I am facing the same issue and getting the same error on FreeBSD 9.1, as below.
FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not
match:fips.c:232:
The only thing different is that I am using openssl-fips-2.0.5. Did anyone get a
solution for this problem?
--Girish
Do you still see an error if you specify one cipher? f.e. AES256-SHA?
On 2013-11-07 22:26, Dave Thompson wrote:
From: owner-openssl-users On Behalf Of Viktor Dukhovni
Sent: Thursday, November 07, 2013 11:02
On Thu, Nov 07, 2013 at 12:29:13PM +, Ben Arnold wrote:
> I am using SSL_CTX_set_
> From: owner-openssl-users On Behalf Of Viktor Dukhovni
> Sent: Thursday, November 07, 2013 11:02
> On Thu, Nov 07, 2013 at 12:29:13PM +, Ben Arnold wrote:
>
> > I am using SSL_CTX_set_client_cert_cb to provide the client
> > certificate when needed. I have a problem in that OpenSSL 1.0.1e
On Thu, Nov 07, 2013 at 03:51:38PM -0500, Dave Thompson wrote:
> To support the (four original) SHA-2 hashes as such, yes.
> But: if you want to sign (and I think verify?) SHA2 and DSA or ECDSA,
> you need the new signature/hash mechanism in 1.0.0, and if
> you want TLSv1.2 suites using HMAC-SHA
Yes, I need to sign and verify so 1.0.0 or 1.0.1 even better. Thanks so much
for the info.
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Dave Thompson
Sent: Thursday, November 07, 2013 3:52 PM
To: openssl-users@openssl.org
If you mean the RSA-PSS scheme that was added in PKCS#1 v2.1, that isn't
supported by rsautl.
Try pkeyutl with -pkeyopt rsa_padding_mode:pss .
Remember that the PKCS#1 v2.1 standard still includes the original (v1_5)
and OAEP schemes
which rsautl does support.
The man page and usage mess
To support the (four original) SHA-2 hashes as such, yes.
But: if you want to sign (and I think verify?) SHA2 and DSA or ECDSA,
you need the new signature/hash mechanism in 1.0.0, and if
you want TLSv1.2 suites using HMAC-SHA256/384 you need 1.0.1.
> -Original Message-
> From: owner-open
Hi,
We are trying to work with the openssl with the v2.1 and not the v1.5 from the
command line.
But it is not documented anywhere how to tell the openssl to work with one
version or the other.
For example we run the command:
openssl rsautl -sign in sha256.bin -out signature.bin -inkey my_key.p
Hi:
When I use SSL authentication in the LDAP client, if I set "TLSVerifyClient
demand" on the openldap server side, then I get the error below
(set TLSVerifyClient as never/allow/try, I can login, but will have
authentication failure in LDAP log)
LS trace: SSL3 alert write:fatal:handshake failure
Hi:
If I set "TLSVerifyClient demand" on the openldap server side, then I get the
error below
(set TLSVerifyClient as never/allow/try, I can login, but will have
authentication failure in LDAP log)
LS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read clie
On Thu, 7 Nov 2013, Dr. Stephen Henson wrote:
On Thu, Nov 07, 2013, Dimitrios Apostolou wrote:
how can I read the details of a public key written by
PEM_write_RSAPublicKey()? I have tried all the "openssl pkey" and
"openssl rsa" combinations without much success, unfortunately.
If possible
On Thu, Nov 07, 2013 at 12:29:13PM +, Ben Arnold wrote:
> I am using SSL_CTX_set_client_cert_cb to provide the client
> certificate when needed. I have a problem in that OpenSSL 1.0.1e
> does not trigger this callback for all websites that I expect it
> to, only some. Instead on the failing
Hello,
I'm having quite a weird problem with openssl (head version). I'm doing the
following test:
Step 1:
./openssl s_client -connect some.server.org:443 -cipher "DEFAULT"
I'm getting the following error:
CONNECTED(0003)
140453250619072:error:140790E5:SSL routines:ssl23_write:ssl handshake
failure:s2
On Thu, Nov 07, 2013, Dimitrios Apostolou wrote:
>
> how can I read the details of a public key written by
> PEM_write_RSAPublicKey()? I have tried all the "openssl pkey" and
> "openssl rsa" combinations without much success, unfortunately.
>
If possible you should use PEM_write_RSA_PUBKEY inst
Hello list,
how can I read the details of a public key written by
PEM_write_RSAPublicKey()? I have tried all the "openssl pkey" and "openssl
rsa" combinations without much success, unfortunately.
Thanks in advance,
Dimitris
Steve Marquess wrote on 11/07/2013
09:02:05 AM:
> > Is there a basis for asserting FIPS 140 validation with
> > openssl-0.9.8e-26.el5_9.1|(none), or must the original RPM be used?
>
> You'll need to ask Red Hat; it's their proprietary validation. From a
> quick glance it appears to be a knock-of
On Wed, Nov 06, 2013, Karthik Krishnamurthy wrote:
> I have an application built across various Unix flavors that uses
> OpenSSL for SSL/TLS communication. I wanted to enable FIPS mode for my
> application. But, it seems like not all OpenSSL versions provide the
> FIPS_mode_set wrapper function.
>
I have an application built across various Unix flavors that uses
OpenSSL for SSL/TLS communication. I wanted to enable FIPS mode for my
application. But, it seems like not all OpenSSL versions provide the
FIPS_mode_set wrapper function.
Basically, I want to be able to seamlessly call FIPS_mode_se
On 11/07/2013 08:39 AM, Robert W Weaver wrote:
> Greetings,
>
> Apologies if this has been covered before, but I couldn't find it in a
> search.
>
> I'm trying to deploy FIPS 140 validated crypto to a RHEL 5 box as part
> of a FISMA covered project.
>
> I think the relevant policy is
> htt
On Wed, Nov 06, 2013, sarav.sars wrote:
> Is it necessary to load aesni-intel module like 'modprobe aesni-intel' ?
> Loading this module makes no difference in openssl speed output.
>
> openssl speed -elapsed -evp aes-128-cbc
>
> before loading aesni-intel module
>
> type 16 byt
Greetings,
Apologies if this has been covered before, but I couldn't find it in a
search.
I'm trying to deploy FIPS 140 validated crypto to a RHEL 5 box as part of
a FISMA covered project.
I think the relevant policy is
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1320
Did a truss on the command and see some srandom error.
kioctl(5, 22528, 0x, 0x) Err#25 ENOTTY
kioctl(5, 22528, 0x, 0x) Err#25 ENOTTY
statx("/dev/srandom", 0x0FFDC3F0, 176, 0) Err#2 ENOENT
This srandom device is currently not
openssl >= 0.9.8
On 06.11.2013 17:08, Patetta, Nicholas wrote:
> Anyone know which version of OPENSSL is needed to support SHA256? Thanks.
>
>
>
> -Original Message-
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Raullen Chai
> Sent: Tuesd
Hello,
there are two sets of DH parameters, is there a difference?
./crypto/dh/dh2048.pem
./crypto/dh/dh512.pem
./crypto/dh/dh192.pem
./crypto/dh/dh4096.pem
./crypto/dh/dh1024.pem
./apps/dh2048.pem
./apps/dh512.pem
./apps/dh4096.pem
./apps/dh1024.pem
In DH parameters in ./apps there reference to
Hello,
there are two sets of DH parameters, that is the difference?
./crypto/dh/dh2048.pem
./crypto/dh/dh512.pem
./crypto/dh/dh192.pem
./crypto/dh/dh4096.pem
./crypto/dh/dh1024.pem
./apps/dh2048.pem
./apps/dh512.pem
./apps/dh4096.pem
./apps/dh1024.pem
In DH parameters in ./apps there reference to
From
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/ch03s02s03.html
check with root running "openssl engine -c -tt"
Carl
From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] on
beha
The Linux kernel module isn't necessary for OpenSSL.
--
Erwann ABALEA
Le 07/11/2013 06:48, sarav.sars a écrit :
Is it necessary to load aesni-intel module like 'modprobe aesni-intel' ?
Loading this module makes no difference in openssl speed output.
Is it necessary to load aesni-intel module like 'modprobe aesni-intel' ?
Loading this module makes no difference in openssl speed output.
openssl speed -elapsed -evp aes-128-cbc
before loading aesni-intel module
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
a