Title: RE: Disabling for FIPS mode, take 2
I had heard that there were issues with the X9.31 implementation. As I said we
have got certs for both X9.31 and 186-2 so if you need anything let me
know. We could contribute the routines to OpenSSL if that would
help.
Chris
-Original
Title: RE: Disabling for FIPS mode, take 2
Chris Brook wrote:
>As far as I understand it, FIPS 140-2 requires that you use a FIPS approved
>RNG for generating keys (if that's what you meant below). This includes
>ANSI X9.31 and FIPS 186-2, neither of which of course ar
On Wed, Jul 07, 2004, Marquess, Steve Mr JMLFDC wrote:
> On Tuesday, July 06, 2004 Dr. Stephen Henson wrote:
>
> >> So you're saying just have PEM_write_bio_PrivateKey drop through to
> >> PEM_write_bio_PKCS8PrivateKey in FIPS mode? That could work. I suppose I
> >> could do the same substituti
Title: RE: Disabling for FIPS mode, take 2
On Tuesday, July 06, 2004 Dr. Stephen Henson wrote:
>> So you're saying just have PEM_write_bio_PrivateKey drop through to
>> PEM_write_bio_PKCS8PrivateKey in FIPS mode? That could work. I suppose I
>> could do the s
Title: RE: Disabling for FIPS mode, take 2
On Tuesday, July 06, 2004 Dr. Stephen Henson wrote:
>> I was able to convert OpenSSH PEM format keys to PKCS#8 easily enough using
>> openssl pkcs8, but how do I convert the PKCS#8 back to the original format?
>>
>
>Wel
On Tue, Jul 06, 2004, Marquess, Steve Mr JMLFDC wrote:
> On Friday, July 02, 2004 4:52 PM Dr. Stephen Henson wrote:
>
> >OpenSSL already supports various private key formats which only use FIPS
> >approved algorithms, for example PKCS#8 with PKCS#5 v2.0. That means that one
> >solution is to just
: Disabling for FIPS mode, take 2
On Fri, Jul 02, 2004, Jack Lloyd wrote:
> On Fri, Jul 02, 2004 at 10:51:52PM +0200, Dr. Stephen Henson wrote:
>
> [...]
> > OpenSSL already supports various private key formats which only use FIPS
> > approved algorithms, for example PKCS#8 w
Title: RE: Disabling for FIPS mode, take 2
On Friday, July 02, 2004 4:52 PM Dr. Stephen Henson wrote:
>> Two related patches I posted earlier are for a FIPS specific default
>> ciphersuite (ssl_ciph.c) and SHA1 instead of MD5 for PEM passphrases
>> (pem_lib.c). Any addi
On Fri, Jul 02, 2004, Jack Lloyd wrote:
> On Fri, Jul 02, 2004 at 10:51:52PM +0200, Dr. Stephen Henson wrote:
>
> [...]
> > OpenSSL already supports various private key formats which only use FIPS
> > approved algorithms, for example PKCS#8 with PKCS#5 v2.0. That means that one
> > solution is to
On Fri, Jul 02, 2004 at 10:51:52PM +0200, Dr. Stephen Henson wrote:
[...]
> OpenSSL already supports various private key formats which only use FIPS
> approved algorithms, for example PKCS#8 with PKCS#5 v2.0. That means that one
> solution is to just change the behaviour of PEM_write_PrivateKey()
On Fri, Jul 02, 2004, Marquess, Steve Mr JMLFDC wrote:
>
> Two related patches I posted earlier are for a FIPS specific default
> ciphersuite (ssl_ciph.c) and SHA1 instead of MD5 for PEM passphrases
> (pem_lib.c). Any additional feedback on those would also be greatly
> appreciated; so far I've
Title: Disabling for FIPS mode, take 2
Based on the feedback from several of you, Steve Henson in particular,
I've had another try at a mechanism for disabling non-FIPS algorithms
in FIPS mode. Flag bits in the EVP_CIPHER and EVP_MD structures
indicate the suitability of the algorit
12 matches