Re: Will my application be FIPS 140-2 Certified under following conditions?

2019-07-03 Thread open...@foocrypt.net
Deepak
Just take note of the FIPS 140-2 sunset, and rise of FIPS 140-3
140-3 Takes Effect: 9/22/19
140-3 New Testing Begins: 9/22/20
140-2 Sunset: 9/21/21
140-3 Mandated: 9/22/21
And best of luck ;)

Re: Will my application be FIPS 140-2 Certified under following conditions?

2019-07-03 Thread Kyle Hamilton
Also, on question b: No. You need to build a compatible version of openssl as specified in the User Guide, and link that version. FIPS_mode_set() tells the library to always and only use the implementations in the FIPS canister; the canister does not replace the library entirely. -Kyle H On

Re: Will my application be FIPS 140-2 Certified under following conditions?

2019-07-03 Thread Kyle Hamilton
Step a. needs to verify the digest with an existing FIPS 140-2 validated cryptography implementation. Otherwise, to my understanding, this is the correct sequence of events. Do note that after building the fipscanister.lib, you will want to digest it and print it on a certification letter that

Re: Building a DER sequence

2019-07-03 Thread Viktor Dukhovni
On Jul 3, 2019, at 2:41 PM, Ken Goldman wrote:
> That link points to the X509_dup page. It doesn't explain how to
> build a DER sequence, does it?
The documentation is incomplete, and much RTFS is required, but it and code pointers should get you started.
-- Viktor.

Re: Building a DER sequence

2019-07-03 Thread Ken Goldman
On 7/1/2019 6:03 PM, Viktor Dukhovni wrote: On Mon, Jul 01, 2019 at 09:40:25PM +, Salz, Rich via openssl-users wrote: I see those macros, but ... is there any documentation? No. There's a high-level overview at: https://www.openssl.org/docs/manmaster/man3/X509_dup.html

Re: Building a DER sequence

2019-07-03 Thread Ken Goldman
On 7/1/2019 5:19 PM, Viktor Dukhovni wrote: On Jun 25, 2019, at 10:59 AM, Ken Goldman wrote: I have to build a DER byte stream for a sequence containing: algorithm ID issuer validity subject name extensions What is the general approach? See for

Re: Can applications built with 'FIPS Capable OpenSSL' be called as 'FIPS 140-2' certified?

2019-07-03 Thread Eric Jacksch
Unless your product (application) is listed on the certificate, it is not FIPS 140-2 certified. Similarly, if you build your own car and drop in an OEM Ford engine, your car does not become a Ford.
On Wed, 3 Jul 2019 at 13:35, Dipak B wrote:
>
> Hi,
>
> Thank you for the quick answer.
> Both

Re: Can applications built with 'FIPS Capable OpenSSL' be called as 'FIPS 140-2' certified?

2019-07-03 Thread Eric Jacksch
No, strictly speaking, you cannot. Just because you use a FIPS 140-2 certified cryptographic module doesn't mean that your application is FIPS 140-2 certified. It means that your application includes (or uses) a FIPS 140-2 certified cryptographic module. Or, as it is sometimes called, "FIPS

Re: Can applications built with 'FIPS Capable OpenSSL' be called as 'FIPS 140-2' certified?

2019-07-03 Thread Dipak B
Hi, Thank you for the quick answer. Both questions have a subtle difference. My apologies that they appear almost the same. So, to clear my doubts, the following is my understanding:
a) An application is FIPS 140-2 certified if and only if it links directly to 'fipscanister.lib'.
b) Application which links

Re: Can applications built with 'FIPS Capable OpenSSL' be called as 'FIPS 140-2' certified?

2019-07-03 Thread Salz, Rich via openssl-users
Didn’t you just ask this question? :) If you followed the Win32 build instructions *exactly* and you build your application to turn on FIPS mode and link against the canister, then yes. If you made changes to the process, then no.

Can applications built with 'FIPS Capable OpenSSL' be called as 'FIPS 140-2' certified?

2019-07-03 Thread Dipak B
Dear Experts, Can you please help with the following questions? All inputs are appreciated.
a) Can we call a Win32 application built with FIPS Capable OpenSSL FIPS 140-2 Certified in the strict sense, where FIPS Capable OpenSSL is OpenSSL built using the FOM (fipscanister.lib)? I am seeking

Will my application be FIPS 140-2 Certified under following conditions?

2019-07-03 Thread Dipak B
Dear Experts, Can you please help me with the following question? My win32 desktop application uses 'libcurl' to interact with a web service. In order to get my application FIPS 140-2 certified, the following is the plan which I arrived at after going through the 'User Guide' and 'Security Policy'

Re: OpenSSL 1.1.1 RPM for CentOS 7

2019-07-03 Thread Jan Just Keijser
On 02/07/19 23:52, Dennis Clarke wrote: On 7/2/19 12:12 PM, Karel de Henks wrote: Hi, I'm searching on the internet for an OpenSSL version 1.1.1. RPM package for CentOS 7. However, I cannot find this. Perhaps one of the users in the mailing list has this package already available. On

How to do a clean uninstall of openssl source?

2019-07-03 Thread Karan
I installed openssl from source following the guidelines in https://github.com/openssl/openssl/blob/master/INSTALL . Now I need to remove this source installed version and use the openssl-devel package instead, provided by my distro, Fedora. How do I do a clean uninstall, such that even the

Re: openssl-fips configure parameters to force IANA cipher suite compliance

2019-07-03 Thread Jakob Bohm via openssl-users
On 02/07/2019 22:13, Larry Jordan via openssl-users wrote: I want to build an openssl-fips canister to force IANA cipher suite compliance. With the help of an openssl-iana mapping (https://testssl.sh/openssl-iana.mapping.html) I can identify the corresponding OpenSSL cipher suites. Not