On Tue, Nov 13, 2012 at 4:26 PM, mclellan, dave wrote:
> We are starting our FIPS implementation soon (FIPS OM 2.0 and OpenSSL 1.0.1)
> and I’d like to test out this set of assumptions (or maybe they are
> ‘assertions’)
>
> - In the context of OpenSSL, FIPS compliance is all about algorit
On Thu, Nov 15, 2012 at 6:03 AM, Pravesh Rai wrote:
> Hi,
>
> At one place, we are using following logic for generating self-signed
> certificate:
>
> #define SEED_SIZE 128
>
> k = RAND_status();
> while(k == 0)
> {
> // custom logic for getting random numbers from system variables
> ...
>
> Crypt
> WORKING EXAMPLES would be REAL cool.
You kind of have it with the source code to openssl.exe.
Crypto++ had the same way back when (its a C++ crypto library, and its
not nearly as popular as OpenSSL). Users did not check cryptest.exe
for API usage (cryptest.exe is the equivalent of openssl.exe).
On Thu, Nov 15, 2012 at 10:41 AM, Jeffrey Walton wrote:
> On Thu, Nov 15, 2012 at 6:03 AM, Pravesh Rai wrote:
>>
>> CryptGenRandom(hCryptProv, SEED_SIZE, buf); // On Windows OS
>> apr_generate_random_bytes(buf, SEED_SIZE); // On Linux OS
>>
Speaking of poor d
On Fri, Nov 16, 2012 at 9:17 AM, Graham Leggett wrote:
> On 16 Nov 2012, at 4:36 AM, Jeffrey Walton wrote:
>
>> On Thu, Nov 15, 2012 at 10:41 AM, Jeffrey Walton wrote:
>>> On Thu, Nov 15, 2012 at 6:03 AM, Pravesh Rai wrote:
>>>>
>>>> CryptGen
Hi Jacob,
On Fri, Nov 16, 2012 at 1:22 PM, Jakob Bohm wrote:
> On 11/16/2012 3:36 AM, Jeffrey Walton wrote:
>>
>> ...
>>
>> Headless servers, entropy starvation, and rollbacks are a concern in
>> modern environments. OpenSSL and other entropy gathers, such as ED
On Sat, Nov 17, 2012 at 10:56 PM, wrote:
> On 16-11-2012 19:57, Jeffrey Walton wrote:
>>
>> Hi Jacob,
>> On Fri, Nov 16, 2012 at 1:22 PM, Jakob Bohm wrote:
>>>
>>> On 11/16/2012 3:36 AM, Jeffrey Walton wrote:
>>>>
>>>> ...
>>
On Sun, Nov 18, 2012 at 11:19 PM, Thomas J. Hruska
wrote:
> On 11/13/2012 11:34 AM, Sanford Staab wrote:
>>
>> I have been struggling with openssl for a few months now writing batch
>> scripts on windows trying to make a .net web client with a client
>> certificate work with 2-way ssl against an a
On Mon, Nov 19, 2012 at 10:53 AM, Deeztek.com Support
wrote:
> I fixed the command and it created the end user .pfx file. It imported
> successfully into windows but I get this message when I looked at the
> certification chain for the intermediate ca:
>
> This certification authority is not allow
On Tue, Nov 20, 2012 at 11:56 AM, wrote:
> it would be swell if I could get my email address removed from the list
> without removing my subscription too. This way I could just use my
> newsreader to get the messages without having my email box cluttered every
> day with this high-volume list.
On Tue, Nov 20, 2012 at 6:16 PM, Santhosh Kokala
wrote:
> Hi,
> I am trying to build an application with the FIPS Object module. I followed
> the build instructions mentioned in FIPS User Guide 2.0.
>
> FIPS Object Module:
>
> ./config
> Make
> make install
>
> Open SSL:
>
> ./config fips
> make d
On Mon, Nov 26, 2012 at 5:59 PM, Bill Durant wrote:
> Hello:
>
> Is PKCS5_PBKDF2_HMAC() thread safe?
See the "Is OpenSSL thread-safe?" under the PROG section:
http://www.openssl.org/support/faq.html.
Jeff
__
OpenSSL Project
> I need to know, first, what "Secure Renegotiation" is, and then, if it is a
> legitimate way to configure a secure server, why it is used.
Secure Renegotiation is a variant of the original negotiation supplied
in SSL way back when. There were two separate issues in renegotiation.
First was an aut
On Thu, Nov 29, 2012 at 9:57 AM, Staneva, Yana wrote:
> Help please.
>
> I have a Win32 application (service) that loads several dlls that make
> OpenSSL calls. Also there is a separate dll that takes care of the OpenSSL
> initialization (thread setup, SSL_library_init(), SSL_CTX_new() ).
>
> I’ve
you are practicing the
same sloppy programming techniques. I don't discriminate.
Jeff
> On Fri, Nov 30, 2012 at 9:03 AM, Jeffrey Walton wrote:
>>
>> On Thu, Nov 29, 2012 at 9:57 AM, Staneva, Yana
>> wrote:
>> > #define MUTEX_TYPEHANDLE
>> &g
On Fri, Nov 30, 2012 at 1:42 PM, Jeffrey Walton wrote:
> On Fri, Nov 30, 2012 at 12:24 PM, NuSkooler wrote:
>> I think responses like this would be much more helpful without the FUD.
> I have no fear since I don't suffer uncertainty. The macros are broken.
>
>>
On Fri, Dec 7, 2012 at 5:05 AM, LN wrote:
>
> ...
>
>> MS CAPI has an option to mark a private key as "exportable" when you
>> create or install it, which means that the private key can then be read
>> anyway, but I don't know if that feature is used by the OpenSSL "CAPI
>> Engine". It is almost
Hi All,
On page 133 of the User Guide 2.0 for the OpenSSL FIPS Object Module
v2.0, the document (book?) talks about symbol renaming. The discussion
occurs in "Appendix I, API Entry Points by Source File," and the text
is below.
Why does symbol renaming occur?
Jeff
Symbol renaming: Some symbol n
On Tue, Dec 11, 2012 at 5:51 AM, Jakob Bohm wrote:
> On 12/10/2012 9:38 PM, Markus Wernig wrote:
>
> Some experts believe that setting the IV to
> Encrypt(key=key,IV=0,data=filenumber) is safe, others disagree, but the
> mathematical arguments on both sides of the debate seems to make a lot
> of d
On Tue, Dec 11, 2012 at 6:27 PM, redpath wrote:
> When using this command
>
> openssl genrsa -out test.pem 2048
>
> an RSA pair is created. Its not so much I want to know how a pair is
> randomly selected
> but how secure is that random selection.
It depends. In theory, the way entropy is gathere
On Wed, Dec 12, 2012 at 12:39 PM, Salz, Rich wrote:
> Until someone breaks the website, spoofs it, buys out the owner, etc.
>
> Q2.4: Are the numbers available in a secure fashion?
>
> Yes, since April 2007 you can access the server via https://www.random.org/
>
> I should probably note that while
On Thu, Dec 13, 2012 at 12:34 AM, jeetendra gangele
wrote:
> Hi i tried to load private key into 224 curve for ecdsa and I am
> getting below error.
>
> EC_KEY_check_key failed:
> error:100B1043:lib(16):func(177):reason(67).
>
> Bleow is my fun to load key.
>
> Can anybody guide me?
$ openssl errs
On Thu, Dec 13, 2012 at 4:04 AM, jeetendra gangele wrote:
> HI,
>
> I am trying to sign the data using EC-DSA algorithm.
> i have the private key to sign the data and I could load using
> EC_KEY_set_private_key.
> But when check the loaded key its failing with the error code below.
> error:100B104
On Thu, Dec 13, 2012 at 7:21 PM, Dave Thompson wrote:
>> From: owner-openssl-us...@openssl.org On Behalf Of Jeffrey Walton
>> Sent: Thursday, 13 December, 2012 16:31
>
>> On Thu, Dec 13, 2012 at 12:34 AM, jeetendra gangele
>> wrote:
>
>>...
>>
>
On Sat, Dec 15, 2012 at 12:21 PM, Markus Wernig wrote:
> ...
>
> After encrypting multiple files with blowfish-cbc and distinct IV for
> each file, do I need to keep the IVs secret?
It depends on your security posture. IVs are considered public
parameters, so there is usually no need to keep them
On Mon, Dec 17, 2012 at 11:16 PM, jeetendra gangele
wrote:
> Hi,
> Do we have support for 448 bit hash value generation in openssl.?
> I looked into the header file and I did not find functiobn related to that.
>
> Actually I need to compute shared key for ecdh and that should be 56 Bytes
> long.
cause its anonymous or non-authenticated. NIST
Special Publication 800-56A, Recommendation for Pair-Wise Key
Establishment Schemes Using Discrete Logarithm Cryptography, might
help guide you.
Jeff
> On 18 December 2012 09:57, Jeffrey Walton wrote:
>> On Mon, Dec 17, 2012 at 11:16 PM, jeetendra
On Tue, Dec 18, 2012 at 3:24 AM, Matt Caswell (fr...@baggins.org)
wrote:
>
>
> On 18 December 2012 05:30, jeetendra gangele wrote:
>>
>> Ok,
>>
>> can you expain me how ec_compute_key work and specially this last
>> argument.
>> Why its need hash value to calculate the secret key.
>> I need to ge
On Tue, Dec 18, 2012 at 11:15 PM, Bill Durant wrote:
> Is it not possible to build a FIPS-capable OpenSSL with assembly language
> optimization enabled in the fipscanister that works under non-SSE2 capable
> processors?
>
> On SUSE Linux Enterprise Server 10, I have built the fipscanister with
On Mon, Dec 24, 2012 at 12:35 AM, Tayade, Nilesh
wrote:
>> -Original Message-
>> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
>> us...@openssl.org] On Behalf Of Jakob Bohm
>> Sent: Friday, December 21, 2012 8:23 PM
>> To: openssl-users@openssl.org
>> Subject: Re: RSA_privat
On Mon, Dec 24, 2012 at 1:54 AM, Tayade, Nilesh
wrote:
>> -Original Message-
>> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
>> us...@openssl.org] On Behalf Of Jeffrey Walton
>> Sent: Monday, December 24, 2012 11:25 AM
>> To: openssl-us
On Mon, Dec 24, 2012 at 9:11 PM, Jeffrey Walton wrote:
> Hi Steve,
>
> What is the expectation of OPENSSLDIR when building the FIPS Object
> Module and FIPS Capable OpenSSL?
>
> Users are usually allowed to modify the environment (within reason).
> Do users expect that OPENS
Hi All,
I'm having problem building on Mac OS X (2012 MBP, OS X 10.8, Xcode
4.5). The target is iOS, but this appears to be a host problem.
Apple lacks DTLS, STCP, and friends, so I needed to ./config with
-no-dtls. That required a `make depend` cycle.
`makedepend` is missing, so that resulted i
On Tue, Dec 25, 2012 at 8:35 AM, Jeffrey Walton wrote:
> Hi All,
>
> I'm having problem building on Mac OS X (2012 MBP, OS X 10.8, Xcode
> 4.5). The target is iOS, but this appears to be a host problem.
>
> Apple lacks DTLS, STCP, and friends, so I needed to ./confi
Hi Steve,
What is the expectation of OPENSSLDIR when building the FIPS Object
Module and FIPS Capable OpenSSL?
Users are usually allowed to modify the environment (within reason).
Do users expect that OPENSSLDIR will be honored and 'properly' wired
into --openssldir when configuring the FIPS gear
On Mon, Dec 24, 2012 at 9:12 PM, Jeffrey Walton wrote:
> On Mon, Dec 24, 2012 at 9:11 PM, Jeffrey Walton wrote:
>> Hi Steve,
>>
>> What is the expectation of OPENSSLDIR when building the FIPS Object
>> Module and FIPS Capable OpenSSL?
>>
>> Users are us
Hi All,
Is it sufficient to use -no-zlib to turn off SSL/TLS compression? Or
is compression available through other libraries?
Jeff
__
OpenSSL Project http://www.openssl.org
User Support Mailing Li
On Wed, Dec 26, 2012 at 9:57 AM, Ben Laurie wrote:
> On Tue, Dec 25, 2012 at 1:35 PM, Jeffrey Walton wrote:
>> I fetched `makedepend` from FreeDesktop.org
>> (http://xorg.freedesktop.org/releases/individual/util/). It would not
>> build due to missing dependencies. Ad
Hi All,
I'm trying to split hairs on the meanings of -no-shared and -no-dso.
I believe -no-shared means the output of the build process does not
include a shared object (*.so, *.dylib, etc). Other build process
artifacts, such as static libraries (*.a) will still be produced.
I believe -no-dso m
the location of the previous definition
In file included from ssl_locl.h:165,
from s2_lib.c:112:
../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined
: error: this is the location of the previous definition
...
[30 or 50 or so duplicate errors removed]
...
ist, it cannot be executed.
Jeff
> On Fri, Dec 28, 2012 at 3:14 PM, Jeffrey Walton wrote:
>>
>> On Fri, Dec 28, 2012 at 7:48 AM, Michael Mueller
>> wrote:
>> > i compiled openssl with no-zlib
>> >
>> > ldd client
>> > linux-vd
On Fri, Dec 28, 2012 at 3:14 PM, Jeffrey Walton wrote:
> On Fri, Dec 28, 2012 at 7:48 AM, Michael Mueller wrote:
>> i compiled openssl with no-zlib
>>
>> ldd client
>> linux-vdso.so.1 => (0x7fff059ff000)
>> libssl.so.1.0.0 => /li
On Fri, Dec 28, 2012 at 3:37 PM, Hemayamini Kurra
wrote:
> Hello!!
>
> I am implementing DH algorithm using OpenSSL library.
> My scenario is -
> using DH key exchange algorithm for key generation and exchange between
> client and server. Using DSA for two way authentication.
> server:
Could be tr
ved properly by the peer!!
Use BSON to package the data. It sounds like its a presentation layer problem.
Jeff
> On Fri, Dec 28, 2012 at 2:28 PM, Jeffrey Walton wrote:
>>
>> On Fri, Dec 28, 2012 at 3:37 PM, Hemayamini Kurra
>> wrote:
>> > Hello!!
>> >
>
On Fri, Dec 28, 2012 at 6:32 PM, Dr. Stephen Henson wrote:
> On Fri, Dec 28, 2012, Jeffrey Walton wrote:
>
>> On Fri, Dec 28, 2012 at 3:23 PM, Michael Mueller wrote:
>> > i was going to do this:
>> >
>> > SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_
Hi All,
I'm trying to work through a couple of issues on Mac OS X. The steps
are below, all performed in openssl-1.0.1c/ directory.
The problem with ERR_load_COMP_strings has showed up on at *least* two
Apple platforms now. I've also had to fix MAKEDEPEND on two Apple
platforms.
Looking through
On Sun, Dec 30, 2012 at 8:23 AM, Jeffrey Walton wrote:
> Hi All,
>
> I'm trying to work through a couple of issues on Mac OS X. The steps
> are below, all performed in openssl-1.0.1c/ directory.
>
> The problem with ERR_load_COMP_strings has showed up on at *least* two
>
On Sun, Dec 30, 2012 at 11:06 AM, Dr. Stephen Henson wrote:
> On Sat, Dec 29, 2012, Dr. Stephen Henson wrote:
>
>> On Fri, Dec 28, 2012, Jeffrey Walton wrote:
>>
>> > On Fri, Dec 28, 2012 at 3:23 PM, Michael Mueller
>> > wrote:
>> > > i was goi
Hi All,
While working on Apple with Mac OS X and iOS, I found I needed to
patch OpenSSL 1.0.1c's Makefile.
Makefile.org has the following line, and it was copied directly into
Makefile by Configure:
MAKEDEPPROG=makedepend
When the Configure target is iphoneos (cross), iphonesimulator
(cross
On Sun, Dec 30, 2012 at 3:20 PM, wrote:
> On 30-12-2012 21:01, Jeffrey Walton wrote:
>>
>> Hi All,
>>
>> While working on Apple with Mac OS X and iOS, I found I needed to
>> patch OpenSSL 1.0.1c's Makefile.
>>
>> Makefile.org has the following li
On Sun, Dec 30, 2012 at 3:20 PM, wrote:
> On 30-12-2012 21:01, Jeffrey Walton wrote:
>>
>> Hi All,
>>
>> While working on Apple with Mac OS X and iOS, I found I needed to
>> patch OpenSSL 1.0.1c's Makefile.
>>
>> Makefile.org has the following li
On Mon, Dec 31, 2012 at 8:39 AM, Jakob Bohm wrote:
> On 12/31/2012 12:39 PM, Jeffrey Walton wrote:
>>
>> On Sun, Dec 30, 2012 at 3:20 PM, wrote:
>>>
>>> On 30-12-2012 21:01, Jeffrey Walton wrote:
>>>>
>>>>...
>>
>> Configure s
On Mon, Dec 31, 2012 at 1:58 PM, Walter H. wrote:
> Hello,
>
> why does the following makefile not succeed?
>
> ...
> I have isolated the problem:
>
> openssl crl -noout -text -in $< >$@
> exits with exit code 1 instead of 0, why?
>
> openssl crl -noout -text -in $< -out $@
> does the same ..., ex
Hi All,
Is it possible to configure a build that does not include documentations?
I'm working on Mac OSX, and I have three targets under /usr/local/ssl/
(iphoneos, iphonesimulator, and macosx). There's no reason to install
the documentation over top itself multiple times.
Jeff
__
On Mon, Dec 31, 2012 at 7:00 AM, Ben Laurie wrote:
> On Mon, Dec 31, 2012 at 11:39 AM, Jeffrey Walton wrote:
>> On Sun, Dec 30, 2012 at 3:20 PM, wrote:
>>> On 30-12-2012 21:01, Jeffrey Walton wrote:
>>>>
>>>>
>>
>> Configure s
On Wed, Jan 2, 2013 at 5:07 AM, Jakob Bohm wrote:
> On 1/2/2013 9:34 AM, Jeffrey Walton wrote:
>>
>> On Mon, Dec 31, 2012 at 7:00 AM, Ben Laurie wrote:
>>>
>>> On Mon, Dec 31, 2012 at 11:39 AM, Jeffrey Walton
>>> wrote:
>>>>
>>>&
On Fri, Jan 4, 2013 at 10:56 AM, Steve Marquess
wrote:
> On 01/04/2013 03:45 AM, Jeffrey Walton wrote:
>> Hi All,
>>
>> I'm wondering how the single pass linker affects symbol resolution. If
>> I specify:
>>
>> fipscanister.o libcrpyto.a
>>
On Fri, Jan 4, 2013 at 11:21 AM, Jeffrey Walton wrote:
> On Fri, Jan 4, 2013 at 10:56 AM, Steve Marquess
> wrote:
>> On 01/04/2013 03:45 AM, Jeffrey Walton wrote:
>>>
>>>
>>>
>> Either the libcrypto.a is from a "FIPS
>> capable"
On Tue, Jan 8, 2013 at 11:13 AM, Florian Weimer wrote:
> On 01/08/2013 04:34 PM, Serhiy Ivanov wrote:
>>
>> Is there way to get some 3rd party documentation about advanced
>> configuration of ssl.
>> I need to
>> 1) Get rid from linkage
>> b75d6000-b75e6000 r-xp 08:03 54611
>> /lib/i386-l
On Tue, Jan 8, 2013 at 1:14 PM, Carson Gaspar wrote:
> On 1/8/13 9:52 AM, Jeffrey Walton wrote:
>>
>> That seems like a really odd requirement. Is there any reading on the
>> topic?
>
> man nsswitch.conf
>
>> Generally, I prefer static linking in high integrit
On Wed, Jan 9, 2013 at 7:02 AM, Serhiy Ivanov
wrote:
> Tried to turn off one cipher via:
> #!/bin/bash
> make clean && ./config -no-CAMELLIA-128-CBC && make depend && make
Try make dclean
Jeff
__
OpenSSL Project
On Wed, Jan 9, 2013 at 10:42 AM, Jakob Bohm wrote:
> On 1/8/2013 7:59 PM, Jeffrey Walton wrote:
>>
>> On Tue, Jan 8, 2013 at 1:14 PM, Carson Gaspar wrote:
>>>
>>> On 1/8/13 9:52 AM, Jeffrey Walton wrote:
>>>>
>>>> ...
>>
>&
On Thu, Jan 10, 2013 at 3:07 AM, Nayna Jain wrote:
>
> Hi,
>
> I want to use FIPS compliant algorithms and keys. For that I understand, I
> need to have Openssl FIPS object library along with default openssl.
>
> However, I am not understanding how to install them. My questions are :
>
> 1. Both a
On Thu, Jan 10, 2013 at 6:13 AM, Tayade, Nilesh
wrote:
>> -Original Message-
>> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
>> us...@openssl.org] On Behalf Of Jakob Bohm
>> Sent: Friday, December 21, 2012 8:23 PM
>> To: openssl-users@openssl.org
>> Subject: Re: RSA_private
On Thu, Jan 10, 2013 at 9:01 AM, Tayade, Nilesh
wrote:
>> -Original Message-
>> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
>> us...@openssl.org] On Behalf Of Jakob Bohm
>> Sent: Thursday, January 10, 2013 6:56 PM
>> To: openssl-users@openssl.org
>> Subject: Re: RSA_privat
)
283-bit Elliptic Curves (Binary Fields)
AES-128
SHA-256
So, you have to plug in the required parameters.
Jeff
> From: Jeffrey Walton
> To: openssl-users@openssl.org
> Date: 01/10/2013 04:01 PM
> Subject:Re: How to link openssl FIPS 140-2 object module with op
On Thu, Jan 10, 2013 at 5:50 PM, Ribhi Kamal wrote:
> Never mind, the application (virtualbox) was incorrectly trying to use the
> 32bit version of openssl. But I still don't understand why a 32bit version
> has different symbols that the 64bit one.
The message is probably similar to "Symbol not f
U _FIPS_set_locking_callbacks
U _FIPS_set_malloc_callbacks
U _RAND_init_fips
...
Jeff
> On Thu, Jan 10, 2013 at 6:09 PM, Jeffrey Walton wrote:
>>
>> On Thu, Jan 10, 2013 at 5:50 PM, Ribhi Kamal wrote:
>> > Never mind, the application (virtualbo
On Fri, Jan 11, 2013 at 7:45 AM, Ribhi Kamal wrote:
> I guess the next time I see a linker complain about _ I'll know what's
> wrong :)
Absolutely. I've done the same many times, and that's why I knew :)
> On Fri, Jan 11, 2013 at 6:07 AM, Michel wrote:
>>
>>
>> Found interresting related article
On Mon, Jan 14, 2013 at 5:52 AM, Rahul Godbole wrote:
>
> 1) I am trying to build OpenSSL for FIPS. When I link to the below
> functions from an external program linking to libcrypto.a, I get a linking
> error for them. When I grepped for the below functions in libcrypto.a and
> aes_core.o ( aes_
On Mon, Jan 14, 2013 at 7:24 AM, Rahul Godbole wrote:
> Thanks Jeff. Please see inline.
>
Did you build the FIPS Object Module first?
$ rm -rf openssl-fips-2.0.1/
$ tar xzf openssl-fips-2.0.1.tar.gz
$ cd openssl-fips-2.0.1/
$ ./config
$ make
$ sudo make install
After you build the FI
Hi Dr. Henson,
On Mon, Jan 14, 2013 at 10:04 AM, Dr. Stephen Henson wrote:
> On Mon, Jan 14, 2013, Rahul Godbole wrote:
>
>> Hi
>>
>> Can someone please help me on the following 2 issues? I am using FIPS 2.0
>>
>> 1) I am trying to build OpenSSL for FIPS. When I link to the below
>> functions fr
On Wed, Jan 16, 2013 at 9:02 AM, Bruce Cran wrote:
> On http://www.openssl.org/support/community.html the mailing list
> subscription feature is broken - clicking "Send to Majordomo" just displays
> the majordomo.cgi script.
It also looks like its injectable:
$query_string = $ENV{'QUERY_STRING'
On 1/17/13, Memmott, Lester wrote:
> I've gone through the FIPS User Guide and have built OpenSSL 1.0.1c with the
> FIPS module 2.0.2. From a practical perspective I'm trying to sort out in
> my mind the following:
Be careful - its a bit dated and some information is not correct. I
understand its
On Thu, Jan 17, 2013 at 4:21 PM, MauMau wrote:
> Hello,
>
> I'm using OpenSSL 1.0.1c on Linux and Windows to implement encryption
> feature of my software. I need to compare performance of cases where AES-NI
> is enabled and where it is disabled on the same computer. If possible, I
> want to avo
On Thu, Jan 17, 2013 at 9:17 PM, ask wrote:
> How can I print out result string from return code of
> SSL_get_verify_result?
> For example, for my test, I got 18,
> ERR_error_string( return_code) does not yield any thing?
http://www.openssl.org/docs/ssl/SSL_get_verify_result.html
_
On Fri, Jan 18, 2013 at 10:21 AM, Memmott, Lester
wrote:
> I'm in the process of incorporating FIPS enabled OpenSSL into an application
> when I realized that by default the FIPS module is built by dynamically
> linking the C runtime, not statically linking. In my case, for Windows using
> Mic
On Fri, Jan 18, 2013 at 11:01 AM, Memmott, Lester
wrote:
>>All modern Versions of Microsoft's C Runtime are thread safe. That occurred
>>around Visual Studio 6.0 (circa 2000 or so).
> >From http://msdn.microsoft.com/en-us/library/abx4dbyh.aspx: "The
> >single-threaded CRT (libc.lib, libcd.lib) (
On Fri, Jan 18, 2013 at 5:53 PM, Hazrat Shah wrote:
>
> I am having problem with server certificate verification the
> SSL_get_verify_result() returns
>
> Error code 20.
>From http://www.openssl.org/docs/apps/verify.html, that is
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.
> I add a (xx.cert) f
On Sat, Jan 19, 2013 at 9:17 AM, Ben Laurie wrote:
> On 26 December 2012 20:07, Jeffrey Walton wrote:
>> On Wed, Dec 26, 2012 at 9:57 AM, Ben Laurie wrote:
>>> On Tue, Dec 25, 2012 at 1:35 PM, Jeffrey Walton wrote:
>>>> I fetched `makedepend` f
On Sun, Jan 20, 2013 at 6:51 PM, wrote:
> On 18-01-2013 20:26, Jeffrey Walton wrote:
>>
>> On Fri, Jan 18, 2013 at 11:01 AM, Memmott, Lester
>> wrote:
>>>>
>>>> All modern Versions of Microsoft's C Runtime are thread safe. That
>&g
On Sat, Jan 19, 2013 at 11:42 AM, Ben Laurie wrote:
> On 19 January 2013 16:31, Jeffrey Walton wrote:
>> On Sat, Jan 19, 2013 at 9:17 AM, Ben Laurie wrote:
>>> On 26 December 2012 20:07, Jeffrey Walton wrote:
>>>> On Wed, Dec 26, 2012 at 9:57 AM, Ben Laurie wro
On Wed, Jan 23, 2013 at 9:42 AM, Viktor Dukhovni
wrote:
> On Wed, Jan 23, 2013 at 09:12:41AM -0500, Ken Goldman wrote:
>
>> My experience is that you should not expect binary compatibility.
>> Since errors will often be in little used corner cases, it's safer
>> to always recompile.
>
> Please do
On Wed, Jan 23, 2013 at 3:02 PM, John A. Wallace wrote:
> I also have questions about this issue. Am I correct in saying that IDEA,
> which is a patented algorithm, has legal restrictions from our implementing
I believe IDEA is no longer encumbered in the US. I seem to recall it
expired around 201
On Wed, Jan 23, 2013 at 1:20 PM, Smith, Russell (Shane), Contractor
wrote:
> I am looking for a way to disable weak ciphers in openssl.
> I have a legacy program that uses the "default" SSL ciphers and is not
> configurable like apache and httpd.conf etc.
> Is there any way I can change the a
Hi All,
I just made a recommendation for Thomas Wu's Secure Remote Password (SRP).
I know Thomas Wu submitted patches some time ago
(http://rt.openssl.org/Ticket/Display.html?id=1794&user=guest&pass=guest).
What is the status of SRP in OpenSSL? Is it in mainline? Or does it
need to be pulled fro
On Mon, Jan 28, 2013 at 7:18 AM, Rahul Godbole wrote:
>
> When I call the function FIPS_mode_set() from my code, the function returns
> 0. It returns 0 because the flag OPENSSL_FIPS is not set during compilation.
> What option should I pass to the Configure or config script so that it gets
> set d
On Tue, Jan 29, 2013 at 6:37 AM, Joseandro Luiz
wrote:
> Hello everyone,
> I am using the OpenSSL user guide from
> http://www.openssl.org/docs/fips/UserGuide-2.0.pdf in order to create a FIPS
> 140-2 compliant iOS app.
> So far I've successfully built the Incore utility and the FIPS Object Module
On Mon, Jan 28, 2013 at 8:24 AM, René Klomp wrote:
> Could someone tell me how i could disable *only* the EAS-NI instructions
> when compiling openssl?
I don't believe AES-NI can be disable at compile time. `./config -t`
might offer some useful options (I can't check at the moment because I
am on
Hi All,
This relates to 'OpenSSL Security Advisory [05 Feb 2013]' and the
accompanying CVEs. The bulletin did not address combinations of FIPS
Object Module and FIPS Capable Library Combinations.
Please forgive my ignorance. I don't like to take a lot of latitude or
license on these things. I'm t
On Wed, Feb 6, 2013 at 2:40 PM, Memmott, Lester
wrote:
> Jon,
>
> I’m having trouble with fipslink as well and thought it might help to compare
> notes. These are the linker errors I’m getting using Visual Studio 2008:
> fips_premain.obj : error LNK2001: unresolved external symbol "unsigned char
On Sun, Feb 10, 2013 at 11:31 PM, Daniel Black
wrote:
> On 11/02/13 14:12, Jeffrey Walton wrote:
>> Hi All,
>>
>> I'm trying to extract a public key (subjectPublicKeyInfo) form an X509
>> certificate.
>>
>
> from apps/x509.c in the openssl source:
&g
Hi All,
I'm trying to memory map a file. Does OpenSSL BIO's allow this?
I seem to be failing on BIO_read_filename with a `ret` of 0. The docs
state I should expect `ret` of 1. When I look for the problem, I'm
getting an error code of 0 (`err`, success).
I ask because the doc's appear to be incor
On Mon, Feb 11, 2013 at 12:41 AM, Viktor Dukhovni
wrote:
> On Mon, Feb 11, 2013 at 12:01:49AM -0500, Jeffrey Walton wrote:
>
>> >> I'm trying to extract a public key (subjectPublicKeyInfo) form an X509
>> >> certificate.
>> >
>> > from apps/x50
On Mon, Feb 11, 2013 at 5:15 PM, Dave Thompson wrote:
>> From: owner-openssl-us...@openssl.org On Behalf Of Jeffrey Walton
>> Sent: Monday, 11 February, 2013 01:12
>
>> I'm trying to memory map a file. Does OpenSSL BIO's allow this?
>>
>> I seem to be f
On Mon, Feb 11, 2013 at 5:15 PM, Dave Thompson wrote:
>> From: owner-openssl-us...@openssl.org On Behalf Of Viktor Dukhovni
>> Sent: Monday, 11 February, 2013 00:41
>
>> On Mon, Feb 11, 2013 at 12:01:49AM -0500, Jeffrey Walton wrote:
>>
>> > &
Hi All,
I'm probably doing something wrong here, but I don't see what it is.
I'm calling SSL_CTX_load_verify_locations() with a CAT of PEM files.
I'm not calling SSL_CTX_set_default_verify_paths():
/* http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html */
/* I've also tried with a
On Tue, Feb 12, 2013 at 3:16 AM, Jeffrey Walton wrote:
> ...
>
> I've used `openssl x509 -text -in "AddTrust External CA Root.pem"`
> (copied out directly from s_client), and everything looks OK. CA is
> TRUE, AKI is present, KU includes "Certificate Sign, CRL S
I was missing "Add Trust External CA Root",
https://support.comodo.com/index.php?_m=downloads&_a=viewdownload&downloaditemid=9&nav=0,1.
On Tue, Feb 12, 2013 at 3:16 AM, Jeffrey Walton wrote:
> Hi All,
>
> I'm probably doing something wrong here, but I d
On Thu, Feb 14, 2013 at 5:12 AM, Gayathri Manoj
wrote:
> Hi All,
>
> Please let me know if openssl version 1.0.0 is fips compliant?
http://www.openssl.org/docs/fips/UserGuide-2.0.pdf
__
OpenSSL Project
201 - 300 of 760 matches
Mail list logo