Hi Steve, thank you very much, that fixed it!

Erik

....................................
Erik Tkal
Juniper OAC/UAC/Pulse Development

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Dr. Stephen Henson
Sent: Thursday, April 19, 2012 8:10 PM
To: [email protected]
Subject: Re: ENGINE reference leak using FIPS-capable OpenSSL

On Fri, Apr 20, 2012, Roumen Petrov wrote:

> Dr. Stephen Henson wrote:
> >On Wed, Apr 18, 2012, Erik Tkal wrote:
> >
> >>Any takers? Should I be able to build a FIPS-capable OpenSSL and have some
> >>of the implementation be provided via an ENGINE (e.g. let's say I have a
> >>hardware module to perform AES) but some by the OpenSSL FIPS canister? Or
> >>is it truly all or nothing?
> >>
> >Yes the FIPS capable OpenSSL should behave in a manner similar to
> >non-FIPS capable OpenSSL when not in FIPS mode, though it currently
> >uses the algorithm implementations in the FIPS module even when not in FIPS
> >mode.
> >
> >I'll look into it.
> OpenSSL tests start to fail after "only call FIPS_cipherinit in FIPS
> mode" - 1.0.{1|2}_stable fips build:
> ....
> aes-128-cbc
> Error setting cipher AES-128-CBC
> Error setting cipher AES-128-CBC
> cmp: EOF on ./p.aes-128-cbc.clear
> ....
>

Ooops! This should fix it:

http://cvs.openssl.org/chngview?cn=22456

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
