Hi,
Can anyone please tell me how to check the list of TLS versions supported in
an OpenSSL build (version 1.1.1)?
--
*With Best Regards*
*Shivakumar S*
On 27/02/2020 18:30, Phani 2004 wrote:
> Thanks for the reply.
>
> In ssl_get_evp_cipher api when etm flag is enabled the
> aesni_cbc_hmac_sha1_cipher is not used. In this cipher only it
> implements mte. This part is not clear to me? Suppose I implement one
> cipher func which needs to handle
On 27/02/2020 20:37, Jason Schultz wrote:
> Thanks for all of the responses. This question has led to other related
> topics, so I have another one. According to this blog:
>
> https://keypair.us/2019/12/rip-fips-186-2/
>
> The OpenSSL FIPS Object Module will be moved to the CMVP historical li
> Per section Supported Groups in RFC 8446 [1], FFDHE groups could be supported.
I was wrong, sorry for the distraction.
As others have pointed out, it will be in the next (3.0) release.
On Thu, Feb 27, 2020 at 9:27 PM Salz, Rich wrote:
>
>- Run the command: openssl s_client -tls1_3 -groups ffdhe2048 host:port
>
>
>
> TLS 1.3 doesn’t have those groups.
>
Per section Supported Groups in RFC 8446 [1], FFDHE groups could be
supported.
enum {
/* Elliptic Curve Groups (ECDHE)
CMVP historical list
> as of 9/1/2020. Since there is no OpenSSL 3.0 until Q4 2020, and a FIPS
> Module will be after that sometime, where does this leave 1.0.2 users who
> need a FIPS validated object module past that date?
>
> Without their free lunch?
That's fair. So the only option is to use another module? Extended 1.0.2
support does not resolve this either, correct?
From: Salz, Rich
Sent: Thursday, February 27, 2020 8:49 PM
To: Jason Schultz ; openssl-users@openssl.org
Subject: Re: OpenSSL 3.0
* The
None of those choices address what happens in the 1.0.2 module goes to historic
on Sept 1. See
https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules
for details.
For option 2, we have a support contract in place. But does this actually help
us as far as the FIPS Object Module?
From: openssl-users on behalf of Neptune
Sent: Thursday, February 27, 2020 8:56 PM
To: openssl-users@openssl.org
Subject: Re: OpenSSL 3.0
You
* That's fair. So the only option is to use another module? Extended 1.0.2
support does not resolve this either, correct?
I do not think that is the only option. For example, you might be able to use
3.0 and say it’s “in evaluation.” There might be other options, that was all I
could think
You essentially have three choices:
1. Stay on the 1.0.2 branch to continue FIPS compliance, but go the entire
year without support or security patches.
2. Pay OpenSSL for a premium support contract ($50,000 per year) to continue
to receive patches on 1.0.2 for the remainder of the year.
3. Pay Saf
* The OpenSSL FIPS Object Module will be moved to the CMVP historical list
as of 9/1/2020. Since there is no OpenSSL 3.0 until Q4 2020, and a FIPS Module
will be after that sometime, where does this leave 1.0.2 users who need a FIPS
validated object module past that date?
Without their free
Thanks for all of the responses. This question has led to other related topics,
so I have another one. According to this blog:
https://keypair.us/2019/12/rip-fips-186-2/
The OpenSSL FIPS Object Module will be moved to the CMVP historical list as of
9/1/2020. Since there is no OpenSSL 3.0 until
Hi All,
The TPM 2.0 PKCS11 project has been attempting to get the TPM working with
EAP-TLS WiFi.
We've run into an issue where the TPM spec specifies that for RSA PSS signing
keys, the random salt length will be the largest size allowed by the key size
and message digest size.
Server side, in SS
Thanks for the reply.
In ssl_get_evp_cipher api when etm flag is enabled the
aesni_cbc_hmac_sha1_cipher is not used. In this cipher only it implements
mte. This part is not clear to me? Suppose I implement one cipher func
which needs to handle both etm as well as mte, at the cipher api level how
d
>It would probably be a good idea for us to pull together a "Getting
Started" guide on the Wiki with some basic information on how to get
things going, with some links to the various man pages etc where more
detailed information is required.
This needs to be real user documentat
* Run the command: openssl s_client -tls1_3 -groups ffdhe2048 host:port
TLS 1.3 doesn’t have those groups.
FFDHE arrived quite late so it missed the window for being included in the
1.1.1 release and won't be added to it in a patch release as it is a new
feature.
FFDHE support is available in master so it will be part of the upcoming 3.0
release and it is already possible to test it using a development
I would have highlighted that OpenSSL 1.1.1d was being used in my testing.
On Thu, Feb 27, 2020 at 5:13 PM John Jiang wrote:
> Hi,
> It sounds like FFDHE groups are already supported [1]
> But the tools, like s_client, also support them.
> Run the command: openssl s_client -tls1_3 -groups ffdhe2048 h
Hi,
It sounds like FFDHE groups are already supported [1]
But the tools, like s_client, also support them.
Run the command: openssl s_client -tls1_3 -groups ffdhe2048 host:port
it just raised the issue: Error with command: "-groups ffdhe2048"
If using P-256 or X25519, it worked fine.
I also tried optio