query regarding openssl and FIPS

2019-07-02 Thread manju prasad
Hi

I have two queries. I am new to FIPS validation.

The first query is
1. We have a system which is using Arm Cortex-A9 on ThreadX.
If I cross compile FIPS module 2.0.16 for ThreadX (Arm Cortex-A9) and use
openssl 1.0.2s, can we claim that our product is FIPS compliant?

The second query is
2. One of our clients wants to use FIPS module 2.0.5 on a system which is
using Arm Cortex-A9 on VxWorks 6.9. If I cross compile FIPS module 2.0.5
for VxWorks 6.9 (Arm Cortex-A9) and use openssl 1.0.2s, can we claim that
our product is FIPS compliant?

Regards
Manju


Re: OpenSSL 1.1.1 RPM for CentOS 7

2019-07-02 Thread Dennis Clarke

On 7/2/19 12:12 PM, Karel de Henks wrote:

> Hi,
>
> I'm searching on the internet for an OpenSSL version 1.1.1 RPM package
> for CentOS 7.
> However, I cannot find this. Perhaps one of the users in the mailing
> list has this package already available.

On CentOS or RHEL 7 it should be totally trivial to just build it from
the sources and install into /usr/local.  Why do you (and others) feel
you *need* a package from some mystery person?


--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional


openssl-fips configure parameters to force IANA cipher suite compliance

2019-07-02 Thread Larry Jordan via openssl-users
I want to build an openssl-fips canister to force IANA cipher suite compliance.

With the help of an openssl-iana mapping 
(https://testssl.sh/openssl-iana.mapping.html) I can identify the corresponding 
OpenSSL cipher suites.

IANA                                                            OpenSSL
TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246             [0x2f] AES128-SHA
TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246          [0x3c] AES128-SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246          [0x3d] AES256-SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288          [0x9d] AES256-GCM-SHA384

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246      [0x67] DHE-RSA-AES128-SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246      [0x6b] DHE-RSA-AES256-SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288      [0x9f] DHE-RSA-AES256-GCM-SHA384

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289  [0xc023] ECDHE-ECDSA-AES128-SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289  [0xc02b] ECDHE-ECDSA-AES128-GCM-SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289  [0xc024] ECDHE-ECDSA-AES256-SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289  [0xc02c] ECDHE-ECDSA-AES256-GCM-SHA384

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289    [0xc027] ECDHE-RSA-AES128-SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289    [0xc02f] ECDHE-RSA-AES128-GCM-SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289    [0xc028] ECDHE-RSA-AES256-SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289    [0xc030] ECDHE-RSA-AES256-GCM-SHA384

How would I configure openssl-fips to force this precise compliance, 
eliminating all other cipher suites?

Thank you.

--Larry
C++ Developer
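
Added example, not part of the thread: a run-time audit that applies the OpenSSL names listed above as a cipher string and reports any TLS 1.2-and-earlier suite the library enables beyond them. It assumes Python's `ssl` module and whatever OpenSSL it is linked against, not an openssl-fips canister build, and it does not address build-time configure options; the function names are this example's own.

```python
import re
import ssl

# Code point / OpenSSL name pairs copied from the list in the message above.
WANTED = """
[0x2f] AES128-SHA
[0x3c] AES128-SHA256
[0x3d] AES256-SHA256
[0x9d] AES256-GCM-SHA384
[0x67] DHE-RSA-AES128-SHA256
[0x6b] DHE-RSA-AES256-SHA256
[0x9f] DHE-RSA-AES256-GCM-SHA384
[0xc023] ECDHE-ECDSA-AES128-SHA256
[0xc02b] ECDHE-ECDSA-AES128-GCM-SHA256
[0xc024] ECDHE-ECDSA-AES256-SHA384
[0xc02c] ECDHE-ECDSA-AES256-GCM-SHA384
[0xc027] ECDHE-RSA-AES128-SHA256
[0xc02f] ECDHE-RSA-AES128-GCM-SHA256
[0xc028] ECDHE-RSA-AES256-SHA384
[0xc030] ECDHE-RSA-AES256-GCM-SHA384
"""

def parse_wanted(text=WANTED):
    """Return {code_point: openssl_name} from '[0x..] NAME' lines."""
    return {int(code, 16): name
            for code, name in re.findall(r"\[(0x[0-9a-fA-F]+)\]\s+(\S+)", text)}

def audit_cipher_string(wanted=None):
    """Apply the allow-list and compare it with what the library enables.

    Returns (missing, extra): wanted code points this build does not offer,
    and enabled TLS <= 1.2 suite names that are not on the list.
    """
    wanted = wanted or parse_wanted()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(":".join(wanted.values()))
    enabled = {}
    for c in ctx.get_ciphers():
        # The cipher string does not govern TLS 1.3 suites; skip them here.
        if c["protocol"] == "TLSv1.3":
            continue
        enabled[c["id"] & 0xFFFF] = c["name"]  # low 16 bits = IANA code point
    missing = sorted(set(wanted) - set(enabled))
    extra = sorted(n for code, n in enabled.items() if wanted.get(code) != n)
    return missing, extra

if __name__ == "__main__":
    missing, extra = audit_cipher_string()
    print("missing:", [hex(m) for m in missing], "extra:", extra)
```

An empty `extra` list means the cipher string admitted nothing outside the table; entries in `missing` are suites the linked library was built or configured without.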


OpenSSL 1.1.1 RPM for CentOS 7

2019-07-02 Thread Karel de Henks
Hi,

I'm searching on the internet for an OpenSSL version 1.1.1 RPM package for
CentOS 7.
However, I cannot find this. Perhaps one of the users in the mailing list has
this package already available.

Thanks