Re: Assertion failure

2009-07-23 Thread Dr. Stephen Henson
On Wed, Jul 22, 2009, David Schwartz wrote: > > Michael Kurecka wrote: > > > Thank you for your help that is definitely a point in the right > > direction; however, it leaves me more baffled. I found the only > > SSL_CTX_new function that is in the code and it is being passed > > the TLSv1_metho

Re: Certificate Request issued by HSM versus CR issued by plain openssl

2009-07-23 Thread Eduardo M.Cavalcanti
Thanks for the help. I do not yet have an HSM. At 19:38 22/07/2009, you wrote: I haven't tried, but it's easy to know. Please post a CSR in base64 that you produce in HSM and I will compare, posting both cases in text (one CSR made in HSM and another made in openssl). Or if you prefer I post one

ECDSA Encryption

2009-07-23 Thread Bram Cymet
Hi, Is it possible to use openssl to do ecdsa encryption/decryption and if so how? Or can someone recommend a linux command line tool that would? Thanks, -- Bram Cymet Software Developer Canadian Bank Note Co. Ltd. Cell: 613-608-9752

Re: Assertion failure

2009-07-23 Thread Michael Kurecka
David Schwartz wrote: >Most likely, you're getting a connection from a non-FIPS endpoint that's >forcing you to use a protocol that's not FIPS compliant. I'm not sure why >you're seeing what you're seeing though -- it should just have reported that >it was unable to negotiate compatible protocols

Re: ECDSA Encryption

2009-07-23 Thread Fred Keet
Bram Cymet wrote: Hi, Is it possible to use openssl to do ecdsa encryption/decryption and if so how? Or can someone recommend a linux command line tool that would? Thanks, I think it is possible to use elliptic keys for encryption. I'm not sure about a command line tool, but you should be

Getting error to generate certificate chain

2009-07-23 Thread Archana Porwal
Hi, I want to create a certificate chain and upload it to Mozilla and my own server. I have even created that certificate chain with all other required certificates like root.pem, client.pem, root.p12, server.pem and server_chain.crt with depth 10, but when I have installed server_chain.crt then using o

RE: Assertion failure

2009-07-23 Thread Will Bickford
Dr. Steve: How do I enable debug? I want to make sure I have it set right as it takes a while to rebuild.

RE: Assertion failure

2009-07-23 Thread Will Bickford
If you look at the Configure script you will see different debug options that the developers have set up. Search the Configure file for lines with 'debug-' in them. You can adjust the Configure script to set up your own as well, just follow the pattern. There are quite a few different configs avai

Re: Assertion failure

2009-07-23 Thread Michael Kurecka
Dr Henson wrote: >No that won't bypass the MD5 check. You can use EVP and set the flag >EVP_MD_CTX_NON_FIPS_ALLOW if you really want to do that... I do need to bypass MD5 because MD5 for RADIUS is FIPS compliant, but I can't find the EVP_MD_CTX_NON_FIPS_ALLOW flag anywhere. Where is the flag and h

Re: Assertion failure

2009-07-23 Thread Dr. Stephen Henson
On Thu, Jul 23, 2009, Michael Kurecka wrote: > Dr Henson wrote: > > >No that won't bypass the MD5 check. You can use EVP and set the flag > >EVP_MD_CTX_NON_FIPS_ALLOW if you really want to do that... > > I do need to bypass MD5 because MD5 for RADIUS is FIPS compliant, but I > can't find the EVP_

Re: Assertion failure

2009-07-23 Thread Dr. Stephen Henson
On Thu, Jul 23, 2009, Michael Kurecka wrote: > > Dr. Steve: > > How do I enable debug? I want to make sure I have it set right as it takes a > while to rebuild. I'd recommend using OpenSSL 0.9.8k throughout for that you should be able to use: ./config -d fipscanisterbuild BLOODY BIG SODDING E

Re: Assertion failure

2009-07-23 Thread Michael Kurecka
Just to be clear my current config is: ./config fipscanisterbuild no-asm (in the FIPS 1.2 directory) make ./config fips (in the 0.9.8k directory) make I attempted: ./config -d fipscanisterbuild no-asm (in the FIPS 1.2 directory) make ./config -d fips (in the 0.9.8k directory) make but it said th

RE: setting FD_CLOEXEC on BIO sockets

2009-07-23 Thread Bailey, Darragh
> After the regular BIO stuff you should be able to get the fd > (BIO_get_fd(BIO *bio, int *fd)) and just set the flag with fcntl. You > might want to have a look at BIO_set_flags first.

RE: setting FD_CLOEXEC on BIO sockets

2009-07-23 Thread Bailey, Darragh
> -Original Message- > From: owner-openssl-us...@openssl.org > [mailto:owner-openssl-us...@openssl.org] On Behalf Of David Schwartz > Sent: 22 July 2009 00:03 > To: openssl-users@openssl.org > Subject: RE: setting FD_CLOEXEC on BIO sockets > > You should not issue a 'close' unless you wa

Re: Assertion failure

2009-07-23 Thread Jouni Malinen
On Thu, Jul 23, 2009 at 12:51:53PM +0200, Dr. Stephen Henson wrote: > Yes in FIPS mode non-compliant ciphersuites are disabled and so should never > be seen. If there is some way to use them which is triggering this in > unmodified OpenSSL 0.9.8k I'd like to know what it is as that's a bug which >

Re: Assertion failure

2009-07-23 Thread Dr. Stephen Henson
On Thu, Jul 23, 2009, Michael Kurecka wrote: > Just to be clear > > my current config is: > ./config fipscanisterbuild no-asm (in the FIPS 1.2 directory) > make > ./config fips (in the 0.9.8k directory) > make > > I attempted: > ./config -d fipscanisterbuild no-asm (in the FIPS 1.2 directory) >

Re: Assertion failure

2009-07-23 Thread Michael Kurecka
Jouni, I have no problem what I have so far. It is a stripped down version with openssl FIPS. Where shall I send it? Dr. Henson: I did the ./Configure debug-linux-elf-noefence fipscanisterbuild as you mentioned and that worked OK but I got the following error when I ran make. #make if [ -n "l

confused by RC2-CBC-MD5 cipher

2009-07-23 Thread Brian Reichert
Hopefully, someone has more clue than I on this; I couldn't find anything in the list archives... Using a recent version of openssl: # openssl version OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 I find that it claims knowledge of 'RC2-CBC-MD5': # openssl ciphers -v RC2-CBC-MD5 RC2-CBC-MD5

Re: Assertion failure

2009-07-23 Thread Dr. Stephen Henson
On Thu, Jul 23, 2009, Michael Kurecka wrote: > > Dr. Henson: > > I did the ./Configure debug-linux-elf-noefence fipscanisterbuild as you > mentioned and that worked OK but I got the following error when I ran make. > Argh... don't have a debug configuration for that platform. Try deleting the

error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

2009-07-23 Thread Rij
Hello, I have a simple client operating in blocking mode. When I try to connect to the server, I get the error: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol Anybody aware of this error? I had previously written both a blocking and non-blocking client with help of people fro

HTTP Communication (2)

2009-07-23 Thread Andrejs Igumenovs
Hi, The application uses the following functions for non-secure communication: int BIO_write(BIO *b, const void *data, int len); int BIO_read(BIO *b, void *data, int len); calling them one by one. The issue is that BIO_write() succeeds and returns the proper value of the data written. The