fipsld in CMake
Hello, I am trying to compile an openSSL wrapper for use on android, using fipsld to generate a fips compliant so file. It seems that android favors cmake now, so I was wondering if anyone got the fipsld steps working within cmake successfully and can give any pointers Thanks
RE: Server(TomCat) disconnect client(ECDHE-RSA-AES128-SHA) openssl-1.1.1c
Hi, There a list ciphers compiled in openssl-1.11.c ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA None support CBC. How compile openssl with CBC support? best regards Ranier Vilela De: Ranier VF Enviado: segunda-feira, 19 de agosto de 2019 17:30 Para: openssl-users@openssl.org Assunto: Server(TomCat) disconnect client(ECDHE-RSA-AES128-SHA) openssl-1.1.1c Hi, I have a trouble with use of openssl-1.1.1c when connects with homologacao.sefaz.mt.gov.br: Server Cipher suites: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Client is setup with: SSL_set_cipher_list(tls, "ALL") Server disconnects connection. 1.Why, session cipher select by client is: ECDHE-RSA-AES128-SHA 2.How configure client to use server ciphers? Logs: DTLS: no protocol: TLSv1.3 cipher name: (NONE) DTLS: no protocol: TLSv1.3 cipher name: (NONE) SSL_connect:before SSL initialization DTLS: no protocol: TLSv1.2 cipher name: (NONE) SSL_connect:SSLv3/TLS write client hello DTLS: no protocol: TLSv1.2 cipher name: (NONE) SSL_connect:SSLv3/TLS write client hello DTLS: no protocol: TLSv1.2 cipher name: (NONE) SSL_connect:SSLv3/TLS read server hello DTLS: no protocol: TLSv1.2 cipher name: (NONE) SSL_connect:SSLv3/TLS read server certificate DTLS: no protocol: TLSv1.2 cipher name: (NONE) SSL_connect:SSLv3/TLS read server key exchange DTLS: no protocol: TLSv1.2 cipher name: (NONE) SSL_connect:SSLv3/TLS read server done DTLS: no protocol: TLSv1.2 cipher name: (NONE) SSL_connect:SSLv3/TLS write client key exchange DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA SSL_connect:SSLv3/TLS write change cipher spec DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA SSL_connect:SSLv3/TLS write finished DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA SSL_connect:SSLv3/TLS write finished DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA SSL_connect:SSLv3/TLS read change cipher spec DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA SSL_connect:SSLv3/TLS read finished DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA SSL_connect:SSL negotiation finished successfully DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA SSL_connect:SSL negotiation finished successfully DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA SSL_connect:SSLv3/TLS read hello request DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA SSL_connect:SSLv3/TLS write client hello DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA SSL_connect:SSLv3/TLS write client hello DTLS: no protocol: TLSv1.2 cipher name: (NONE) SSL_connect:SSLv3/TLS read server hello DTLS: no protocol: TLSv1.2 cipher name: (NONE) SSL_connect:SSLv3/TLS read server certificate DTLS: no protocol: TLSv1.2 cipher name: (NONE) SSL_connect:SSLv3/TLS read server key exchange DTLS: no protocol: TLSv1.2 cipher name: (NONE) SSL_connect:SSLv3/TLS read server certificate request DTLS: no protocol: TLSv1.2 cipher name: (NONE) SSL_connect:SSLv3/TLS read server done DTLS: no protocol: TLSv1.2 cipher name: (NONE) SSL_connect:SSLv3/TLS write client certificate DTLS: no protocol: TLSv1.2 cipher name: (NONE) SSL_connect:SSLv3/TLS write client key exchange DTLS: no protocol: TLSv1.2 cipher name: (NONE) SSL_connect:SSLv3/TLS write certificate verify DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA SSL_connect:SSLv3/TLS write change cipher spec DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA SSL_connect:SSLv3/TLS write finished DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA SSL3 alert read:fatal:handshake failure DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA SSL_connect:error in error SSL_read failed:: WSAError: 0 SSL State: SSLERR SSL Error: -1 1 error:0001:lib(0):func(0):reason(1) SSL Error: -1 336151568 error:14094410:SSL
Server(TomCat) disconnect client(ECDHE-RSA-AES128-SHA) openssl-1.1.1c
Hi, I have a trouble with use of openssl-1.1.1c when connects with homologacao.sefaz.mt.gov.br: Server Cipher suites: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Client is setup with: SSL_set_cipher_list(tls, "ALL") Server disconnects connection. 1.Why, session cipher select by client is: ECDHE-RSA-AES128-SHA 2.How configure client to use server ciphers? Logs: DTLS: no protocol: TLSv1.3 cipher name: (NONE) DTLS: no protocol: TLSv1.3 cipher name: (NONE) SSL_connect:before SSL initialization DTLS: no protocol: TLSv1.2 cipher name: (NONE) SSL_connect:SSLv3/TLS write client hello DTLS: no protocol: TLSv1.2 cipher name: (NONE) SSL_connect:SSLv3/TLS write client hello DTLS: no protocol: TLSv1.2 cipher name: (NONE) SSL_connect:SSLv3/TLS read server hello DTLS: no protocol: TLSv1.2 cipher name: (NONE) SSL_connect:SSLv3/TLS read server certificate DTLS: no protocol: TLSv1.2 cipher name: (NONE) SSL_connect:SSLv3/TLS read server key exchange DTLS: no protocol: TLSv1.2 cipher name: (NONE) SSL_connect:SSLv3/TLS read server done DTLS: no protocol: TLSv1.2 cipher name: (NONE) SSL_connect:SSLv3/TLS write client key exchange DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA SSL_connect:SSLv3/TLS write change cipher spec DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA SSL_connect:SSLv3/TLS write finished DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA SSL_connect:SSLv3/TLS write finished DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA SSL_connect:SSLv3/TLS read change cipher spec DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA SSL_connect:SSLv3/TLS read finished DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA SSL_connect:SSL negotiation finished successfully DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA SSL_connect:SSL negotiation finished successfully DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA SSL_connect:SSLv3/TLS read hello request DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA SSL_connect:SSLv3/TLS write client hello DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA SSL_connect:SSLv3/TLS write client hello DTLS: no protocol: TLSv1.2 cipher name: (NONE) SSL_connect:SSLv3/TLS read server hello DTLS: no protocol: TLSv1.2 cipher name: (NONE) SSL_connect:SSLv3/TLS read server certificate DTLS: no protocol: TLSv1.2 cipher name: (NONE) SSL_connect:SSLv3/TLS read server key exchange DTLS: no protocol: TLSv1.2 cipher name: (NONE) SSL_connect:SSLv3/TLS read server certificate request DTLS: no protocol: TLSv1.2 cipher name: (NONE) SSL_connect:SSLv3/TLS read server done DTLS: no protocol: TLSv1.2 cipher name: (NONE) SSL_connect:SSLv3/TLS write client certificate DTLS: no protocol: TLSv1.2 cipher name: (NONE) SSL_connect:SSLv3/TLS write client key exchange DTLS: no protocol: TLSv1.2 cipher name: (NONE) SSL_connect:SSLv3/TLS write certificate verify DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA SSL_connect:SSLv3/TLS write change cipher spec DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA SSL_connect:SSLv3/TLS write finished DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA SSL3 alert read:fatal:handshake failure DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA SSL_connect:error in error SSL_read failed:: WSAError: 0 SSL State: SSLERR SSL Error: -1 1 error:0001:lib(0):func(0):reason(1) SSL Error: -1 336151568 error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure SSL_connect:before SSL initialization SSL_connect:SSLv3/TLS write client hello SSL_connect:SSLv3/TLS write client hello SSL_connect:SSLv3/TLS read server hello SSL_connect:SSLv3/TLS read server certificate SSL_connect:SSLv3/TLS read server key exchange SSL_connect:SSLv3/TLS read server done SSL_connect:SSLv3/TLS write client key exchange SSL_connect:SSLv3/TLS write change cipher spec SSL_connect:SSLv3/TLS write finished SSL_connect:SSLv3/TLS write finished SSL_connect:SSLv3/TLS read change cipher spec DTLS: no protocol: TLSv1.2 cipher name: ECDHE-RSA-AES128-SHA SSL_connect:SSLv3/TLS read finished SSL_read failed:: WSAError: 10054 SSL State: SSLOK SSL Error: -1 5 error:0005:lib(0):func(0):DH lib
Re: client certs with no subjectName only SAN
On 8/16/2019 9:34 AM, Erwann Abalea via openssl-users wrote: > Remove the 2 Netscape extensions, they're way obsolete (don't know why > OpenSSL keeps them by default). > Is there a preferred alternative to the "Netscape Comment"? That seems like a useful attribute, and I don't find anything more generic. -- Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris
Can we build FOM with static runtime on win32?
Dear Experts, Can we build the FIPS object module with static CRT (/MT) on windows? Can I run 'perl configure' before calling ms/do_fips.bat while building FOM? Could not infer this from the documents. Thank you.
FIPS object module with /MT
Dear Experts, Why can one not build the OpenSSL FIPS object module (FOM) with /MT on windows officially? I read that modifying any flags / steps while building FOM is not allowed. Is there any complaint workaround for using FOM with an application which is built with /MT? Thank you.
