On 16/04/18 11:38, Matt Caswell wrote:
>
>
> On 16/04/18 09:19, marcus.schafheu...@gmx.de wrote:
>> SSL_set_bio(ssl, NULL, NULL); // free BIOs when finished
>
> There should be no reason to do this. The BIOs will get freed
> automatically by the SSL_free() call.
>
>
>> Is this a faulty
On 16/04/18 09:19, marcus.schafheu...@gmx.de wrote:
> SSL_set_bio(ssl, NULL, NULL); // free BIOs when finished
There should be no reason to do this. The BIOs will get freed
automatically by the SSL_free() call.
> Is this a faulty behavior of OpenSSL 1.1.0 or is the fault on my side?
This
Hello,
we encountered a strange behaviour of OpenSSL 1.1.0 when our test with "sslscan" provokes an unfinished
handshake. The problem exists since OpenSSL 1.1.0 - there were no problems with OpenSSL 1.0.2x.
Our asynchronous communication approach uses memory BIOs in order to read/write data
On Thu, Jul 23, 2009 at 12:27:56PM -0500, Michael Kurecka wrote:
I have no problem what I have so far. It is a stripped down version with
openssl FIPS. Where shall I send it?
If you are willing to license the wpa_supplicant/hostapd changes under
the license used in the project, please send
I tried
export LD_LIBRARY_PATH=/usr/local/ssl/fips
and
export LD_LIBRARY_PATH=/usr/local/ssl/fips/bin
and
export LD_LIBRARY_PATH=/usr/local/ssl/fips-1.0
and all three failed to avert the assertion failure. How can I be
assured that the FIPS library is being run? Self-tests seem to run and
pass
On Mon, Jul 27, 2009, Michael Kurecka wrote:
I tried
export LD_LIBRARY_PATH=/usr/local/ssl/fips
and
export LD_LIBRARY_PATH=/usr/local/ssl/fips/bin
and
export LD_LIBRARY_PATH=/usr/local/ssl/fips-1.0
You need to set that to a directory that contains libssl.so.0.9.8 that is FIPS
capable
That seemed to work using
export LD_LIBRARY_PATH=/usr/local/ssl/fips/lib
I'm not getting the assertion failure but I am now getting a
segmentation fault in memcpy () from /lib/libc.so.6 which I need to
look into. Back to my previous question of -- Is my script wrong or am
I doing something wrong
Failed again with a different error:
make[1]: Entering directory `/usr/src/openssl/crypto'
( echo #ifndef MK1MF_BUILD; \
echo ' /* auto-generated by crypto/Makefile for
crypto/cversion.c */'; \
echo ' #define CFLAGS gcc -fPIC -DOPENSSL_PIC
-DOPENSSL_THREADS -D_REENTRANT
Dr. Henson,
I tried the change for MD5 you mentioned of using the EVP interface,
but it isn't working as I am getting the forbidden algorithm error. Below
is the new code. The init is passing but it is failing on the update. I
noticed that the flag is cleared after the init so I set the
On Fri, Jul 24, 2009, Michael Kurecka wrote:
Dr. Henson,
I tried the change for MD5 you mentioned of using the EVP interface,
but it isn't working as I am getting the forbidden algorithm error. Below
is the new code. The init is passing but it is failing on the update. I
noticed that
On Fri, Jul 24, 2009, Michael Kurecka wrote:
Failed again with a different error:
Erk, OK. I'd suggest starting with linux-generic32 and deleting
-fomit-frame-pointer and -O3 from Makefile and adding -g
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support
I finally succeeded in adding debug to openssl, but it doesn't seem to
be working completely. I was able to set the breakpoint at the point
you mentioned Dr. Henson but I'm not sure how that will tell me what
is being called. I am not able to break on ssl3_init_finished_mac,
ssl3_connect or
On Fri, Jul 24, 2009, Michael Kurecka wrote:
I finally succeeded in adding debug to openssl, but it doesn't seem to
be working completely. I was able to set the breakpoint at the point
you mentioned Dr. Henson but I'm not sure how that will tell me what
is being called. I am not able to break
I did not see anything which I assume means I am using the standard
libssl. How do I correct this?
__
OpenSSL Project http://www.openssl.org
User Support Mailing List
On Fri, Jul 24, 2009, Michael Kurecka wrote:
I did not see anything which I assume means I am using the standard
libssl. How do I correct this?
Well it is part of the link process when you build the application. It needs
to link and use the version of libssl in the 0.9.8k distribution and not
On Wed, Jul 22, 2009, David Schwartz wrote:
Michael Kurecka wrote:
Thank you for your help that is definitely a point in the right
direction; however, it leaves me more baffled. I found the only
SSL_CTX_new function that is in the code and it is being passed
the TLSv1_method not an
David Schwartz wrote:
Most likely, you're getting a connection from a non-FIPS endpoint that's
forcing you to use a protocol that's not FIPS compliant. I'm not sure why
you're seeing what you're seeing though -- it should just have reported
that it was unable to negotiate compatible protocols
Dr. Steve:
How do I enable debug? I want to make sure I have it set right
as it takes a while to rebuild.
If you look at the Configure script you will see different debug options
that the developers have set up. Search the Configure file for lines
with 'debug-' in them. You can adjust the Configure script to set up
your own as well, just follow the pattern. There are quite a few
different configs
Dr Henson wrote:
No that won't bypass the MD5 check. You can use EVP and set the flag
EVP_MD_CTX_NON_FIPS_ALLOW if you really want to do that...
I do need to bypass MD5 because MD5 for RADIUS is FIPS compliant, but I
can't find the EVP_MD_CTX_NON_FIPS_ALLOW flag anywhere. Where is the flag
and
On Thu, Jul 23, 2009, Michael Kurecka wrote:
Dr Henson wrote:
No that won't bypass the MD5 check. You can use EVP and set the flag
EVP_MD_CTX_NON_FIPS_ALLOW if you really want to do that...
I do need to bypass MD5 because MD5 for RADIUS is FIPS compliant, but I
can't find the
On Thu, Jul 23, 2009, Michael Kurecka wrote:
Dr. Steve:
How do I enable debug? I want to make sure I have it set right as it takes a
while to rebuild.
I'd recommend using OpenSSL 0.9.8k throughout; for that you should be able to
use:
./config -d fipscanisterbuild
BLOODY BIG SODDING
Just to be clear
my current config is:
./config fipscanisterbuild no-asm (in the FIPS 1.2 directory)
make
./config fips (in the 0.9.8k directory)
make
I attempted:
./config -d fipscanisterbuild no-asm (in the FIPS 1.2 directory)
make
./config -d fips (in the 0.9.8k directory)
make
but it said
On Thu, Jul 23, 2009 at 12:51:53PM +0200, Dr. Stephen Henson wrote:
Yes in FIPS mode non-compliant ciphersuites are disabled and so should never
be seen. If there is some way to use them which is triggering this in
unmodified OpenSSL 0.9.8k I'd like to know what it is as that's a bug which
On Thu, Jul 23, 2009, Michael Kurecka wrote:
Just to be clear
my current config is:
./config fipscanisterbuild no-asm (in the FIPS 1.2 directory)
make
./config fips (in the 0.9.8k directory)
make
I attempted:
./config -d fipscanisterbuild no-asm (in the FIPS 1.2 directory)
make
Jouni,
I have no problem what I have so far. It is a stripped down version with
openssl FIPS. Where shall I send it?
Dr. Henson:
I did the ./Configure debug-linux-elf-noefence fipscanisterbuild as you
mentioned and that worked OK but I got the following error when I ran make.
#make
if [ -n
On Thu, Jul 23, 2009, Michael Kurecka wrote:
Dr. Henson:
I did the ./Configure debug-linux-elf-noefence fipscanisterbuild as you
mentioned and that worked OK but I got the following error when I ran make.
Argh... don't have a debug configuration for that platform. Try
deleting the
What determines which SSL version is used? Is it the CTX object,
a configuration setting, etc.? I've tried tracing the code on
the OpenSSL side but it has me baffled even with a stack trace
I'm having trouble understanding its path. I would appreciate
any help you can give on the issue.
/eap.c:368
#12 0x0004e22c in eap_peer_sm_step (sm=0x8ad90) at ../src/eap_peer/eap.c:698
#13 0x0004b9d0 in eapol_sm_step (sm=0x8ac68) at
../src/eapol_supp/eapol_supp_sm.c:900
No proper debugging symbols in the shared library AFAICS.
The actual assertion failure is caused by ignoring an earlier
Michael Kurecka wrote:
Thank you for your help that is definitely a point in the right
direction; however, it leaves me more baffled. I found the only
SSL_CTX_new function that is in the code and it is being passed
the TLSv1_method not an SSLv*_method which is what it should be
according to
Thank you David for your bluntness. Trust me, I'm aware of how significant
making wpa_supplicant FIPSable is. I've been working on it for several
months. Over the past few months I've been in the process of removing
non-compliant code, updating MD5 to SHA-1, etc. I'm close for the AP side
with
I'm not going to comment on David's assertions or anything about
wpa_supplicants, but let's take a step back:
SSL is NOT allowed in FIPS 140-2 compliant modes; TLS 1.0 IS allowed in FIPS
140-2 when using FIPS-approved security functions (see the FIPS 140-2
implementation guide).
TLS 1.0 is
with a software only interface) the context is
initialised so that any attempt to use the context produces a hard assertion
failure when you call *update().
The low level interfaces often don't return values and their use directly in
applications has been discouraged for many years. In those cases you
Michael Kurecka wrote:
Thank you David for your bluntness. Trust me, I'm aware of how
significant making wpa_supplicant FIPSable is. I've been working
on it for several months. Over the past few months I've been in
the process of removing non-compliant code, updating MD5 to SHA-1,
etc. I'm
How do I disable SSLv3 so that I can use FIPS?
On Fri, Jul 17, 2009 at 4:22 PM, David Schwartz dav...@webmaster.com wrote:
Michael Kurecka:
I am trying to run wpa_supplicant in FIPS mode.
Why?
I don't think the MD5 function is even called
MD5 is part of SSLv3.
#6 0x4003e6b8 in
Michael Kurecka:
How do I disable SSLv3 so that I can use FIPS?
Sorry to be blunt, but you don't. A FIPS wpa_supplicant is a significant
task, you can't just flip a few switches and make one appear.
DS
I am trying to run wpa_supplicant in FIPS mode. The stack trace of the
failure is below. I'm assuming that an algorithm not supported by FIPS
is being used but I'm not sure which one since I thought I removed
them all. I replaced SHA-1 with
EVP_MD_CTX ctx;
size_t i;
unsigned int mac_len;
Michael Kurecka:
I am trying to run wpa_supplicant in FIPS mode.
Why?
I don't think the MD5 function is even called
MD5 is part of SSLv3.
#6 0x4003e6b8 in ssl3_connect () from /usr/lib/libssl.so.0.9.8
#7 0x4004ebf4 in SSL_connect () from /usr/lib/libssl.so.0.9.8
#8 0x000526c0 in