers on how >> difficult it would be to build an engine for OpenSSL 1.1.0 that makes use of >> the current (2.0.11?) fipscanister.o. Also,

Re: [openssl-dev] OpenSSL 1.1.0 and FIPS

2016-02-22 Thread Richard Levitte
In message <20160222185829.ga19...@openssl.org> on Mon, 22 Feb 2016 18:58:29 +, "Dr. Stephen Henson" said: steve> On Mon, Feb 22, 2016, Wall, Stephen wrote: steve> steve> > I wonder if I could get the thoughts of some of you developers on how steve> > difficult it would

Re: [openssl-dev] OpenSSL 1.1.0 and FIPS

2016-02-22 Thread Dr. Stephen Henson
On Mon, Feb 22, 2016, Wall, Stephen wrote: > I wonder if I could get the thoughts of some of you developers on how > difficult it would be to build an engine for OpenSSL 1.1.0 that makes use of > the current (2.0.11?) fipscanister.o. Also, opinions on if this would be a > legitimate way to get

Re: [openssl-dev] OpenSSL 1.1.0 and FIPS

2016-02-22 Thread Steve Marquess
On 02/22/2016 11:01 AM, Wall, Stephen wrote: > I wonder if I could get the thoughts of some of you developers on how > difficult it would be to build an engine for OpenSSL 1.1.0 that makes > use of the current (2.0.11?) fipscanister.o. Also, opinions on if > this would be a legitimate way to get

Re: [openssl-dev] OpenSSL 1.1.0 and FIPS

2016-02-22 Thread John Foley
, opinions on if this would be a legitimate way to get FIPS in 1.1.0. Thanks, spw

[openssl-dev] OpenSSL 1.1.0 and FIPS

2016-02-22 Thread Wall, Stephen
I wonder if I could get the thoughts of some of you developers on how difficult it would be to build an engine for OpenSSL 1.1.0 that makes use of the current (2.0.11?) fipscanister.o. Also, opinions on if this would be a legitimate way to get FIPS in 1.1.0. Thanks, spw