Re: Is it possible to configure only TLSv1.2 ciphers for FIPS?

2013-04-29 Thread Cipher
Hi Jakob,

I am using OpenSSL 1.0.1e compiled against FIPS 2.0.2.
Thanks a lot! That was some great information. We will upgrade to 2.3.x
since we need OCSP support as well.
Any idea which is the stable version in 2.3.x?

Hi Viktor,
/And then protocols here.  Which do you want, the protocol or the ciphers?/ 
Sorry, I was under the impression that selecting the TLS version automatically
sets the same-versioned ciphers. I may be mistaken here. Jakob's mail clears
the confusion for me.
Thanks!

Cipher.



--
View this message in context: 
http://openssl.6102.n7.nabble.com/Is-it-possible-to-configure-only-TLSv1-2-ciphers-for-FIPS-tp44905p44946.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project                      http://www.openssl.org
User Support Mailing List            openssl-users@openssl.org
Automated List Manager               majord...@openssl.org


Re: Is it possible to configure only TLSv1.2 ciphers for FIPS?

2013-04-29 Thread Jakob Bohm
Please refer to http://httpd.apache.org for the current version 
numbers.  Note that 2.3.x was a beta series for the current 2.4.x releases.


On 4/29/2013 2:22 PM, Cipher wrote:

Hi Jakob,

I am using OpenSSL 1.0.1e compiled against FIPS 2.0.2.
Thanks a lot! That was some great information. We will upgrade to 2.3.x
since we need OCSP support as well.
Any idea which is the stable version in 2.3.x?

Hi Viktor,

/And then protocols here.  Which do you want, the protocol or the ciphers?/

Sorry, I was under the impression that selecting the TLS version automatically
sets the same-versioned ciphers. I may be mistaken here. Jakob's mail clears
the confusion for me.
Thanks!

Cipher.





Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: Is it possible to configure only TLSv1.2 ciphers for FIPS?

2013-04-26 Thread Viktor Dukhovni
On Thu, Apr 25, 2013 at 04:40:12AM -0700, Cipher wrote:

 For FIPS work, we are planning to support only TLSv1.2 ciphers. Is there a
 configuration option to use *only* TLSv1.2 ciphers? 

You say ciphers here.

 We are using the apache/mod_ssl engine (v2.2.16).  The *SSLProtocol* directive
 does not support the TLSv1.1/TLSv1.2 option.

And then protocols here.  Which do you want, the protocol or the ciphers?

 If there is no config option, which functions need to be changed to support
 only TLSv1.2 in FIPS mode? (If the list is not so long.)
 Any inputs are highly appreciated.

I am not aware of any config option.  At runtime you can call
SSL_CTX_set_options() with an argument of:

SSL_OP_NO_SSLv2|
SSL_OP_NO_SSLv3|
SSL_OP_NO_TLSv1|
SSL_OP_NO_TLSv1_1

-- 
Viktor.
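The two knobs Viktor separates above, the protocol and the ciphers, as an added example that is not part of the thread. Python's ssl module stands in for the C calls: `ctx.options |= ssl.OP_NO_*` is the same SSL_CTX_set_options() call Viktor gives, and `ctx.set_ciphers()` is SSL_CTX_set_cipher_list(), which is where mod_ssl's SSLCipherSuite value ends up. The cipher strings, function names and the TLS 1.3 ceiling are the example's own assumptions, not anything the thread states; TLS 1.3 did not exist in 2013, but on a current OpenSSL the four OP_NO bits alone would leave it enabled.

```python
import ssl
import warnings

# Viktor's four protocol bits, as Python's ssl module exposes OpenSSL's
# SSL_OP_NO_SSLv2 / SSL_OP_NO_SSLv3 / SSL_OP_NO_TLSv1 / SSL_OP_NO_TLSv1_1.
PRE_TLS12 = (ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
             | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1)


def _tls12_protocol_context():
    """The protocol knob only: Viktor's SSL_CTX_set_options() call, nothing else."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with warnings.catch_warnings():
        # Python 3.10+ flags the OP_NO_* bits as deprecated in favour of
        # minimum_version; they still take effect.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= PRE_TLS12
    # Assumption beyond the 2013 thread: on an OpenSSL with TLS 1.3 the bits
    # above leave 1.3 enabled, so a genuinely "1.2 only" policy needs a ceiling.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def protocol_only_context():
    """SSLProtocol TLSv1.2 alone: the handshake is 1.2, the suite list is untouched.

    The cipher string is constructed for the demo: one TLS 1.2-only suite next
    to two suites inherited from TLS 1.0 / SSLv3 that a TLS 1.2 handshake
    still accepts.
    """
    ctx = _tls12_protocol_context()
    ctx.set_ciphers("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES128-SHA")
    return ctx


def tls12_only_context():
    """Protocol *and* suite knob: what 'only TLSv1.2 ciphers' actually takes."""
    ctx = _tls12_protocol_context()
    # "TLSv1.2" is OpenSSL's cipher-string keyword for suites introduced in
    # TLS 1.2 (the one Jakob warns early 1.0.1 releases mis-parsed). Jakob's
    # caveat that it says nothing about strength is why anonymous and NULL
    # suites are excluded explicitly here (an addition of this example).
    ctx.set_ciphers("TLSv1.2:!aNULL:!eNULL")
    return ctx


def negotiable_suites(ctx):
    """Suites usable under ctx's version bounds, grouped by OpenSSL's version label.

    OpenSSL labels a suite with the version that introduced it; pre-1.3 suites
    remain valid through TLS 1.2, TLS 1.3 suites only in 1.3. get_ciphers()
    lists the configured stack without that filter (TLS 1.3 suites included),
    so the overlap test below reproduces OpenSSL's own enable/disable rule.
    """
    lo, hi = ctx.minimum_version, ctx.maximum_version
    usable = {}
    for c in ctx.get_ciphers():
        label = c["protocol"]
        if label == "TLSv1.3":
            s_lo, s_hi = ssl.TLSVersion.TLSv1_3, ssl.TLSVersion.TLSv1_3
        elif label == "TLSv1.2":
            s_lo, s_hi = ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2
        else:  # "SSLv3" / "TLSv1.0" suites: carried forward through TLS 1.2
            s_lo, s_hi = ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1_2
        if s_lo <= hi and s_hi >= lo:
            usable.setdefault(label, []).append(c["name"])
    return usable


def has_pre_tls12_disabled(ctx):
    """True when all four of Viktor's OP_NO bits are set on the context."""
    return (ctx.options & PRE_TLS12) == PRE_TLS12


if __name__ == "__main__":
    for name, ctx in (("protocol only", protocol_only_context()),
                      ("protocol + suites", tls12_only_context())):
        print(name + ":")
        for label, names in sorted(negotiable_suites(ctx).items()):
            print("  %-8s %s" % (label, ", ".join(names)))
```

Running it shows the point of Viktor's question: the protocol-only context still offers the SHA1 suites from the TLS 1.0/SSLv3 era inside its TLS 1.2 handshake, while only the second context is limited to suites that did not exist before 1.2.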


Re: Is it possible to configure only TLSv1.2 ciphers for FIPS?

2013-04-26 Thread Jakob Bohm

On 4/25/2013 1:40 PM, Cipher wrote:

Hi,
For FIPS work, we are planning to support only TLSv1.2 ciphers. Is there a
configuration option to use *only* TLSv1.2 ciphers?
We are using the apache/mod_ssl engine (v2.2.16).  The *SSLProtocol* directive
does not support the TLSv1.1/TLSv1.2 option.



Which version of the OpenSSL library was it built with?  Anything less
than 1.0.1 will not allow TLSv1.2, and will not work with the current
FIPS-certified module 2.0.

Due to known security fixes, be sure to use Apache/mod_ssl 2.2.24 or 
later with OpenSSL 1.0.1e or later.  Apache 2.2.24 includes security
fixes, and some TLSv1.2 related fixes.

If it was built against OpenSSL library 1.0.1, you can use the
SSLCipherSuite directive to limit the set of ciphersuites that will
work.  Also note that the parser for this option in earlier OpenSSL
library 1.0.1 patch releases had bugs in the handling of TLSv1.2
related names, so be sure to use the current OpenSSL library version 1.0.1e.

According to http://httpd.apache.org/docs/2.2/mod/mod_ssl.html, when
built against OpenSSL library 1.0.1e with FIPS module 2.0, mod_ssl
2.2.23 or later *does* support the specification of the TLSv1.2 protocol
in the SSLProtocol directive.

And please be sure to filter the correct aspect of your setup, as there
are 4 independent directives that affect *different* security parameters:

# Only use the cipher suites that are new for TLS version 1.2,
#   regardless of their security or lack thereof.
# The value of this option is parsed by the OpenSSL library and the
#   mod_ssl documentation of its possible values is hopelessly
#   outdated; for instance the values HIGH and MEDIUM do not mean
#   what that outdated document says.
SSLCipherSuite TLSv1.2
# Only use the version 1.2 handshake and encryption protocol; this
#   does not prevent negotiating a weak encryption such as
#   56 bit single DES.
# This option is new in Apache mod_ssl 2.2.23
SSLProtocol TLSv1.2
# Only use FIPS-approved algorithms in FIPS-validated implementations;
#   this is required for US Government work but prevents the use of
#   security improvements that have not made it through the bureaucracy
#   yet.
SSLFIPS on
# Prevent a traffic-analysis attack on some types of cookie
#   authentication.  These attacks only work if they can trick the user's
#   browser into repeatedly sending their secret cookie with different
#   attacker-chosen HTTP header values, thus giving different compressed
#   size depending on which letters are in common between the cookie and
#   the attacker's values.  These attacks are called CRIME attacks.
# A better defense against these attacks is to cancel (server side!) the
#   validity of any authentication cookie repeatedly received with wrong
#   or modified URLs or other header parameters.
# Regardless, some security auditors currently insist that all data
#   compression of encrypted connections is disabled wholesale
#   regardless of other security measures taken against these attacks.
# This option is new in Apache mod_ssl 2.2.24
SSLCompression off



If there is no config option, which functions need to be changed to support
only TLSv1.2 in FIPS mode? (If the list is not so long.)

Any inputs are highly appreciated.

Thanks,



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
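An added example, not from the thread or from mod_ssl itself: a small audit of a vhost against the four directives Jakob separates above. The directive parser, the finding texts and both config fragments (one left at 2.2-era settings apart from SSLProtocol, the way the original question describes; the other carrying Jakob's four directives) are constructed for this example. Treating an absent SSLProtocol as "all" follows the documented mod_ssl 2.2 default; the SSLCipherSuite rule is deliberately the narrow check this thread asks about, the TLSv1.2 keyword, rather than a full cipher-string evaluator.

```python
import re

# Protocol names mod_ssl 2.2.23+ accepts in SSLProtocol, keyed lower-cased
# because the comparison below is done case-insensitively.
_PROTOCOLS = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1",
              "tlsv1.1": "TLSv1.1", "tlsv1.2": "TLSv1.2"}
_DIRECTIVE = re.compile(r"^\s*(SSL\w+)\s+(.+?)\s*$")

# Constructed sample 1: only the protocol is touched, the other knobs are not.
WEAK_CONF = """
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP
</VirtualHost>
"""

# Constructed sample 2: the four directives from Jakob's reply.
HARDENED_CONF = """
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite TLSv1.2
    SSLProtocol TLSv1.2
    SSLFIPS on
    SSLCompression off
</VirtualHost>
"""


def parse_ssl_directives(conf):
    """Map each SSL* directive to its argument tokens; a later occurrence wins."""
    found = {}
    for line in conf.splitlines():
        if line.lstrip().startswith("#"):   # Apache comments are whole lines
            continue
        m = _DIRECTIVE.match(line)
        if m:
            found[m.group(1)] = m.group(2).split()
    return found


def enabled_protocols(tokens):
    """Evaluate an SSLProtocol argument list: 'all', bare names, '+name', '-name'."""
    enabled = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        if name.lower() == "all":
            chosen = set(_PROTOCOLS.values())
        elif name.lower() in _PROTOCOLS:
            chosen = {_PROTOCOLS[name.lower()]}
        else:
            raise ValueError("unknown protocol in SSLProtocol: %r" % tok)
        if sign == "+":
            enabled |= chosen
        else:
            enabled -= chosen
    return enabled


def audit(conf):
    """Findings against the four directives; an empty list matches Jakob's set."""
    d = parse_ssl_directives(conf)
    findings = []

    # 1. Protocol: which handshake/record versions may be negotiated.
    #    mod_ssl 2.2 documents "all" as the default when the directive is absent.
    proto = enabled_protocols(d.get("SSLProtocol", ["all"]))
    if proto != {"TLSv1.2"}:
        findings.append("SSLProtocol enables " + ", ".join(sorted(proto)))

    # 2. Cipher suites: a separate knob. An unrestricted list still offers the
    #    SSLv3/TLS1.0-era suites inside a TLS 1.2 handshake. Only the TLSv1.2
    #    keyword is recognised here; an explicit list of 1.2-only suite names
    #    would need a real cipher-string evaluator.
    elements = d.get("SSLCipherSuite", [""])[0].split(":")
    if "TLSv1.2" not in elements:
        findings.append("SSLCipherSuite does not select the TLSv1.2 suites")

    # 3. FIPS mode and 4. compression: independent again; absent counts as unset.
    if d.get("SSLFIPS", ["off"])[0].lower() != "on":
        findings.append("SSLFIPS is not on")
    if d.get("SSLCompression", [""])[0].lower() != "off":
        findings.append("SSLCompression is not off")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name + ":", audit(conf) or ["no findings"])
```

The weak fragment produces one finding per directive, which is Jakob's point in code form: restricting SSLProtocol alone leaves the suite list, FIPS mode and compression exactly where they were.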


Is it possible to configure only TLSv1.2 ciphers for FIPS?

2013-04-25 Thread Cipher
Hi,
For FIPS work, we are planning to support only TLSv1.2 ciphers. Is there a
configuration option to use *only* TLSv1.2 ciphers? 
We are using the apache/mod_ssl engine (v2.2.16).  The *SSLProtocol* directive
does not support the TLSv1.1/TLSv1.2 option.

If there is no config option, which functions need to be changed to support
only TLSv1.2 in FIPS mode? (If the list is not so long.)

Any inputs are highly appreciated.

Thanks,
Cipher



--
View this message in context: 
http://openssl.6102.n7.nabble.com/Is-it-possible-to-configure-only-TLSv1-2-ciphers-for-FIPS-tp44905.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.