Re: [openssl-users] Enable the FIPS mode in the library level

2018-03-05 Thread Dr. Matthias St. Pierre
On 05.03.2018 10:46, Alan Dean wrote: > Question 1: Is it even feasible to make the FIPS mode always enabled > for the whole OpenSSL library (i.e. for both libcrypto and libssl), so > that most of the applications which dynamically link to libcrypto and > libssl will automatically use OpenSSL

Re: [openssl-users] x509: recent change in Subject and Issuer printing?

2018-03-05 Thread Matt Caswell
On 04/03/18 02:22, Adam Shannon wrote: > Was there a change included in the 1.1.0 series which prints names > differently? I've looked, but been unable to narrow down what in > specific changed. This was changed by commit f1cece554d. The default "nameopt" setting for the x509 app (and a few

[openssl-users] Enable the FIPS mode in the library level

2018-03-05 Thread Alan Dean
Hi All: I am working on a project to integrate the OpenSSL FIPS capable library into our product platform. (We will be doing our own FIPS 140-2 level 1 certification.) There are a large number of third-party applications/libraries (e.g. wget, libcurl, postfix, etc.) running on our platform which use

Re: [openssl-users] Enable the FIPS mode in the library level

2018-03-05 Thread Dr. Matthias St. Pierre
On 05.03.2018 11:57, Dr. Matthias St. Pierre wrote: > > However, I am sceptical whether this approach will be accepted, > because there are (at least) two potential problems: > > * Normally, it is mandatory to check the result of FIPS_mode_set() or > FIPS_mode() to ensure that the FIPS

[openssl-users] Looking for Christophe Renou

2018-03-05 Thread Matt Caswell
Hi all As many of you know we are looking to change the licence for OpenSSL to the Apache Licence. To do that we are trying to trace all previous committers. We have a small number of people left to find. See: https://license.openssl.org/trying-to-find Of these one stands out as being a

Re: [openssl-users] Enable the FIPS mode in the library level

2018-03-05 Thread Michael Richardson
Dr. Matthias St. Pierre wrote: > On 05.03.2018 10:46, Alan Dean wrote: >> Question 1: Is it even feasible to make the FIPS mode always enabled >> for the whole OpenSSL library (i.e. for both libcrypto and libssl), so > The optimal location for

Re: [openssl-users] Enable the FIPS mode in the library level

2018-03-05 Thread Alan Dean
Thanks a lot Matthias for the suggestion. I have a few follow-up questions below: On Mon, Mar 5, 2018 at 2:57 AM, Dr. Matthias St. Pierre < matthias.st.pie...@ncp-e.com> wrote: > > > On 05.03.2018 10:46, Alan Dean wrote: > > Question 1: Is it even feasible to make the FIPS mode always enabled for

Re: [openssl-users] Enable the FIPS mode in the library level

2018-03-05 Thread Alan Dean
On Mon, Mar 5, 2018 at 3:04 AM, Dr. Matthias St. Pierre < matthias.st.pie...@ncp-e.com> wrote: > > > On 05.03.2018 11:57, Dr. Matthias St. Pierre wrote: > > > > However, I am sceptical whether this approach will be accepted, > > because there are (at least) two potential problems: > > > > *

Re: [openssl-users] Enable the FIPS mode in the library level

2018-03-05 Thread Dr. Matthias St. Pierre
On 05.03.2018 at 19:55, Alan Dean wrote: > Thanks a lot Matthias for the suggestion. > > I have a few follow-up questions below: > Please see my other replies.

Re: [openssl-users] Enable the FIPS mode in the library level

2018-03-05 Thread Dr. Matthias St. Pierre
On 05.03.2018 at 20:07, Salz, Rich via openssl-users wrote: > > * Did you mean if an application uses the low level crypto algorithm > functions (e.g. SHA256_Init/ SHA256_Update/ SHA256_Final) then > they won't work under FIPS mode (and hence may cause unpredictable > issues)? > >

Re: [openssl-users] Enable the FIPS mode in the library level

2018-03-05 Thread Alan Dean
Thanks Matthias for your response. I have a different question: Per your suggestion in the previous email, FIPS_mode_set() can be moved inside of OPENSSL_init(), in order to force the FIPS mode enabled in the library level. However currently OPENSSL_init() is actually invoked from within

Re: [openssl-users] Enable the FIPS mode in the library level

2018-03-05 Thread Salz, Rich via openssl-users
* Did you mean if an application uses the low level crypto algorithm functions (e.g. SHA256_Init/ SHA256_Update/ SHA256_Final) then they won't work under FIPS mode (and hence may cause unpredictable issues)? Yes. It’s not unpredictable issues, but rather that your application cannot claim

[openssl-users] FIPS_mode_set(1) failing

2018-03-05 Thread Ken Goldman
This call fails on two platforms with: fips.c(143): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE (or line 139) The openssl installs are: OpenSSL 1.0.1e-fips 11 Feb 2013 OpenSSL 1.0.2g-fips 1 Mar 2016 Any hints? Do I have to call a self test before entering

Re: [openssl-users] FIPS_mode_set(1) failing

2018-03-05 Thread murugesh pitchaiah
Hi, On invoking FIPS_mode_set(1), the self test would be run internally first. The test would be run for all modules like dsa, rsa, rng, etc. This error indicates a failure in one of these self-test runs. Try to view the "FIPSerr" which could show you which module's test actually failed; so you