On Wed, Aug 13, 2008, Justin A wrote:

> Thanks for the reply. Appreciated.
> 
> I have a couple of questions which are bothering me.
> 
> These are the steps I followed to build the FIPS. The place where I download:
> ftp://ftp.openssl.org/snapshot/
> 
> 1) Download openssl-fips-test-1.2.0.tar.gz, build it with the ./config fips
> option to generate fipsld, fipscanister, etc., and downloaded the latest
> openssl-0.9.8-fips-test-SNAP-20080813.tar.gz to build the FIPS capable
> openssl libcrypto and libssl. Are these steps right? I followed them
> through the README.
> 
> 2) I tried checking PEM_ASN1_write_bio and even PEM_read_bio, which
> also uses EVP_md5() internally in 0.9.7. In which of the 0.9.7 FIPS capable
> distributions did you mention that it uses EVP_sha1() internally? I could not
> find it, can you please point me to that? Is there a test website where I can
> download bits for 0.9.8 which has EVP_sha1() implemented?
> 
> 3) Lastly, all the PEM_write_bio_* routines point to this function,
> PEM_ASN1_write_bio, which uses md5() internally. Will this change to sha1() in
> the coming releases of 0.9.8 to support FIPS?
> 

The PEM_ASN1_write_bio() function is only really used with encryption and
private keys. So you need to check out PEM_write_bio_PrivateKey() et al.

The MD5 PEM based encryption is non-standard and unique to OpenSSL. It has
been there since the SSLeay days. It is retained for compatibility.

Instead of making up another non-standard version for FIPS mode, the
standardised PKCS#8 format is used. In some future version of OpenSSL
PKCS#8 will be the default private key format.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
