On Mon, 26 Jan 2015 22:35:12 -0500
Tom Francis thomas.francis...@pobox.com wrote:
This is a bad idea. It can generally be done, and it’s probably not
even too hard (for some uses, anyway). But it’s a bad idea. Here’s
why:
Thanks for the detailed comments. I understand the concerns,
On 01/28/2015 08:31 AM, jone...@teksavvy.com wrote:
...
We have not done any validations that satisfy the various new
requirements introduced in late 2013 and early 2014. New validations
are very expensive, in dollars, time, and grief, and we don't have the
necessary financial backing.
On Jan 28, 2015, at 8:47 AM, Dr. Stephen Henson st...@openssl.org wrote:
On Wed, Jan 28, 2015, jone...@teksavvy.com wrote:
On Mon, 26 Jan 2015 22:35:12 -0500
Tom Francis thomas.francis...@pobox.com wrote:
Thanks for the detailed comments. I understand the concerns, although
there's
On Wed, Jan 28, 2015, Tom Francis wrote:
Actually, I was thinking of the 1.x FIPS module, and OpenSSL 0.9.8, where
OpenSSL would prevent disallowed algorithms from being used, but only if you
used the EVP interfaces. You could, for example, invoke MD5 directly. Did
that change with 2.x?
On Tue, 27 Jan 2015 14:13:57 -0500
Steve Marquess marqu...@openssl.com wrote:
The user guide documents that correctly. For the OpenSSL FIPS Object
Module 2.0 (#1747) the FIPS mode of operation is enabled with
FIPS_mode_set(). There is no library startup; you keep confusing
past validations
On Wed, Jan 28, 2015, jone...@teksavvy.com wrote:
On Mon, 26 Jan 2015 22:35:12 -0500
Tom Francis thomas.francis...@pobox.com wrote:
Thanks for the detailed comments. I understand the concerns, although
there's one thing I do not see clearly, that is:
2) Applications that don’t know
On 01/26/2015 06:21 PM, jone...@teksavvy.com wrote:
On Fri, 16 Jan 2015 10:16:48 -0500
Steve Marquess marqu...@openssl.com wrote:
On 01/15/2015 05:52 AM, Marcus Meissner wrote:
On Linux usually triggered by /proc/sys/crypto/fips_enabled
containing 1 or the environment variable
Steve Marquess marqu...@openssl.com wrote on 01/27/15 09:18:
Thank you (and Tom) for your comments - much appreciated.
Tom Francis nailed the answer to this one. We did design the FIPS module
+ FIPS capable OpenSSL combination to make it possible to have a
system wide FIPS mode capability, but
On 01/27/2015 11:09 AM, jonetsu wrote:
Steve Marquess marqu...@openssl.com wrote on 01/27/15 09:18: Thank
you (and Tom) for your comments - much appreciated.
Tom Francis nailed the answer to this one. We did design the FIPS
module + FIPS capable OpenSSL combination to make it possible to
On Fri, 16 Jan 2015 10:16:48 -0500
Steve Marquess marqu...@openssl.com wrote:
On 01/15/2015 05:52 AM, Marcus Meissner wrote:
On Linux usually triggered by /proc/sys/crypto/fips_enabled
containing 1 or the environment variable
OPENSSL_FORCE_FIPS_MODE=1 (at least for the certs done by SUSE and
On Jan 26, 2015, at 6:21 PM, jone...@teksavvy.com wrote:
On Fri, 16 Jan 2015 10:16:48 -0500
Steve Marquess marqu...@openssl.com wrote:
On 01/15/2015 05:52 AM, Marcus Meissner wrote:
On Linux usually triggered by /proc/sys/crypto/fips_enabled
containing 1 or the environment variable
On Thu, Jan 15, 2015 at 05:46:22AM -0500, jone...@teksavvy.com wrote:
On Tue, 13 Jan 2015 21:33:49 -0500
jone...@teksavvy.com jone...@teksavvy.com wrote:
So basically every app that uses libssl will have to be modified to
add a FIPS_mode_set() call near the beginning. Is that right?
On Tue, 13 Jan 2015 21:33:49 -0500
jone...@teksavvy.com jone...@teksavvy.com wrote:
So basically every app that uses libssl will have to be modified to
add a FIPS_mode_set() call near the beginning. Is that right?
Is there a way to automatically have the FIPS test executed when an