Hi All,
We currently use OpenSSL 1.0.2h, we are in the process of upgrading to
OpenSSL 1.1.1. To address some legacy functionalities we are planning to
write engines for OpenSSL 1.0.2h offload crypto operation to external
components.
We have few queries regarding the same
1. Can we offload a
Hi All,
We are writing a RSA engine for OpenSSL library to handle certificates up
to 4096 bytes strength. We do support certificates up to 8k.
How to we make engine to handle certificates only up to 4K and others
handled by OpenSSL itself.
Any help, inputs are appreciated.
Thanks and Regards,
J
Hi All,
We are trying to compile OpenSSL 1.1.1i on our system. It is a hybrid
system. Compiler is arm -gcc for WinCE 6.0 and the module that compiles
openssl is on Vxworks 5.0 abstraction.
I am getting the below error. Does anyone have inputs. Any help would be
appreciated.
openssl/safestack.h(
Hi All,
We are trying to integrate OpenSSL 1.1.1i on our device that runs on the
ARM platform. Device boots to ready
state with OpenSSL 1.1.1i. However when we try to access the device EWS, we
are getting below error
error:0B080074:x509 certificate routines:X509_check_private_key:key values
mism
Hi All,
We upgraded our device to use OpenSSL 1.1.1k from OpenSSL 1.0.2h. Device is
on an ARM processor. Embedded web server comes to ready state with compiler
optimization set to -O0.
With value -O1 we are seeing issues in d2i_RSAPrivateKey.
I wrote a sample test program as below. The test progr
Hi All,
We have a product that has 2 network interfaces i.e. wired and wireless.
Both interfaces uses separate OpenSSL library. However FIPS validated
OpenSSL crypto module is common for both interfaces as shown below.
FIPS validated openSSL
Hi All,
We are using OpenSSL 1.0.1c along with OpenSSL FIPS object Module in our
product. Recently we have added TPM support. TPM chip is not FIPS
compliant. Hence in FIPS mode none of the SSL applications are working.
I wanted inputs on the following questions. I would be grateful to receive
a
:36 PM, Steve Marquess <
marqu...@opensslfoundation.com> wrote:
> On 07/04/2014 10:44 AM, Dr. Stephen Henson wrote:
> > On Fri, Jul 04, 2014, Jayalakshmi bhat wrote:
> >
> >> Hi All,
> >>
> >> We are using OpenSSL 1.0.1c along with OpenSSL FIPS obje
. Stephen Henson
wrote:
> On Fri, Jul 04, 2014, Jayalakshmi bhat wrote:
>
> > Hi All,
> >
> > We are using OpenSSL 1.0.1c along with OpenSSL FIPS object Module in our
> > product. Recently we have added TPM support. TPM chip is not FIPS
> > compliant
Thanks a lot Steve for the quick response.
On Fri, Jul 4, 2014 at 10:21 PM, Steve Marquess <
marqu...@opensslfoundation.com> wrote:
> On 07/04/2014 12:06 PM, Jayalakshmi bhat wrote:
> > Hi Steve,
> >
> > Thank you very much for the response. I have one more question.
Hi All,
We want to support a hardware accelerator on our device. We are using
OpenSSL with OpenSSL FIPS Object module. I wanted to know if we can add
engine support in OpenSSL FIPS Object module.
I welcome all valuable inputs.
Regards
Jayalakshmi.
wrote:
> On Sat, Jul 05, 2014, Jayalakshmi bhat wrote:
>
> > Hi All,
> >
> > We want to support a hardware accelerator on our device. We are using
> > OpenSSL with OpenSSL FIPS Object module. I wanted to know if we can add
> > engine support in OpenSSL FIPS Obj
Hi Kyle,
Thanks a lot for detailed explaination, it helped me lots.
Regards
Jayalakshmi
On Sun, Jul 6, 2014 at 2:44 AM, Kyle Hamilton wrote:
>
> On 7/5/2014 10:51 AM, Jayalakshmi bhat wrote:
> > Thanks a lot for the explanation. We have range of products that
> > provides ne
Hi Jakob,
Thank you very much for detailed and helpful explanation.
Regards
Jayalakshmi
On Sun, Jul 6, 2014 at 9:32 PM, Jakob Bohm wrote:
> On 7/6/2014 10:44 AM, Kyle Hamilton wrote:
>
>>
>> On 7/5/2014 10:51 AM, Jayalakshmi bhat wrote:
>>
>>> Thanks a lot f
Hello All,
I am working on a project where there is need to encrypt and decrypt
certain data using certificate public/private key pair. So far we were
using RSA based certificates. OpenSSL provides good number of API's for RSA
based encryption/decryption operation.
Now we are planning to support
Mon, Apr 27, 2015 at 12:54 AM, Jayalakshmi bhat
> wrote:
> > Hello All,
> >
> > I am working on a project where there is need to encrypt and decrypt
> certain
> > data using certificate public/private key pair. So far we were using RSA
> > based certificates. OpenSS
Hi All,
We are using OpenSSL on a multihome device. Device has 4 interfaces. Each
network interface creates one SSL context (SSL_CTX) and supports 16
connections. As per OpenSSL implementation Each SSL context can maintain a
free buffer list of 32. And this retained till SSL context (SSL_CTX) is
Hi All,
I am using OpenSSL library for a SSL client performing mutual
authentication. RSA certificate used is signed with SHA512 digest. When I
switch to FIPS mode and perform re-authentication, I am hitting an
error :0409A09E:lib(4):func(154):reason(158). Cipher used is AES128-SHA.
Can any one t
. API's changed are EVP_MD_flags from evp_lib.c
and pkey_fips_check_ctx from rsa_pmeth.c
Regards
Jayalakshmi
On Fri, Jul 17, 2015 at 4:20 AM, Dr. Stephen Henson
wrote:
> On Thu, Jul 16, 2015, Jayalakshmi bhat wrote:
>
> > Hi All,
> >
> > I am using OpenSSL library for a
Hi All,
Does *a**lternative chains certificate forgery** issue* affects the
OpenSSL stacks earlier than 1.0.1n releases Why I am asking this
question is affected code seems to be available in earlier versions as
well.
Thanks and Regards
Jayalakshmi
__
Hello all,
I have a question on FIPS. We have OpenSSL FIPS module integrated with our
product. We have an option to enable/disable FIPS at run time. We are
executing the following openSSL API's every time when FIPS status changes.
{
We have mapped OpenSSL crypto locks to mutex intenally. Hence w
Hi Tom,
Thanks a lot for clarifying the doubt.
Regards
Jayalakshmi
On Thu, Sep 10, 2015 at 8:44 AM, Tom Francis
wrote:
>
> > On Sep 10, 2015, at 8:44 AM, Jayalakshmi bhat <
> bhat.jayalaks...@gmail.com> wrote:
> >
> > Hello all,
> >
> > I have a que
Hi All,
I have ported OpenSSL 1.0.2d on out device. When I am using any cipher
(AES,3DES) in CBC mode I am ending with the
result SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC in SSL_F_SSL3_GET_RECORD
function.
TLS 1.2 with working fine with AES_GCM ciphers.
Has any one faced this issue?. Any help
Hi All,
I have ported OpenSSL 1.0.2d on our product. After that CBC mode is not
working. Handshakes are failing with bad mac alert failure. When I checked
the code mac retrieved from ssl3_cbc_copy_mac does not match with the
calculated mac.
Any help on this is appreciated.
Thanks and Regards
Jay
Hi All,
In earlier version of OpenSSL (i.e OpenSSL 1.0.1c) X509_verify_cert had a
check * if (params->trust >0)* before invoking check_trust function.
This has been removed in OpenSSL 1.0.2d. Does it mean applications are
expected to set the X509_VERIFY_PARAM properly?
Our application works fi
2015 at 07:00:06PM +0530, Jayalakshmi bhat wrote:
>
> > In earlier version of OpenSSL (i.e OpenSSL 1.0.1c) X509_verify_cert
> had a
> > check * if (params->trust >0)* before invoking check_trust function.
>
> The OpenSSL source code is available via git:
>
> htt
or the applications to
set X509_VERIFY_PARAM in X509_STORE_CTX
Regards
Jayalakshmi
On Mon, Nov 16, 2015 at 11:40 AM, Viktor Dukhovni <
openssl-us...@dukhovni.org> wrote:
>
> > On Nov 16, 2015, at 12:14 AM, Jayalakshmi bhat <
> bhat.jayalaks...@gmail.com> wrote:
> >
l upstream versions) is not working the way you expect.
>
> On Mon, Nov 16, 2015 at 12:22:48PM +0530, Jayalakshmi bhat wrote:
>
> > Our device acts as TLS/SSL client. The device receives chain of
> > certificates as part of SSL handshake, when it is trying to get connected
&g
er if I do not install
intermediate CA-2 things works fine.
Any help is well appreciated.
Regards
Jayalakshmi
On Mon, Nov 16, 2015 at 2:52 PM, Matt Caswell wrote:
>
>
> On 16/11/15 06:52, Jayalakshmi bhat wrote:
> > Hi Victor,
> >
> > Thanks a lot for details explana
Hi All,
Recently we have ported OpenSSL 1.0.2d. Everything works perfect except the
below explained issue.
When we enable only TLS 1.0 protocol and select CBC ciphers, TLS handshake
fails with the error "bad record mac".
Error is in function static int ssl3_get_record(SSL *s). Error happen
omething specific about your environment that is causing the
> issue. Comments inserted below.
>
> On 04/12/15 06:53, Jayalakshmi bhat wrote:
> > Hi All,
> >
> >
> >
> > Recently we have ported OpenSSL 1.0.2d. Everything works perfect except
> > the belo
Hi Matt,
I replaced constant_time_eq_8 usage in s3_cbc.c with the implementation
available in OpenSSL 1.0.1e. Things worked fine.
Regards
Jaya
On Fri, Dec 4, 2015 at 7:04 PM, Matt Caswell wrote:
>
>
> On 04/12/15 11:31, Jayalakshmi bhat wrote:
> > Hi Matt,
> >
>
n (unsigned char)(constant_time_eq(a, b));
}
Regards
Jaya
On Fri, Dec 4, 2015 at 7:04 PM, Matt Caswell wrote:
>
>
> On 04/12/15 11:31, Jayalakshmi bhat wrote:
> > Hi Matt,
> >
> > Thanks a lot for the response.
> >
> > Is your application a client or a serve
uirks.
>
> On 04/12/2015 12:31, Jayalakshmi bhat wrote:
>
> Hi Matt,
>
> Thanks a lot for the response.
>
> Is your application a client or a server? Are both ends using OpenSSL 1.0.2d?
> If not, what is the other end using?
> >>Our device has both TLS client,server apps
Hi All,
Is there inputs or suggestions.
Thanks and Regards
Jaya
On Fri, Dec 4, 2015 at 11:37 AM, Jayalakshmi bhat <
bhat.jayalaks...@gmail.com> wrote:
> Hi Matt,
>
> s3_cbc.c uses the function constant_time_eq_8. I pulled only this
> function definition from OpenSSL 1.0.1e i
arguments.
>
> I ask because your proposed fix may be affected by compiler and/or CPU
> quirks.
>
> On 04/12/2015 12:31, Jayalakshmi bhat wrote:
>
> Hi Matt,
>
> Thanks a lot for the response.
>
> Is your application a client or a server? Are both ends using OpenSSL
gt; On 09/12/15 23:13, Benjamin Kaduk wrote:
> > On 12/09/2015 05:04 PM, Matt Caswell wrote:
> >>
> >> On 09/12/15 11:44, Jayalakshmi bhat wrote:
> >>> Hi Matt,
> >>>
> >>> I could build and execute the constant_time_test. I have atta
Hi All,
Thanks for all the responses. As mentioned by Matt in the discussion
thread,constant_time_msb performs the copy the msb of the input to all of
the other bits so the return value should either be one of 0x or
0x.
I found another interesting thing,constant_time_msb worke
. Thanks every one for the valuable time and
fruitful discussion.
Regards
Jaya
On Sun, Dec 13, 2015 at 11:13 AM, Jayalakshmi bhat <
bhat.jayalaks...@gmail.com> wrote:
> Hi All,
>
>
>
> Thanks for all the responses. As mentioned by Matt in the discussion
> thread,consta
Hi All,
I am generating 1k/2k/3k/4k CSR's on our device using OpenSSL library. I am
generating these CSR on our device. We have windows 2008 R2 servers and I
am signing these CSR using certificate authority on windows server. I am
setting only client and server authentication bits in the CSR sin
Hi All,
OpenSSL uses 256 bit AES-CTR DRBG as default DRBG in FIPS mode. I have
question associated with this.
1. OpenSSL wiki says : Default DRBG is 256-bit CTR AES *using a derivation
function*
2. Where as the document
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf
me
Hi All,
Please can any one let me know the release date or time line for OpenSSL
1.1.1?
Regards
Jayalakshmi
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Hi Matt,
I do understand. Thanks a lot for the reply.
Regards
Jayalakshmi
On Thu, May 18, 2017 at 2:47 PM, Matt Caswell wrote:
>
>
> On 18/05/17 06:32, Jayalakshmi bhat wrote:
> > Please can any one let me know the release date or time line for OpenSSL
> > 1.1.1?
>
>
Hi All,
I am using OpenSSL-FIPS-2.0.4 library on ARM7 + WinCE 6.0 with "user
affirm" the validation for Y per I.G. G.5.
We want to run latest CAVP test suites. We have built the *build_algvs and
other executable* for the above product/build environment.
However when we are trying to execute the
Hi All,
I am trying to build CAVP test executable for WinCE. Most of the executable
are built except 1-2. I am facing iob_func unresolved error.
Every thing seems to be proper. Any idea or help is well appreciated.
Regards
Jaya
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.o
Hi All,
I am trying to build openssl. As part of that I want to remove some ciphers
like md4, rc5 etc.
I tried ./config no-md5, no-rc5 and ./Configure no-md5, no-rc5. In both the
case MD4 and RC5 directories are still getting compiled.
Please can you let me know what could be going wrong.
Regar
Hi All,
I am looking for details on options used to disable or remove unwanted
ciphers, components while openssl building. This is for OpenSSL 1.0.2h. I
am seeing many things on internet. But most of them have minimum
explanation, please can you tell me is there any link that I can refer.
Regards
gt; On 24/10/17 07:06, Jayalakshmi bhat wrote:
> > Hi All,
> >
> > I am looking for details on options used to disable or remove unwanted
> > ciphers, components while openssl building. This is for OpenSSL 1.0.2h.
> > I am seeing many things on internet. But most of th
Hi All,
Our device uses TPM to protect certificate private keys. We have written
engine interface to integrate TPM functionality into OpenSSL. Thus TPM gets
loaded as an engine instance.
Also we have mapped RSA operations to TPM APIS as like
encryption/decryption etc.
Now we are into few issues.
-cswift
no-hw-ibmca no-hw-ncipher no-hw-nuron no-hw-padlock no-hw-sureware
no-hw-ubsec no-hw-zencod) does not seems to work. Is there any way to do it?
Regards
Jayalakshmi
On Thu, Oct 26, 2017 at 4:09 PM, Matt Caswell wrote:
>
>
> On 25/10/17 18:02, Jayalakshmi bhat wrote:
&g
-sureware no-hw-ubsec no-hw-zencod.
However as of now using the above values with ./Configure is not turning
off the compilation of the other hardware components.
Regards
Jaya
On Thu, Nov 2, 2017 at 3:56 PM, Matt Caswell wrote:
>
>
> On 02/11/17 07:07, Jayalakshmi bhat wrote:
&g
hardware
like aep, chill, cswift etc from compilation.
Regards
Jayalakshmi
On Thu, Nov 2, 2017 at 4:38 PM, Jayalakshmi bhat wrote:
> Hi Matt,
>
> Thanks for the reply. We dont want to turn off the engine fully. We have
> TPM chip, that is part of OpenSSL. I just want to turn
Hi,
We are planning to use DHE_RSA TLS ciphers into our product. I have few
questions on using DH parameter. We would like to use DH-2048.
our product includes both TLS client and server applications. Thus any time
there will be considerable number of active connectioons.
I believe we can use sa
Hi,
I have a question on ECC ciphers implementaion in OpenSSL. I do see
README.ECC file in FIPS certfied OpenSSL crypto library. That says The
OpenSSL Software Foundation has executed a sublicense agreement
entitled "Elliptic Curve Cryptography Patent License Agreement" with the
National Security
Hi Jakob and Paul,
Thank you so much for the reply. We have the RSA certificates. I wanted to
understand how generally DH parameters are generated. Thanks for the
detailed answers.
Regards
Jayalakshmi
On Wed, Dec 6, 2017 at 12:48 AM, Jakob Bohm wrote:
> On 06/12/2017 07:02, Jayalakshmi b
[mailto:openssl-users-boun...@openssl.org] On
> Behalf Of Jayalakshmi bhat
> > Sent: Wednesday, December 06, 2017 01:07
>
> > Does it mean to use ECC ciphers from OpenSSL does the end user needs to
> get the license from Citricom?
>
> Consult a lawyer. Opinions on this t
Hi Michael,
Thanks for very detailed answers. This will surely help me to investigate
further.
Regards
Jaya
On Wed, Dec 6, 2017 at 7:37 PM, Michael Wojcik <
michael.woj...@microfocus.com> wrote:
> > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On
> Behalf Of Salz, Rich via ope
Hi Rich,
Thanks for the reply. We are planning to use DHE_RSA based ciphers.
Regards
Jaya
On Wed, Dec 6, 2017 at 7:20 PM, Salz, Rich via openssl-users <
openssl-users@openssl.org> wrote:
> You can re-use the keys, but then you get no forward secrecy, and sessions
> generated with one connectio
Hi All,
Thanks for the inputs, This gives me a good understanding on these ciphers
usage.
Thanks and Regards
Jayalakshmi
On Thu, Dec 7, 2017 at 10:31 PM, Jakob Bohm wrote:
> On 07/12/2017 15:05, Michael Wojcik wrote:
>
>> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
Hi All,
We are using DRBG using AES-CTR-256 in FIPS mode. I could find test
suite/file that takes CAVP test request and generating the response for
DRBG using AES-CTR-256.
However I am not finding any test suite/file that validates AES-CTR
128/192/256 bits. Please can any one let me know while te
Hello All,
We have 2 RSA OpenSSL engines in our product. Both the engines performs
same RSA encyrpt/decrypt operations. For easy explaination I am naming
engines as
1. RSA smart card engine
2. RSA TPM engine
Engine usage is application specific.There are couple of applications
dependent on RSA
Hi All,
I am building FIPS supported OpenSSL in yocto for ARM architecture. I tried
using openssl-fips-2.0.13 and openssl-fips-2.0.4
I am building FIPS externally with the below environmental settings
---
FIPS_signature
Regards
Jayalakshmi
On Thu, May 3, 2018 at 7:39 PM, Jayalakshmi bhat wrote:
> Hi All,
>
> I am building FIPS supported OpenSSL in yocto for ARM architecture. I
> tried using openssl-fips-2.0.13 and openssl-fips-2.0.4
>
>
> I am building FIPS externally with the below en
63 matches
Mail list logo