[openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-24 Thread jonetsu
Hi, ... Along with TLS 1.0 (which is absent from OpenSSL FIPS mode) https://www.niap-ccevs.org/pp/pp.cfm?id=CPP_ND_V1.0 Specifically: FCS_TLSS_EXT.1.2 The TSF shall deny connections from clients requesting SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0 FCS_TLSS_EXT.2.2 The TSF shall deny connections

[openssl-users] ECDSA digest configurations

2015-04-24 Thread Rajeswari K
Hello openssl-users, I have an issue with update of ECDSA digests in our environment. We have our own digest functions for init, update and final where we registered with these functions for NID_sha1, NID_sha256, NID_sha384 and NID_sha512. These digests were updated at openssl, via

[openssl-users] Web Services Security: SOAP Message Security 1.0 (WS-Security 2004)” Signature Value

2015-04-24 Thread John Vollaro
What OpenSSL command is required to generate a proper “Web Services Security: SOAP Message Security 1.0 (WS-Security 2004)” Signature Value I have the following guidelines in generating the SignatureValue BinarySecurityToken u:Id=* ValueType=

Re: [openssl-users] Performance problems with OpenSSL and threading

2015-04-24 Thread John Foley
Some of the algorithms still invoke the FIPS flavor of the algorithm even when FIPS is disabled. For example, this code is from EVP_DigestUpdate(). int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count) { #ifdef OPENSSL_FIPS return FIPS_digestupdate(ctx, data, count); #else

[openssl-users] Can RSA_private_decrypt succeed with the wrong padding?

2015-04-24 Thread Perrow, Graeme
Using OpenSSL 1.0.1m on 64-bit Windows and Linux. I have implemented RSA encryption using the RSA_public_encrypt and RSA_private_decrypt functions and various padding types. This is working fine except that in very rare cases, my test fails because decrypting succeeds when it should fail. I'm

[openssl-users] How do I uninitialize OpenSSL properly?

2015-04-24 Thread Newcomer83
Hello everyone, I am using OpenSSL sockets and I have the problem I described in the following thread, i.e. a bunch of memory-leaks that happen most likely because I don't uninitialize OpenSSL properly. I believe this to be the cause, because the errors appeared exactly at the moment when I

Re: [openssl-users] Web Services Security: SOAP Message Security 1.0 (WS-Security 2004)” Signature Value

2015-04-24 Thread Viktor Dukhovni
On Fri, Apr 24, 2015 at 03:55:18PM +, Salz, Rich wrote: To generate the signature look at the pkeyutl app. (Sorry, don’t remember any other details) Typically, signatures are created with: openssl dgst -sha256 -sign key.pem ... See the dgst(1) manpage. -- Viktor.

Re: [openssl-users] Web Services Security: SOAP Message Security 1.0 (WS-Security 2004)” Signature Value

2015-04-24 Thread Salz, Rich
WS-Security? Blast from the past … ☺ To fill in the BinarySecurityToken field, take the PEM version of the cert, strip off the leading and trailing marker lines ---BEGIN… and output that. To generate the signature look at the pkeyutl app. (Sorry, don’t remember any other details) -- Senior

Re: [openssl-users] Can RSA_private_decrypt succeed with the wrong padding?

2015-04-24 Thread Viktor Dukhovni
On Sat, Apr 25, 2015 at 12:49:21AM +, Perrow, Graeme wrote: Using OpenSSL 1.0.1m on 64-bit Windows and Linux. I have implemented RSA encryption using the RSA_public_encrypt and RSA_private_decrypt functions and various padding types. This is working fine except that in very rare cases,

Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-24 Thread Dr. Stephen Henson
On Fri, Apr 24, 2015, jonetsu wrote: ... Along with TLS 1.0 (which is absent from OpenSSL FIPS mode) https://www.niap-ccevs.org/pp/pp.cfm?id=CPP_ND_V1.0 Specifically: FCS_TLSS_EXT.1.2 The TSF shall deny connections from clients requesting SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0

Re: [openssl-users] ECDSA digest configurations

2015-04-24 Thread Dr. Stephen Henson
On Fri, Apr 24, 2015, Rajeswari K wrote: Hello openssl-users, I have an issue with update of ECDSA digests in our environment. We have our own digest functions for init, update and final where we registered with these functions for NID_sha1, NID_sha256, NID_sha384 and NID_sha512. These

Re: [openssl-users] Performance problems with OpenSSL and threading

2015-04-24 Thread Bryan Call
We are using a single SSL_CTX across all the threads, so I will create multiple SSL_CTX per thread. I implemented dynlock callbacks yesterday, but I didn’t see them being used in the tests I did. I also added atomic counters to see what type of locks are having contention (see logs below):

Re: [openssl-users] Performance problems with OpenSSL and threading

2015-04-24 Thread John Foley
When you create the private key given to SSL_CTX, be sure to instantiate a private key for each thread as well. If you share the same key across all threads, this can introduce contention. Here are the type 1 2 locks: # define CRYPTO_LOCK_ERR 1 # define CRYPTO_LOCK_EX_DATA

Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-24 Thread jonetsu
Hello, In FIPS mode SSL 3.0 is not allowed: that has always been the case. % openssl version OpenSSL 1.0.1f 6 Jan 2014 % OPENSSL_FIPS=1 openssl ciphers -v | grep SSL ECDHE-RSA-AES256-SHA SSLv3 ECDHE-ECDSA-AES256-SHA SSLv3 DHE-RSA-AES256-SHA SSLv3 DHE-DSS-AES256-SHA SSLv3

Re: [openssl-users] Performance problems with OpenSSL and threading

2015-04-24 Thread Bryan Call
In my last email I ran the benchmark on Fedora 21 (big mistake). Here are the results when running it back on the 28/56 core RHEL 6.5 server showing contention in a different place (fips). Is there a reason it would be calling into the FIPS code to get a lock if FIPS is not enabled?

Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-24 Thread Dr. Stephen Henson
On Fri, Apr 24, 2015, jonetsu wrote: Hello, In FIPS mode SSL 3.0 is not allowed: that has always been the case. % openssl version OpenSSL 1.0.1f 6 Jan 2014 % OPENSSL_FIPS=1 openssl ciphers -v | grep SSL ECDHE-RSA-AES256-SHA SSLv3 ECDHE-ECDSA-AES256-SHA SSLv3