[openssl-users] SSL keys and certificates for FIPS and non-FIPS mode

2016-01-27 Thread cloud force
Hi everyone, If I have an HTTPS client and server both using OpenSSL with FIPS modules, and supporting both FIPS and non-FIPS mode, will the SSL server and client keys and certificates need to be changed between operating on FIPS and non-FIPS mode? Thanks, Rich

Re: [openssl-users] OpenSSL FIPS modules and APIs compatibility

2016-01-27 Thread Salz, Rich
> Do OpenSSL FIPS modules keep all the OpenSSL APIs intact? No. For example, only the EVP interface to crypto. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] OpenSSL FIPS modules and APIs compatibility

2016-01-27 Thread Steve Marquess
On 01/27/2016 05:33 PM, cloud force wrote: > Hi everyone, > > Do OpenSSL FIPS modules keep all the OpenSSL APIs intact? > i.e. If we use the OpenSSL FIPS modules, we don't need to make any API > invocation changes on our applications side (in addition to invoking the > FIPS_mode_set API). Is tha

[openssl-users] OpenSSL FIPS modules and APIs compatibility

2016-01-27 Thread cloud force
Hi everyone, Do OpenSSL FIPS modules keep all the OpenSSL APIs intact? i.e. If we use the OpenSSL FIPS modules, we don't need to make any API invocation changes on our applications side (in addition to invoking the FIPS_mode_set API). Is that correct? Thanks, Rich

Re: [openssl-users] SSL version status

2016-01-27 Thread Viktor Dukhovni
> On Jan 27, 2016, at 8:56 AM, Nulik Nol wrote: > > How many old browsers are out there that > still use older SSL versions? Because, Wikipedia says SSL 3.0 was > deprecated by Jun 2015 but if I only implement TLS, I may lose many > visitors with old browsers, right? You do not have to enable

Re: [openssl-users] SSL version status

2016-01-27 Thread Nulik Nol
Thanks for the link! This says it all: " o Implementations MUST NOT negotiate SSL version 2. Rationale: Today, SSLv2 is considered insecure [RFC6176]. o Implementations MUST NOT negotiate SSL version 3. Rationale: SSLv3 [RFC6101] was an improvement over SSLv2 and plugged so

Re: [openssl-users] FIPS Certification

2016-01-27 Thread Steve Marquess
On 01/27/2016 01:19 PM, Imran Ali wrote: > Thanks Steve - for the explanation. > > We are using these libraries for Windows 2012 R2 which is 6.3 and > certificate #1747 mentions Windows 7 which is 6.1. I am hoping based on below > that we are OK to use it under Windows 2012 R2 > > https://ms

Re: [openssl-users] FIPS Certification

2016-01-27 Thread Imran Ali
Thanks Steve - for the explanation. We are using these libraries for Windows 2012 R2 which is 6.3 and certificate #1747 mentions Windows 7 which is 6.1. I am hoping based on below that we are OK to use it under Windows 2012 R2 https://msdn.microsoft.com/en-gb/library/windows/desktop/ms724832

Re: [openssl-users] FIPS Certification

2016-01-27 Thread Steve Marquess
On 01/27/2016 11:54 AM, Jakob Bohm wrote: > The unfortunate people who are legally required to use > FIPS-validated crypto are legally restricted to use > *only* the crypto sw/hw on the FIPS validated list and > *only* in the specific configurations (OS etc.) listed > for each on that list. Well,

Re: [openssl-users] FIPS Certification

2016-01-27 Thread Salz, Rich
>Everybody else is better off not trying to use FIPS-restricted modes and >setups. Strongly agree!!

Re: [openssl-users] FIPS Certification

2016-01-27 Thread Steve Marquess
On 01/27/2016 11:34 AM, Imran Ali wrote: > I might be asking a very basic question so do apologies > upfront but I need to have a clear understanding on this. > > The platforms mentioned under #1747 and #2473 do not contain the > latest versions of Operating System e.g. Windows 2012 R2 a

Re: [openssl-users] FIPS Certification

2016-01-27 Thread Jakob Bohm
The unfortunate people who are legally required to use FIPS-validated crypto are legally restricted to use *only* the crypto sw/hw on the FIPS validated list and *only* in the specific configurations (OS etc.) listed for each on that list. Everybody else is better off not trying to use FIPS-rest

Re: [openssl-users] FIPS Certification

2016-01-27 Thread Imran Ali
I might be asking a very basic question so do apologies upfront but I need to have a clear understanding on this. The platforms mentioned under #1747 and #2473 do not contain the latest versions of Operating System e.g. Windows 2012 R2 and Windows 10. Does this have any impact on the

Re: [openssl-users] FIPS Certification

2016-01-27 Thread Jakob Bohm
On 27/01/2016 16:24, Imran Ali wrote: All, Looking at the website http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm There is a new date of 01/25/2016 under Validation against OpenSSL Software Foundation (2473). Does that mean that we now have a FIPS

Re: [openssl-users] FIPS Certification

2016-01-27 Thread Steve Marquess
On 01/27/2016 10:24 AM, Imran Ali wrote: > All, > > > > Looking at the website > http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm > > > > There is a new date of 01/25/2016 under Validation against OpenSSL > Software Foundation (2473). Does that mean

[openssl-users] FIPS Certification

2016-01-27 Thread Imran Ali
All, Looking at the website http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm There is a new date of 01/25/2016 under Validation against OpenSSL Software Foundation (2473). Does that mean that we now have a FIPS compliant Open SSL again? Regards, Imran

[openssl-users] SSL version status

2016-01-27 Thread Nulik Nol
Hi, I have to implement SSL/TLS in a proprietary web server daemon. I am only familiar with SSL as a user, not as a developer, so my question is: what versions of SSL should I support for best compatibility and optimal development time? How many old browsers are out there that still use older SSL ver