Re: how to compile openssl with -bindist option
Hi Matt,

One more doubt. Please let me know: if I compiled my openssl 0.9.8za without -no-ec option and I am not using this algorithm in any of my applications, then can I say my application is fips compliant?

Thanks,
Gayathri

On Wed, Aug 6, 2014 at 7:22 PM, Gayathri Manoj wrote:

> Hi,
>
> Thanks for your update.
> We tried to compile without -no-ec, but it failed.
>
> Thanks,
> Gayathri
>
> On Wed, Aug 6, 2014 at 7:16 PM, Matt Caswell wrote:
>
>> On 6 August 2014 14:35, Gayathri Manoj wrote:
>> > Hi Matt,
>> >
>> > Is there any solution to compile openssl-0.9.8za without -no-ec option. Or
>> > do we have any patch available to fix the fips breakage issue.
>> > Known issues in OpenSSL 0.9.8za:
>> >
>> > FIPS capable link failure with missing symbol BN_consttime_swap. Fixed in
>> > 0.9.8zb-dev. Workaround is to compile with no-ec: the EC algorithms are not
>> > FIPS approved in OpenSSL 0.9.8 anyway.
>> >
>>
>> 0.9.8zb is being released later today. So probably your best bet is to
>> wait for that.
>>
>> Although this does beg the question why you need a FIPS build if
>> you're going to be using non FIPS approved algorithms anyway?
>>
>> Matt
>> __
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-users@openssl.org
>> Automated List Manager                           majord...@openssl.org
Re: how to compile openssl with -bindist option
Hi,

Thanks for your update.
We tried to compile without -no-ec, but it failed.

Thanks,
Gayathri

On Wed, Aug 6, 2014 at 7:16 PM, Matt Caswell wrote:

> On 6 August 2014 14:35, Gayathri Manoj wrote:
> > Hi Matt,
> >
> > Is there any solution to compile openssl-0.9.8za without -no-ec option. Or
> > do we have any patch available to fix the fips breakage issue.
> > Known issues in OpenSSL 0.9.8za:
> >
> > FIPS capable link failure with missing symbol BN_consttime_swap. Fixed in
> > 0.9.8zb-dev. Workaround is to compile with no-ec: the EC algorithms are not
> > FIPS approved in OpenSSL 0.9.8 anyway.
> >
>
> 0.9.8zb is being released later today. So probably your best bet is to
> wait for that.
>
> Although this does beg the question why you need a FIPS build if
> you're going to be using non FIPS approved algorithms anyway?
>
> Matt
Re: how to compile openssl with -bindist option
On 6 August 2014 14:35, Gayathri Manoj wrote:
> Hi Matt,
>
> Is there any solution to compile openssl-0.9.8za without -no-ec option. Or
> do we have any patch available to fix the fips breakage issue.
> Known issues in OpenSSL 0.9.8za:
>
> FIPS capable link failure with missing symbol BN_consttime_swap. Fixed in
> 0.9.8zb-dev. Workaround is to compile with no-ec: the EC algorithms are not
> FIPS approved in OpenSSL 0.9.8 anyway.
>

0.9.8zb is being released later today. So probably your best bet is to wait for that.

Although this does beg the question why you need a FIPS build if you're going to be using non FIPS approved algorithms anyway?

Matt
Re: how to compile openssl with -bindist option
Hi Matt,

Is there any solution to compile openssl-0.9.8za without -no-ec option. Or do we have any patch available to fix the fips breakage issue.

*Known issues in OpenSSL 0.9.8za:*

- FIPS capable link failure with missing symbol BN_consttime_swap. Fixed in 0.9.8zb-dev. Workaround is to compile with no-ec: the EC algorithms are not FIPS approved in OpenSSL 0.9.8 anyway.

Thanks,
Gayathri

On Wed, Aug 6, 2014 at 6:56 PM, Matt Caswell wrote:

> On 6 August 2014 14:12, Gayathri Manoj wrote:
> > Hi Matt,
> >
> > Thanks Matt.
> >
> > My actual issue is that I am not able to generate ecdsa keys after upgrading
> > openssl version from 0.9.8y to 0.9.8za. For making our openssl fips
> > compliant we compiled the same with -no-ec option that is recommended by
> > openssl forum.
> >
> > For this issue I googled and got this info - compile openssl with -bindist.
> >
> > Please let me know if there is any other way to get an ecdsa key
> > ]# ssh-keygen -t ecdsa -b 1024
> > unknown key type ecdsa
> > #
> >
>
> Well you can't have it both ways! You can't disable EC and then expect
> to generate EC keys! If you want ECDSA don't use -no-ec
>
> Matt
Re: how to compile openssl with -bindist option
On 6 August 2014 14:12, Gayathri Manoj wrote:
> Hi Matt,
>
> Thanks Matt.
>
> My actual issue is that I am not able to generate ecdsa keys after upgrading
> openssl version from 0.9.8y to 0.9.8za. For making our openssl fips
> compliant we compiled the same with -no-ec option that is recommended by
> openssl forum.
>
> For this issue I googled and got this info - compile openssl with -bindist.
>
> Please let me know if there is any other way to get an ecdsa key
> ]# ssh-keygen -t ecdsa -b 1024
> unknown key type ecdsa
> #
>

Well you can't have it both ways! You can't disable EC and then expect to generate EC keys! If you want ECDSA don't use -no-ec

Matt
Re: how to compile openssl with -bindist option
Hi Matt,

Thanks Matt.

My actual issue is that I am not able to generate ecdsa keys after upgrading openssl version from 0.9.8y to 0.9.8za. For making our openssl fips compliant we compiled the same with -no-ec option that is recommended by openssl forum.

For this issue I googled and got this info - compile openssl with -bindist.

Please let me know if there is any other way to get an ecdsa key
]# ssh-keygen -t ecdsa -b 1024
unknown key type ecdsa
#

Thanks,
Gayathri

On Wed, Aug 6, 2014 at 4:57 PM, Matt Caswell wrote:

> On 6 August 2014 11:27, Gayathri Manoj wrote:
> > Hi All,
> >
> > Please let me know how to compile openssl with -bindist option.
> >
>
> I suspect you are asking this on the wrong forum as I think this is a
> gentoo thing not an openssl thing.
>
> With the caveat that I know nothing about gentoo, a few minutes
> googling turned up this page which might help:
>
> https://negativesum.net/tech/tools/munin-install-guide
>
> Matt
Re: how to compile openssl with -bindist option
On 6 August 2014 11:27, Gayathri Manoj wrote:
> Hi All,
>
> Please let me know how to compile openssl with -bindist option.
>

I suspect you are asking this on the wrong forum as I think this is a gentoo thing not an openssl thing.

With the caveat that I know nothing about gentoo, a few minutes googling turned up this page which might help:

https://negativesum.net/tech/tools/munin-install-guide

Matt