FIPs algorithm code vs default implementation

2021-03-28 Thread Bala Duvvuri via openssl-users
Hi All,

This is a basic question regarding FIPs algorithm code in OpenSSL 3.0, can you 
kindly let me know:

1> Can you please help to understand the differences in the FIPs algorithm 
implementation code vs default? 

 Are there additional validations performed in FIPs code? 

 Can you point to any API (FIPs and non FIPs version) to make this clear?

2> In normal code, EVP_DigestFinal_ex->HASH_FINAL 

  Which API is equivalent to HASH_FINAL in FIPs code? How can we navigate 
to the FIPs code path?

3> When does "FIPS_MODULE" get defined?

Thanks
Bala


Re: Version compatibility issues - Re: openssl development work / paid - SSL now FIXED

2021-03-28 Thread Yassine Chaouche



On 3/26/21 at 12:35 PM, Embedded Devel wrote:

> This has now been fixed SSL is working


In a few hours ?



Re: How to establish a connection with self signed certificate

2021-03-28 Thread Dmitry Belyavsky
Hello,

As you control both the server keypair and client, I'd suggest you use
the openssl s_server/s_client application to debug the connection.

On Sun, Mar 28, 2021 at 9:41 AM preethi teekaraman wrote:

> Hi
>
> I'm using the latest openssl version (1.1.1i 8 Dec 2020) to create a
> self-signed certificate with the sha256 algorithm.
>
> I tried loading the certs in the device and on the server side. The client
> sends a "hello packet" to the server and the server refused to connect with
> an error "alert internal error". The handshake is failing between the server
> (nginx load balancer) and the client with the latest openssl certificate.
>
> Any idea to resolve this?
>


-- 
SY, Dmitry Belyavsky


Re: FIPs algorithm code vs default implementation

2021-03-28 Thread Dr Paul Dale

> 1> Can you please help to understand the differences in the FIPs algorithm 
> implementation code vs default?
>
>   Are there additional validations performed in FIPs code?

There are some additional validations, there are other differences. Grep 
the source code for FIPS_MODULE to find all the code differences.  There 
are other differences.  The FIPS provider offers a cut down selection of 
algorithms, look at providers/fips/fipsprov.c for these.  The FIPS 
provider also has to run power up self tests, these are in the 
providers/fips directory.




>   Can you point to any API (FIPs and non FIPs version) to make this clear?

One example is for AES XTS mode where the two keys are confirmed to be 
different:
Lines 54 - 63 of providers/implementations/ciphers/cipher_aes_xts.c.  
There are plenty of others, grep for FIPS_MODULE.





> 2> In normal code, EVP_DigestFinal_ex->HASH_FINAL
>
>    Which API is equivalent to HASH_FINAL in FIPs code? How can we navigate 
> to the FIPs code path?

EVP_DigestFinal_ex is the equivalent.  The decision to use FIPS or not 
is made when fetching the algorithm not when using it.  In use FIPS and 
non-FIPS algorithms are accessed identically.


I'd suggest having a look at the 3.0 design document: 
https://www.openssl.org/docs/OpenSSL300Design.html and the 3.0 wiki 
page: https://wiki.openssl.org/index.php/OpenSSL_3.0.



> 3> When does "FIPS_MODULE" get defined?

When OpenSSL is being built and a FIPS relevant file is being compiled.  
This symbol is never defined for you when you build your application.



Pauli
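
An added illustration of the AES-XTS check mentioned in the reply above, where the two keys are confirmed to be different. This is not code from OpenSSL or from the thread. The helper name xts_key_acceptable, its strict parameter and the DEMO_FIPS_MODULE macro are assumptions made for this example; the sample keys are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for a build-time switch: DEMO_FIPS_MODULE is a made-up macro that
 * only the library's build would pass (-DDEMO_FIPS_MODULE), never the app's. */
#ifdef DEMO_FIPS_MODULE
# define DEMO_STRICT_DEFAULT 1
#else
# define DEMO_STRICT_DEFAULT 0
#endif

/* Constant-time compare: 0 when equal, so timing does not reveal where
 * two secret buffers first differ. */
static int ct_memcmp(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff;
}

/* Hypothetical helper, not an OpenSSL function.
 * key is the combined XTS key: first half encrypts data, second half
 * encrypts the tweak. keylen is 32 (AES-128-XTS) or 64 (AES-256-XTS).
 * Returns 1 if the key may be used, 0 if it must be rejected. */
int xts_key_acceptable(const unsigned char *key, size_t keylen, int strict)
{
    if (key == NULL || (keylen != 32 && keylen != 64))
        return 0;                       /* malformed key, always rejected */
    size_t half = keylen / 2;
    if (strict && ct_memcmp(key, key + half, half) == 0)
        return 0;                       /* both halves identical */
    return 1;
}

int main(void)
{
    unsigned char same[32], ok[32];     /* constructed sample keys */
    for (size_t i = 0; i < 32; i++) {
        same[i] = (unsigned char)(i % 16);  /* second half repeats first */
        ok[i]   = (unsigned char)i;         /* halves differ */
    }
    printf("strict default for this build: %d\n", DEMO_STRICT_DEFAULT);
    printf("distinct halves, strict: %d\n", xts_key_acceptable(ok, 32, 1));
    printf("repeated halves, strict: %d\n", xts_key_acceptable(same, 32, 1));
    printf("repeated halves, lax:    %d\n", xts_key_acceptable(same, 32, 0));
    return 0;
}
```

Which checks OpenSSL's own builds apply is in the file cited in the reply; the strict flag here only models a check that one build enables and another does not.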



openssl speed ecdh

2021-03-28 Thread Jesús Molina Roldán
I would like to know if there is a way to calculate the time spent generating 
a key pair and computing the shared secret for the ecdh algorithm.

"openssl speed ecdh" only calculates the number of operations in 10s.

Jesus Molina



How to establish a connection with self signed certificate

2021-03-28 Thread preethi teekaraman
Hi

I'm using the latest openssl version (1.1.1i 8 Dec 2020) to create a
self-signed certificate with the sha256 algorithm.

I tried loading the certs in the device and on the server side. The client
sends a "hello packet" to the server and the server refused to connect with
an error "alert internal error". The handshake is failing between the server
(nginx load balancer) and the client with the latest openssl certificate.

Any idea to resolve this?


Openssl - G and P params value increase in DHE cipher

2021-03-28 Thread preethi teekaraman
Hi Openssl,

I'm using the latest version of openssl to create a self-signed
certificate.

My request is like, we need to observe G and P Param to 256 as value but we
could see only 2 as value while a handshake happens between server &
client.

Is there any option or command based solution to increase the G and P
parameters?


Regards,
Preethi Teekaraman