Hi there,
I am trying to do a DH key exchange between BSAFE and OpenSSL. The server
side uses BSAFE to generate DH parameters and server's public/private key,
and my client uses received DH parameters to generate its keys. Now my
problem is that I cant parse out the DH parameters properly at clien
I have tried these versions:
drwxr-xr-x 22 root root1536 Nov 30 15:00 openssl-0.9.8b
drwxr-xr-x 22 root root1536 Nov 30 14:54 openssl-0.9.8c
drwxr-xr-x 22 root root1536 Nov 30 14:46 openssl-0.9.8d
drwxr-xr-x 22 root root1536 Nov 30 14:41 openss
Read will fail if write must be done. Write will fail if read must be
done. The bug is that you're not checking for the SSL_ERROR_WANT_READ
or SSL_ERROR_WANT_WRITE required error statuses -- if you get either
of those, you just need to retry the operation again (i.e., treat just
like EAGAIN in PO
It should be public, and probably must be public, given it is supposed
to be true open-source, etc. Everyone should be able to do test builds
(on all types of architectures and variants etc) to iron out bugs, etc,
before being submitted for validation. I'd be very surprised if it
wasn't avail
Kyle Hamilton wrote:
> The FIPS validation process is... odd. And not at all conducive to the
> open-source development model.
>
There is a certain dissonance, for sure :-)
> There is no available OpenSSL FIPS Object Module v1.2.
Well, yes and no. Check out the OpenSSL-fips-0_9_8-stable branch
Ok, so it's kindof working now.
kinda because after a do_handshake, any read on the server server return -1,
but if you ignore this one and continue, subsequent read works.
And data transfer works if back to normal with the new session.
Any reason why the read would fail ?
Are there any sett
The FIPS validation process is... odd. And not at all conducive to the
open-source development model.
There is no available OpenSSL FIPS Object Module v1.2. Until it passes
validation, anyway, at which point the openssl-fips-1.2.0.tar.gz file will
be made available. I don't think the source is
Where can I find information about OpenSSL FIPS Object Module v1.2 ???
Where can this be downloaded from? CVS only? Or are there tarballs
somewhere?
Where does FIPS related development/discussion take place? Just the
users mailing list?
Is there a spot on the website dedicated to FIPS relate
It's probably a combination of my misunderstanding and not wording
things correctly :-/
Let's say I want to use the function RSA_X931_generate_key(). Currently
it is surround by an #ifdef OPENSSL_FIPS conditional. Therefore with
the current build system I MUST specify the -fips option to obt
You are contradicting yourself. If you link against the
openssl-fips-1.1.1library, and are in FIPS_mode, then you have FIPS
functionality. If you are
not in FIPS mode, then the fips library trivially behaves as the traditional
openssl (with all functionalities). The former is called FIPS-validated
Hi,
I require FIPS functionality in OpenSSL but I do NOT have a requirement
to run in FIPS mode.
What I would like is to build OpenSSL and have ALL functions available
to me so I can choose which ones I want to use. At the moment there are
some functions that are only available if the -fips
The following footnote is on page 23 of the
OpenSSL FIPS 140-2 User Guide
(http://www.openssl.org/docs/fips/UserGuide-1.1.1.pdf)
September 27, 2007
The OPENSSL_FIPS=1 environment variable will enable FIPS mode for an
openssl command built from a FIPS capable OpenSSL distribution.
B
Hi ,
I have client that would connects to a server for a long duration of time.
And i'm trying to refresh the session keys.
>From what I have read for open ssl 0.9.7 and up the step to do the same are
>pretty simple.
SSL_renegotiate(SSL *)
SSL_do_handshake(SSL *)
and then to confirm call SSL
Hi,
The openssl User-Guide only mentions about how to create an application in
FIPS mode ( by calling FIPS_mode_set (1) ). The question is that is it
possible to have the openssl command line tool (generated from
openssl-fips-1.1.1) be in FIPS mode ? If yes, please can someone shed some
light on th
Here's a java library for parsing PKCS8 private keys:
http://juliusdavies.ca/commons-ssl/pkcs8.html
You can download it from here:
http://juliusdavies.ca/commons-ssl/download.html
yours,
Julius
On Nov 29, 2007 7:01 AM, Metalpalo <[EMAIL PROTECTED]> wrote:
>
> Hello
>
> I have such problem. I
Hello,
I'm currently auditing an application (my own) and have come up with a
question I cannot answer: how secure is a TLS session?
The app is the server side of a client-server communication protocol
using TLS. The socket is provided by socat, which I have configured to
delegate encryptio
Hello
I have such problem. I generated private key(RSA1024) through openssl and
now I want to load it via BC in java or through Crypto ++.
But It seems that here is some incompatibility. I don't know to parse PKCS8
format from openssl through JAVA
and vice-versa.
What format is used in openssl.
A significant flaw in the PRNG implementation for the OpenSSL FIPS
Object Module v1.1.1 (certificate #733,
_http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#733_)
has been reported by Geoff Lowe of Secure Computing Corporation. Due to
a coding error in the FIPS self-test the
Also happens with 0.9.8f,
Sunfreeware version works, but I need tlsext enabled.
Tried default gcc, then upgraded to latest gcc from sunfreeware. Then
tried another Solaris 10 server entirely.
Tried with shared and without. With threads and without.
0.9.7 compiles, but has no tlsext ;)
[EMA
>
> Doing certs
> Segmentation Fault - core dumped
> RegTP-5R.pem => .0
> Segmentation Fault - core dumped
> WARNING: Skipping duplicate certificate RegTP-6R.pem
> Segmentation Fault - core dumped
> [snip]
>
> # ./apps/openssl
> Segmentation Fault (core dumped)
>
> # gdb ./apps/openssl
> This GDB w
Questions like this should not be sent to the OpenSSL developers
but should rather be sent to the openssl-users mailing list.
I would guess that you should add the dynamic loading functions with "-ldl"
when linking.
Best regards,
Lutz
On Wed, Nov 28, 2007, [EMAIL PROTECTED] wrote:
> Hi,
openssl-0.9.8g
SunOS www01.unix 5.10 Generic_118844-26 i86pc i386 i86pc
gcc version 3.4.6
# rm -rf /usr/local/ssl/
# gtar -zxvf openssl-0.9.8g.tar.gz
# ./config enable-tlsext
[snip]
Configured for solaris-x86-gcc.
# make depend
[snip]
# make
[snip]
make[2]: Entering directory `/export/nfs/src
> I setup my certificate for 10.x.x.x and when I try and access the site, i
> use https://10.x.x.x and I get the error about the certificate being setup
> for a different web site. I've read up on this and the example
> they usually
> use is make sure you use www.foobar.com and not just foobar.c
hi, I have three questions about block ciphers:
1) Is there a way to validate data of streamed block ciphers, As far as i
know when MITH occures there is no way to validate the data, there are few
technics, like reversing the data. Does OpenSSL has any sollution for this?
2) Is there a way to set p
Hi,
I have the following certs
1) End user cert
subject: enduser whatever
issuer : Intermediate CA whatever
2) Intermediate CA cert
subject: Intermediate CA whatever
issuer : Actual CA whatever
3) Actual CA cert (self signed)
subject : Actual CA whatever
issuer : Actual CA whate
openssl-0.9.8g
SunOS www01.unix 5.10 Generic_118844-26 i86pc i386 i86pc
gcc version 3.4.6
# rm -rf /usr/local/ssl/
# gtar -zxvf openssl-0.9.8g.tar.gz
# ./config enable-tlsext
[snip]
Configured for solaris-x86-gcc.
# make depend
[snip]
# make
[snip]
make[2]: Entering directory `/export/nfs/src/
Thanks Ken. Good information.
I setup my certificate for 10.x.x.x and when I try and access the site, i
use https://10.x.x.x and I get the error about the certificate being setup
for a different web site. I've read up on this and the example they usually
use is make sure you use www.foobar.c
27 matches
Mail list logo