Re: FIPS fail

2008-10-09 Thread Kyle Hamilton
Okay. Let's see if I can piece together everything I've learned about the FIPS experience so far... FIPS-1.1.2 only generates a static fipscanister, which can only be used to generate a static library. (except on Windows, where it can be built into a shared library.) This version will only

Re: Valid certificate reported as expired

2008-10-09 Thread Dr. Stephen Henson
On Wed, Oct 08, 2008, Andrej Podzimek wrote: Are any intermediate CA certificates involved? No. The CA is home-made, created using OpenSSL. It has a self-signed certificate. This command will dump all certificates received: openssl s_client -connect hostname:portnum -showcerts

Re: FIPS fail

2008-10-09 Thread joshi chandran
Does this mean Windows can generate a shared library of openssl 9.7m with openssl fips 1.1.2? But I was not able to make the shared library of openssl 9.7m when I compiled with the openssl fips 1.1.2 object module on a Unix (AIX) system. Does it mean the coming fips version 1.2 will allow shared library

Re: FIPS fail

2008-10-09 Thread Steve Marquess
Kyle Hamilton wrote: Okay. Let's see if I can piece together everything I've learned about the FIPS experience so far... FIPS-1.1.2 only generates a static fipscanister, which can only be used to generate a static library. (except on Windows, where it can be built into a shared library.)

Re: Valid certificate reported as expired

2008-10-09 Thread Andrej Podzimek
Hmmm. Is that the right port for SSL/TLS? If it is, it looks like it isn't just a case of connecting to the right port to get an SSL/TLS connection. Might be some STARTTLS equivalent but I'm not sure what it is for that application. PostgreSQL always listens on one port. This is the only

Install problems with a Slackware 10.2 version of Linux

2008-10-09 Thread will_kranz
I am having trouble installing the current openssl on an older slackware 10.2 linux distribution. As indicated below it came with a /lib/libcrypt-2.3.5.so dated 2005-09-10 I downloaded and tried to install openssl-0.9.8i.tar.gz As indicated by the directory listings below only part of it seems

Re: Valid certificate reported as expired

2008-10-09 Thread Victor Duchovni
On Thu, Oct 09, 2008 at 04:39:06PM +0200, Andrej Podzimek wrote: I only have one directory and one CA certificate. That makes the task simple. On the client: [EMAIL PROTECTED] .postgresql]$ openssl x509 -in postgresql.crt -text | grep Not Not Before: Mar 25

Re: how to enable debug mode of openssl

2008-10-09 Thread Kyle Hamilton
You would probably need a FIPS_mode_set(1) somewhere after the openssl library initialization, and it would be a good thing to never keep any keys in the clear. As well, it would need to statically link to openssl 0.9.7m built with the fipscanister module. (If it uses features specific to

cipher or hash unavailable

2008-10-09 Thread Glenn MacGregor
Hi All, I am using openssl-0.9.8i with curl. When I try to access a secure site (https) my app dies with the error: TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable I should also say that I am using pthreads and have implemented the necessary callback functions for

Re: Install problems with a Slackware 10.2 version of Linux

2008-10-09 Thread Michael S. Zick
On Thu October 9 2008, [EMAIL PROTECTED] wrote: I am having trouble installing the current openssl on an older slackware 10.2 linux distribution. As indicated below it came with a /lib/libcrypt-2.3.5.so dated 2005-09-10 I downloaded and tried to install openssl-0.9.8i.tar.gz As indicated by

Re: how to enable debug mode of openssl

2008-10-09 Thread joshi chandran
Hi All, I am trying to make openssh compatible with the fips enabled openssl. Can anybody tell me what changes I have to make in openssh? Please help. Thanks, Joshi. The problem was solved by updating openssl to the latest release 0.9.8i (the one I used was 0.9.8a.) But I still don't know the

Re: Install problems with a Slackware 10.2 version of Linux

2008-10-09 Thread Scott Morgan
[EMAIL PROTECTED] wrote: I am having trouble installing the current openssl on an older slackware 10.2 linux distribution. As indicated below it came with a /lib/libcrypt-2.3.5.so dated 2005-09-10 I downloaded and tried to install openssl-0.9.8i.tar.gz As indicated by the directory listings

RE: cipher or hash unavailable

2008-10-09 Thread Glenn MacGregor
Ok, so I did an openssl ciphers -v on the installed version (0.9.7a - CentOS4) and the version I compiled (0.9.8i - CentOS4) and the list of ciphers on 0.9.8i is much smaller than 0.9.7a. Can someone point me to a document that describes how to compile with all the ciphers? Thanks

Re: Valid certificate reported as expired

2008-10-09 Thread Andrej Podzimek
On Thu, Oct 09, 2008 at 04:39:06PM +0200, Andrej Podzimek wrote: I only have one directory and one CA certificate. That makes the task simple. On the client: [EMAIL PROTECTED] .postgresql]$ openssl x509 -in postgresql.crt -text | grep Not Not Before: Mar 25 12:00:00

Re: Install problems with a Slackware 10.2 version of Linux

2008-10-09 Thread will_kranz
Mike: If it's inappropriate to reply directly, I apologize! But I couldn't resist inquiring if you really think some things have changed since 2005? Just because the entire banking system has failed is no reason to think linux would change :-) Truthfully that kernel and distribution have done

Re: Install problems with a Slackware 10.2 version of Linux

2008-10-09 Thread Michael S. Zick
On Thu October 9 2008, [EMAIL PROTECTED] wrote: Mike: If it's inappropriate to reply directly, I apologize! But I couldn't resist inquiring if you really think some things have changed since 2005? Just because the entire banking system has failed is no reason to think linux would change :-)

OpenSSL 0.9.7m Link Failure w/FIPS

2008-10-09 Thread pbirk
I'm getting the following error after following the steps in the FIPS users guide to compile on Windows at this link: http://openssl.org/docs/fips/UserGuide-1.1.1.pdf. I'm using FIPS 1.1.2 with OpenSSL 0.9.7m. I do ms\do_ms (tried with ms\do_nasm as well), then nmake -f ms\ntdll.mak. The

Re: Valid certificate reported as expired

2008-10-09 Thread Victor Duchovni
On Thu, Oct 09, 2008 at 05:43:15PM +0200, Andrej Podzimek wrote: When a PEM file holds multiple certificates (a chain), this command only shows the first one. You need to break each of the .crt files into separate files for each certificate, and look at those. The root.crt file holds

Re: Valid certificate reported as expired

2008-10-09 Thread Dr. Stephen Henson
On Thu, Oct 09, 2008, Andrej Podzimek wrote: Hmmm. Is that the right port for SSL/TLS? If it is, it looks like it isn't just a case of connecting to the right port to get an SSL/TLS connection. Might be some STARTTLS equivalent but I'm not sure what it is for that application.

Re: Valid certificate reported as expired

2008-10-09 Thread Andrej Podzimek
Then I suggest you run the following command on those systems too: openssl verify -CAfile root.crt other.crt Where other.crt is the EE certificate, server.crt or posgresql.crt Says OK on both machines. In crypto/x509/x509_vfy.c the function check_cert_time() is the one you need. Around the

sect163k1 public keys

2008-10-09 Thread Bruno Vétel
Hello. It seems that sect163k1 public keys can have two formats. The first, with a key length of 43 bytes, seems to be the standard; the second, used by openssl, has a length of 64 bytes. Can anyone tell me where I can find information on that and what is the impact on signatures? I used a

RE: sect163k1 public keys

2008-10-09 Thread Bill Colvin
I suspect that the smaller one is using Certicom's patented point compression representation of the public key. Not sure on the signature part of your question. Bill -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruno Vétel Sent: October 9, 2008 4:35

Re: Valid certificate reported as expired

2008-10-09 Thread Dr. Stephen Henson
On Thu, Oct 09, 2008, Andrej Podzimek wrote: Then I suggest you run the following command on those systems too: openssl verify -CAfile root.crt other.crt Where other.crt is the EE certificate, server.crt or posgresql.crt Says OK on both machines. In crypto/x509/x509_vfy.c the function

Re: Valid certificate reported as expired

2008-10-09 Thread Victor Duchovni
On Thu, Oct 09, 2008 at 10:19:58PM +0200, Andrej Podzimek wrote: if (i 0) { + FILE * f; + f = fopen( /tmp/CERTDUMP_EXPIRED, w ); + PEM_write_X509( f, x ); + fclose( f );
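Review bot: the fopen() result is never checked before PEM_write_X509(f, x) and fclose(f), so a failed open (permissions, full /tmp, an existing file owned by another user) passes NULL straight into the writer and crashes the process at the point you are trying to debug. Guard it with `if (f != NULL) { PEM_write_X509(f, x); fclose(f); }`. Also note that writing to a fixed, predictable path under /tmp from a library routine is the classic shared-temp-directory hazard: keep this strictly as a throwaway diagnostic and drop it before the build leaves your machine.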

RE: sect163k1 public keys

2008-10-09 Thread Bruno Vétel
On Thu, 2008-10-09 at 14:51 -0600, Bill Colvin wrote: I suspect that the smaller one is using Certicom's patented point compression representation of the public key. Hello Bill Thanks for your answer but I don't think so. Following this url, http://tls.secg.org/index1.php?action=certificate

RE: Certificate validation problem

2008-10-09 Thread Dave Thompson
-Original Message- From: [EMAIL PROTECTED] On Behalf Of Gerhard Gappmeier Sent: Wednesday, 08 October, 2008 08:14 I've a problem with validating self-signed certificates. In my use case it's possible (but unlikely) to have multiple self-signed certificates with the same

RE: Valid certificate reported as expired

2008-10-09 Thread Dave Thompson
-Original Message- From: [EMAIL PROTECTED] On Behalf Of Andrej Podzimek Sent: Thursday, 09 October, 2008 10:39 Might be some STARTTLS equivalent but I'm not sure what it is for that application. PostgreSQL always listens on one port. This is the only port I ever used for

Re: OpenSSL 0.9.7m Link Failure w/FIPS

2008-10-09 Thread Thomas J. Hruska
pbirk wrote: I'm getting the following error after following the steps in the FIPS users guide to compile on Windows at this link: http://openssl.org/docs/fips/UserGuide-1.1.1.pdf. I'm using FIPS 1.1.2 with OpenSSL 0.9.7m. I do ms\do_ms (tried with ms\do_nasm as well), then nmake -f