Re: OpenSSL compilation errors in Windows

2019-10-21 Thread Nagalakshmi V J
Hi Matt,

Yes, exactly. We followed the same and were able to resolve the errors. Thank you so much 
for the support and guidance. I'll get back if there are any further errors.

Thanks & Regards,
Nagalakshmi V J

From: Matt Caswell 
Sent: 21 October 2019 21:26:32
To: Nagalakshmi V J ; openssl-users@openssl.org 

Subject: Re: OpenSSL compilation errors in Windows


On 20/10/2019 08:43, Nagalakshmi V J wrote:
> Hi Matt,
>
> This link has a few APIs. But for getting master_key_length, I don't
> find any API. Not sure if we need to use getMasterKey API for that.

You can use SSL_SESSION_get_master_key() for this.

Note this comment in the RETURN VALUES section:

"For the other functions, if outlen is greater than 0 then these
functions return the number of bytes actually copied, which will be less
than or equal to outlen. If outlen is 0 then these functions return the
maximum number of bytes they would copy -- that is, the length of the
underlying field."

So to discover the master_key_length, call the function with outlen set to
zero. You can then allocate an appropriately sized buffer and call the
function again in order to get the actual master key.

Matt


>
> I will try to use these APIs and get back.
>
> Thanks & Regards,
> Nagalakshmi V J
> 
> *From:* Matt Caswell 
> *Sent:* 18 October 2019 14:48:33
> *To:* Nagalakshmi V J ;
> openssl-users@openssl.org 
> *Subject:* Re: OpenSSL compilation errors in Windows
>
>
> On 18/10/2019 11:49, Nagalakshmi V J wrote:
>> Now the issue is that the SSL_session structure also has accessor APIs
>> which I am not aware of. So I need to get the APIs for accessing the
>> master_key_length, etc. given in the above code. Those are not listed
>> in the openssl link referred.
>
> On this page look at the various functions beginning with "SSL_SESSION_"
> in the name:
>
> https://www.openssl.org/docs/man1.1.1/man3/
>
> From the code sample you gave you are probably mostly interested in the
> functions on this page:
>
> https://www.openssl.org/docs/man1.1.1/man3/SSL_SESSION_get_master_key.html
>
> Matt
>


Re: OpenSSL compilation errors in Windows

2019-10-21 Thread Matt Caswell



On 20/10/2019 08:43, Nagalakshmi V J wrote:
> Hi Matt,
> 
> This link has a few APIs. But for getting master_key_length, I don't
> find any API. Not sure if we need to use getMasterKey API for that.

You can use SSL_SESSION_get_master_key() for this.

Note this comment in the RETURN VALUES section:

"For the other functions, if outlen is greater than 0 then these
functions return the number of bytes actually copied, which will be less
than or equal to outlen. If outlen is 0 then these functions return the
maximum number of bytes they would copy -- that is, the length of the
underlying field."

So to discover the master_key_length, call the function with outlen set to
zero. You can then allocate an appropriately sized buffer and call the
function again in order to get the actual master key.

Matt


> 
> I will try to use these APIs and get back.
> 
> Thanks & Regards,
> Nagalakshmi V J
> 
> *From:* Matt Caswell 
> *Sent:* 18 October 2019 14:48:33
> *To:* Nagalakshmi V J ;
> openssl-users@openssl.org 
> *Subject:* Re: OpenSSL compilation errors in Windows
>  
> 
> On 18/10/2019 11:49, Nagalakshmi V J wrote:
>> Now the issue is that the SSL_session structure also has accessor APIs
>> which I am not aware of. So I need to get the APIs for accessing the
>> master_key_length, etc. given in the above code. Those are not listed
>> in the openssl link referred.
> 
> On this page look at the various functions beginning with "SSL_SESSION_"
> in the name:
> 
> https://www.openssl.org/docs/man1.1.1/man3/
> 
> From the code sample you gave you are probably mostly interested in the
> functions on this page:
> 
> https://www.openssl.org/docs/man1.1.1/man3/SSL_SESSION_get_master_key.html
> 
> Matt
> 
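
The two-call pattern described in the message above, as an added C example that is not part of the thread or of OpenSSL's own code. So that it builds without libssl, `fake_session` and `fake_get_master_key` are constructed stand-ins that follow the quoted return-value contract; `getter_fn`, `copy_field` and `wipe` are hypothetical names, and real code would pass a wrapper around SSL_SESSION_get_master_key() and use OPENSSL_cleanse() in place of `wipe`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same shape as SSL_SESSION_get_master_key(session, out, outlen). */
typedef size_t (*getter_fn)(const void *obj, unsigned char *out, size_t outlen);

/* Constructed stand-in for an SSL_SESSION so this builds without libssl. */
struct fake_session { unsigned char key[48]; size_t key_len; };

/* Follows the quoted contract: outlen == 0 returns the field length,
 * otherwise at most outlen bytes are copied and the count is returned. */
static size_t fake_get_master_key(const void *obj, unsigned char *out, size_t outlen)
{
    const struct fake_session *s = obj;
    if (outlen == 0) return s->key_len;
    if (outlen > s->key_len) outlen = s->key_len;
    memcpy(out, s->key, outlen);
    return outlen;
}

/* Stand-in for OPENSSL_cleanse(): volatile stores are not optimised away. */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Two-call pattern: ask for the length, allocate, then fetch the bytes.
 * Returns a malloc'd buffer the caller must wipe and free, or NULL. */
static unsigned char *copy_field(getter_fn get, const void *obj, size_t *len)
{
    size_t need = get(obj, NULL, 0);          /* first call: length only */
    unsigned char *buf = need ? malloc(need) : NULL;
    if (buf != NULL && get(obj, buf, need) != need) {  /* second call */
        wipe(buf, need);                      /* short copy: discard it */
        free(buf);
        buf = NULL;
    }
    *len = buf ? need : 0;
    return buf;
}

int main(void)
{
    struct fake_session s = { {0xAB}, 48 };   /* constructed sample key */
    size_t n;
    unsigned char *mk = copy_field(fake_get_master_key, &s, &n);
    printf("master_key_length = %zu\n", n);
    if (mk) { wipe(mk, n); free(mk); }        /* key material is secret */
    return 0;
}
```

The master key is secret session material, so the copy is zeroed before it is freed rather than left in heap memory.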


Re: OpenSSL 1.0.2 EOL and new FIPS-validated crypto module

2019-10-21 Thread Dr Paul Dale
The EOL date for OpenSSL 1.0.2 will not be extended.

It is possible to purchase premium level support which will provide 1.0.2 
updates beyond its normal end of life.  See: 
https://www.openssl.org/support/contracts.html#premium 



Pauli
-- 
Dr Paul Dale | Distinguished Architect | Cryptographic Foundations 
Phone +61 7 3031 7217
Oracle Australia




> On 21 Oct 2019, at 9:11 pm, Salman Baset  wrote:
> 
> Hello everyone,
> 
> I was wondering if there is any update on getting a new FIPS-validated module 
> for OpenSSL by the end of this year (before EOL of 1.0.2), as was mentioned 
> in this blog post:
> https://www.openssl.org/blog/blog/2018/09/25/fips/ 
> 
> 
> According to this email, the new FIPS module is dependent on OpenSSL 3.0, 
> whose release timing is not certain yet.
> https://mta.openssl.org/pipermail/openssl-users/2019-February/009836.html 
> 
> 
> I would appreciate it if someone can provide an update on the new FIPS timeline 
> as that will help folks who are looking to depend on OpenSSL's FIPS-validated 
> modules in the next 6-9 months or so.
> 
> Lastly, is there any chance of extending the EOL date of OpenSSL 1.0.2 till 
> the new FIPS module/OpenSSL 3.0 becomes available?
> 
> Thanks
> Salman



Re: OpenSSL 1.0.2 EOL and new FIPS-validated crypto module

2019-10-21 Thread Salz, Rich via openssl-users
> Lastly, is there any chance of extending the EOL date of OpenSSL 1.0.2 
> till the new FIPS module/OpenSSL 3.0 becomes available?

This question gets asked a great deal.  Why?

The OpenSSL project has not done any 1.0.2-FIPS work for years. This means that 
if there are any CVE-level bugs in 1.0.2 that affect(ed) that FIPS module, they 
weren’t getting fixed and the module wasn’t being revalidated. This has been 
the situation for several years. By 1.0.2 going out of support, all this means 
is that the OpenSSL project will not be posting bugfixes.  Nobody is going to 
come and make you delete your own copies.

So why do people care if it goes out of support?  I suspect the answer is 
this: by using the open source code, you didn’t have to pay anything or do any 
support and maintenance, and now they are worried about having to do so.

Is there another reason?



OpenSSL 1.0.2 EOL and new FIPS-validated crypto module

2019-10-21 Thread Salman Baset
Hello everyone,

I was wondering if there is any update on getting a new FIPS-validated
module for OpenSSL by the end of this year (before EOL of 1.0.2), as was
mentioned in this blog post:
https://www.openssl.org/blog/blog/2018/09/25/fips/

According to this email, the new FIPS module is dependent on OpenSSL 3.0,
whose release timing is not certain yet.
https://mta.openssl.org/pipermail/openssl-users/2019-February/009836.html

I would appreciate it if someone can provide an update on the new FIPS timeline
as that will help folks who are looking to depend on OpenSSL's
FIPS-validated modules in the next 6-9 months or so.

Lastly, is there any chance of extending the EOL date of OpenSSL 1.0.2 till
the new FIPS module/OpenSSL 3.0 becomes available?

Thanks
Salman