Re: [openssl-users] Can OpenSSL applications/utilities use SunSPARC crypto accelerators?

2015-07-16 Thread Misaki Miyashita

Hi Aaron,

SPARC T4 engine is an engine developed and provided by Oracle Solaris, 
and therefore, it is available through Oracle Solaris.


If you would like to take advantage of the SPARC T4 processors and you 
would like to build your own OpenSSL, OpenSSL 1.0.2 will have inlined 
SPARC T4 processor support, assuming you have a T4/T4+ system.


Hope that answers your question.

Regards.

-- misaki

On 7/15/2015 8:43 PM, Aaron wrote:

I checked utility 'openssl' built by me in Solaris 11.1 and the default
'openssl' installed in Solaris 11.1. I noticed that my 'openssl' does NOT
have SPARC T4 engine support. This may be the reason why my 'openssl' is
much slower. Now the question is how to build 'openssl' to let it have
SPARC T4 engine support. I checked the OpenSSL documents, but it seems there
are no descriptions regarding this topic.

1) This is the 'openssl' built by me on Solaris 11.1
ksol1% ./1.0.2d/normal/openssl/bin/openssl engine
(dynamic) Dynamic engine loading support
(4758cca) IBM 4758 CCA hardware engine support
(aep) Aep hardware engine support
(atalla) Atalla hardware engine support
(cswift) CryptoSwift hardware engine support
(chil) CHIL hardware engine support
(nuron) Nuron hardware engine support
(sureware) SureWare hardware engine support
(ubsec) UBSEC hardware engine support
(gost) Reference implementation of GOST engine

2) This is the default 'openssl' installed in Solaris 11.1
ksol1% /usr/bin/openssl engine
(t4) SPARC T4 engine support
(dynamic) Dynamic engine loading support
(pkcs11) PKCS #11 engine support

Does anybody know the answer, please?

Thanks,
Aaron




___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users




[openssl-users] Disable EXPORT cipher suites during compilation

2015-07-16 Thread pratyush parimal
Hi everyone,

I am trying to disable the EXPORT ciphers in my OpenSSL code, during
compile-time.

I'm able to do so at runtime by including '!EXP' in the string I use with
SSL_CTX_set_cipher_list(). However, I'm wondering: is there an option (like
'no-rc5') that I can pass to Configure?

./Configure --help says that I can use no-cipher to disable stuff, so I
used no-exp, but I think that didn't work since the list of ciphers I get
from SSL_get_ciphers() still includes EXP-... ciphers.

So does anyone know of a way to compile them out?

Thanks,
Pratyush


[openssl-users] Loading pkcs11 engine opensc without using command line

2015-07-16 Thread Anirudh Raghunath
Hello, 

I want to write a program in which I can load a certificate from a smartcard 
instead of having it in a file on the client machine. In order to do so I will 
be using the opensc's engine_pkcs11 module. The module works fine using the 
shell but I want to implement it as an independent program. For example if I 
use the rsautl module then I can provide the inkey option and keyform option to 
use the private key from the smartcard. Look at the snippet below:

    openssl rsautl -sign -in file -keyform engine -engine pkcs11 -inkey slot_1-id_54a4c9bdaf3ff82b3367b586a6658c23 -out sig

In order to do so I have to load the engine first. I do that as follows:

    openssl engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so

which yields the result:


    (dynamic) Dynamic engine loading support
    [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
    [Success]: ID:pkcs11
    [Success]: LIST_ADD:1
    [Success]: LOAD
    [Success]: MODULE_PATH:opensc-pkcs11.so
    Loaded: (pkcs11) pkcs11 engine


I want to do the same using C code in an independent program so that I can use 
the:

    static X509 *pkcs11_load_cert(ENGINE * e, const char *s_slot_cert_id)

function to get the certificate from the smart card.

So I tried to debug engine.c using ddd debugger to understand exactly which 
part of the code was required to just load the engine. In the same program I 
want to use the opensc function to load certificate directly from the smartcard 
and then use it in further server client communication.

Thanks in advance.


[openssl-users] Help needed on FIPS error 0409A09E:lib(4):func(154):reason(158)

2015-07-16 Thread Jayalakshmi bhat
Hi All,

I am using the OpenSSL library for an SSL client performing mutual
authentication. The RSA certificate used is signed with a SHA512 digest. When I
switch to FIPS mode and perform re-authentication, I am hitting an
error :0409A09E:lib(4):func(154):reason(158). The cipher used is AES128-SHA.

Can anyone tell me what could be the possible issue?

Thanks and Regards
Jayalakshmi


Re: [openssl-users] Help needed on FIPS error 0409A09E:lib(4):func(154):reason(158)

2015-07-16 Thread Dr. Stephen Henson
On Thu, Jul 16, 2015, Jayalakshmi bhat wrote:

> Hi All,
>
> I am using the OpenSSL library for an SSL client performing mutual
> authentication. The RSA certificate used is signed with a SHA512 digest. When I
> switch to FIPS mode and perform re-authentication, I am hitting an
> error :0409A09E:lib(4):func(154):reason(158). The cipher used is AES128-SHA.
>
> Can anyone tell me what could be the possible issue?

A bit more information would be helpful. When you say SSL client do you mean
using SSL v3.0 or TLS? SSL 3.0 isn't allowed in FIPS mode but I'd expect a
different error.

Which version of OpenSSL are you using? Can you reproduce the error using
s_client?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
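
How the error code in this thread breaks down, as an added example that is not part of either message: assuming the OpenSSL 1.0.x layout, the library, function and reason numbers are packed into the 32-bit code as 8, 12 and 12 bits, so the hex value can be checked against the printed `lib(4):func(154):reason(158)` fields, and library 4 is the RSA library. The names `ossl_err`, `lib_name` and `decode_ossl_error` are made up for this example, and the name table is only a subset.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* OpenSSL 1.0.x ERR_PACK(): 8 bits library, 12 bits function, 12 bits reason. */
struct ossl_err { unsigned long code; int lib, func, reason; };

/* Subset of the ERR_LIB_* numbers from <openssl/err.h> (1.0.x). */
static const char *lib_name(int lib)
{
    switch (lib) {
    case 2:  return "SYS";
    case 4:  return "RSA";
    case 6:  return "EVP";
    case 11: return "X509";
    case 20: return "SSL";
    case 38: return "ENGINE";
    case 45: return "FIPS";
    default: return "unknown";
    }
}

/* Parse "[error]:XXXXXXXX[:lib(n):func(n):reason(n)]". Returns 0 on success,
 * -1 on malformed input, -2 when the printed fields disagree with the hex. */
static int decode_ossl_error(const char *s, struct ossl_err *out)
{
    char *end;
    int l, f, r;
    if (strncmp(s, "error", 5) == 0) s += 5;
    if (*s == ':') s++;                 /* the thread prints ":0409A09E:..." */
    out->code = strtoul(s, &end, 16);
    if (end - s != 8) return -1;
    out->lib    = (int)((out->code >> 24) & 0xff);
    out->func   = (int)((out->code >> 12) & 0xfff);
    out->reason = (int)(out->code & 0xfff);
    if (*end == '\0') return 0;
    if (sscanf(end, ":lib(%d):func(%d):reason(%d)", &l, &f, &r) != 3) return -1;
    return (l == out->lib && f == out->func && r == out->reason) ? 0 : -2;
}

int main(void)
{
    struct ossl_err e;
    if (decode_ossl_error(":0409A09E:lib(4):func(154):reason(158)", &e) != 0)
        return 1;
    printf("%08lX -> lib %d (%s), func %d, reason %d\n",
           e.code, e.lib, lib_name(e.lib), e.func, e.reason);
    return 0;
}
```

The numeric-only `lib(..):func(..):reason(..)` form is what OpenSSL prints when the error strings have not been loaded; after `ERR_load_crypto_strings()` and `SSL_load_error_strings()`, `ERR_error_string()` gives the names directly.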


Re: [openssl-users] Loading pkcs11 engine opensc without using command line

2015-07-16 Thread Dr. Stephen Henson
On Thu, Jul 16, 2015, Anirudh Raghunath wrote:

> Hello,
>
> I want to write a program in which I can load a certificate from a smartcard
> instead of having it in a file on the client machine. In order to do so I
> will be using the opensc's engine_pkcs11 module. The module works fine using
> the shell but I want to implement it as an independent program. For example
> if I use the rsautl module then I can provide the inkey option and keyform
> option to use the private key from the smartcard. Look at the snippet below:
>
>     openssl rsautl -sign -in file -keyform engine -engine pkcs11 -inkey slot_1-id_54a4c9bdaf3ff82b3367b586a6658c23 -out sig
>
> In order to do so I have to load the engine first. I do that as follows:
>
>     openssl engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so
>
> which yields the result:
>
>     (dynamic) Dynamic engine loading support
>     [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
>     [Success]: ID:pkcs11
>     [Success]: LIST_ADD:1
>     [Success]: LOAD
>     [Success]: MODULE_PATH:opensc-pkcs11.so
>     Loaded: (pkcs11) pkcs11 engine
>
> I want to do the same using C code in an independent program so that I can
> use the:
>
>     static X509 *pkcs11_load_cert(ENGINE * e, const char *s_slot_cert_id)
>
> function to get the certificate from the smart card.
>
> So I tried to debug engine.c using ddd debugger to understand exactly which
> part of the code was required to just load the engine. In the same program I
> want to use the opensc function to load certificate directly from the
> smartcard and then use it in further server client communication.
 

You may be able to make use of the automatic dynamic engine loading mechanism
to simplify things. You can pass the ENGINE DSO path as the ENGINE name or to
the function ENGINE_by_id() and it should load it.

I suggest you try it with the command line utility first.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org