[openssl-users] Working with large DH parameters

2015-04-28 Thread jack seth
Ok I have been doing some experiments with OpenVPN and I can connect using 1 bit DH parameters.  Any bigger than that up to at least 13824 I get the following 'modulus too large' error on the client log: TLS_ERROR: BIO read tls_read_plaintext error: error:05066067:Diffie-Hellman

Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-28 Thread Salz, Rich
If they have counterparts in TLS that could be used, why wouldn't the TLS version show up instead? Because they are *the same*. TLS did not take old ciphers and renumber or rename them.

Re: [openssl-users] Performance problems with OpenSSL and threading

2015-04-28 Thread Jeffrey Walton
In the future, this may change if/when OpenSSL does another FIPS validation. CMVP has changed the implementation guidance that requires the POST to run automatically without user intervention. Any future FIPS validations would be subject to the new rules. Hence, the behavior of

Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-28 Thread jonetsu
SSLv3 in the ciphersuite definition means it can be used in SSLv3 *and later*. A ciphersuite isn't defined once for SSLv3, and then again for TLS1.0, and again for TLS1.1 etc - it's just defined once and is reused across multiple protocol versions. Yes, this is what I basically understood.

Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-28 Thread Matt Caswell
On 28/04/15 13:31, jonetsu wrote: That refers to the minimum version of the ciphersuite: it doesn't imply that it will only be used in SSLv3 (which is disabled in FIPS mode). Hmmm... I'm sorry but I do not really understand this. Since openssl is run in FIPS mode, and since SSLv3 is

Re: [openssl-users] ECDSA digest configurations

2015-04-28 Thread Dr. Stephen Henson
On Mon, Apr 27, 2015, Rajeswari K wrote: Hi Steve, Thanks for the response. We are using openssl-1.0.1j. Following is how we have configured NID_sha1 and NID_ecdsa_with_sha1. We use our own signature and digest methods. But, I see modification of digest has issue. If I don't set any

Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-28 Thread jonetsu
That refers to the minimum version of the ciphersuite: it doesn't imply that it will only be used in SSLv3 (which is disabled in FIPS mode). Hmmm... I'm sorry but I do not really understand this. Since openssl is run in FIPS mode, and since SSLv3 is disabled, then why would the SSLv3 ciphers

Re: [openssl-users] SHA256() to EVP_* ?

2015-04-28 Thread Dave Thompson
From: openssl-users On Behalf Of jonetsu Sent: Tuesday, April 28, 2015 13:53 What would be the equivalent of the SHA256() function in the EVP class of methods? EVP_sha256() could be it, although from the short description in manual page it does not seemingly fit in, returning an EVP_MD

Re: [openssl-users] Generating RSA PrivateKey and PublicKey programmaticallly

2015-04-28 Thread Salz, Rich
A pair means two. An RSA keypair is two keys, the public key and the private key. You cannot have one without the other, and you cannot generate them separately. You can, of course, store and use them separately, and must do so. -- Senior Architect, Akamai Technologies IM: richs...@jabber.at

Re: [openssl-users] Generating RSA PrivateKey and PublicKey programmaticallly

2015-04-28 Thread Matt Caswell
On 28/04/15 15:39, Nayna Jain wrote: Hi all, I want to generate public and private key pair programmatically. However, I have some basic questions. The key generated using RSA_generate_key_ex is actually a key pair, having both private and public key. Now, if I want to extract the

[openssl-users] NID_Name equivalent in a certificate

2015-04-28 Thread Mailer Mailer
Hi, Can someone let me know what is the equivalent field in a certificate that maps to NID_Name? Thank you, Tom ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Performance problems with OpenSSL and threading

2015-04-28 Thread Bryan Call
What do you mean by “FIPS POST has completed”? -Bryan On Apr 24, 2015, at 4:17 PM, John Foley fol...@cisco.com wrote: Some of the algorithms still invoke the FIPS flavor of the algorithm even when FIPS is disabled. For example, this code is from EVP_DigestUpdate(). int

Re: [openssl-users] FIPS 140-2 on iOS

2015-04-28 Thread Q Gct
Hi, I believe you can make an app that is FIPS compliant: since OpenSSL can be made FIPS compliant on a non-validated OS, why not an app on iOS? But it will be FIPS compliant, not FIPS validated app. On Tue, 28 Apr 2015 21:45, Sec_Aficionado secaficion...@gmail.com wrote: Hi there, Total

Re: [openssl-users] FIPS 140-2 on iOS

2015-04-28 Thread Steve Marquess
On 04/28/2015 03:44 PM, Sec_Aficionado wrote: Hi there, Total n00b question here. I recently ran across a question on an iOS forum where someone was building an app with FIPS 140-2 compliant communications. Note there really is no such thing as FIPS 140-2 compliant (though you see that

Re: [openssl-users] Generating RSA PrivateKey and PublicKey programmaticallly

2015-04-28 Thread Matt Caswell
On 28/04/15 22:10, Nayna Jain wrote: Is there any other way to store private key and public key rather than in PEM format in file ? I mean API to store public and private key separately in memory. You mean like this: https://www.openssl.org/docs/crypto/d2i_RSAPublicKey Matt

Re: [openssl-users] Generating RSA PrivateKey and PublicKey programmaticallly

2015-04-28 Thread Nayna Jain
Is there any other way to store private key and public key rather than in PEM format in file ? I mean API to store public and private key separately in memory. Thanks Regards, Nayna Jain From: Matt Caswell m...@openssl.org To: openssl-users@openssl.org Date: 04/28/2015 08:29 PM

Re: [openssl-users] Certificate template information

2015-04-28 Thread Franks Andy (IT Technical Architecture Manager)
Hi Jakob, Thanks for the feedback, what you say makes sense, so I'll try and avoid the non-standard Microsoft thing. Apologies for the top-posting, I get so used to pressing reply. Kind regards, Andy

[openssl-users] SHA256() to EVP_* ?

2015-04-28 Thread jonetsu
Hello, What would be the equivalent of the SHA256() function in the EVP class of methods? EVP_sha256() could be it, although from the short description in manual page it does not seemingly fit in, returning an EVP_MD which is, if not mistaken, a env_md_st structure. The code I'm adapting to EVP

Re: [openssl-users] How do I uninitialize OpenSSL properly?

2015-04-28 Thread Salz, Rich
Unfortunately this didn't solve my problem, but at least I narrowed it down. The leaks are caused by my call to SSL_CTX_load_verify_locations, which is essentially X509_STORE_load_locations. Doesn't freeing the SSL_CTX_free release that data? If not, please file an RT ticket.

Re: [openssl-users] Performance problems with OpenSSL and threading

2015-04-28 Thread John Foley
In the context of OpenSSL 1.0.1 or 1.0.2, this means FIPS_mode_set(1) has returned with a successful return value. In the future, this may change if/when OpenSSL does another FIPS validation. CMVP has changed the implementation guidance that requires the POST to run automatically without user

Re: [openssl-users] How do I uninitialize OpenSSL properly?

2015-04-28 Thread Alexander
Unfortunately this didn't solve my problem, but at least I narrowed it down. The leaks are caused by my call to SSL_CTX_load_verify_locations, which is essentially X509_STORE_load_locations. I found that function in x509_d2.c and I find it suspicious that this function invokes exactly 4 function

Re: [openssl-users] How do I uninitialize OpenSSL properly?

2015-04-28 Thread Alexander
On 28.04.2015 at 20:06, Salz, Rich wrote: Unfortunately this didn't solve my problem, but at least I narrowed it down. The leaks are caused by my call to SSL_CTX_load_verify_locations, which is essentially X509_STORE_load_locations. Doesn't freeing the SSL_CTX_free release that data? If

Re: [openssl-users] Encryption and Decryption using ECC based certificate private/public key pair

2015-04-28 Thread Jayalakshmi bhat
Hi Jeff, Thanks a lot for the detailed explanation. Since I have a requirement to use the certificate public/private keys for encryption/decryption I believe I should be able to use ECDHE based approach. Regards Jayalakshmi On Sun, Apr 26, 2015 at 11:41 PM, Jeffrey Walton noloa...@gmail.com

[openssl-users] FIPS 140-2 on iOS

2015-04-28 Thread Sec_Aficionado
Hi there, Total n00b question here. I recently ran across a question on an iOS forum where someone was building an app with FIPS 140-2 compliant communications. Now, from reading here (mailing lists) about FIPS certification, it involves both the bits and the platform. So it would not be

Re: [openssl-users] Certificate template information

2015-04-28 Thread Franks Andy (IT Technical Architecture Manager)
Thanks Rich, Jakob. So, can I use openssl as it is to query the values of the extension on an existing certificate do you think? The usual issue seems that people want to use openssl to form a request and insert the ms CA template name in there otherwise it complains. I don't want to do that,

Re: [openssl-users] Certificate template information

2015-04-28 Thread Jakob Bohm
(top posting because OP did so) Note that as I already said, checking the template name is usually a mistake, unless you happen to know that some other software will reject certificates without specific template names. It is much more relevant (and should be done even if the template name is