Two things to consider with IPSec: key exchange mechanisms as provided by
packages like StrongSwan, and the actual encryption/authentication of
packets that is typically being done by the kernel stack and I believe is
based on the Kernel Crypto API. So I believe to do IPSec you do need both
crypto
In the Simple PKI example, step 5.4 View PKCS#7 bundle, the -in option
points to ca directory, but the bundle was created in step 4.3 Create
PKCS#7 bundle in the certs directory. I.e.:
Step 4.3:
openssl crl2pkcs7 -nocrl \
-certfile ca/signing-ca.crt \
-certfile ca/root-ca.crt \
-out
When the validation is obtained for FIPS Object Module v2.0, and that
version is officially released, will there also be an update to OpenSSL? Or
are those two now independent as long as v1.0.1 is used with the FIPS
module?
Thanks,
Kevin
On Tue, Feb 21, 2012 at 1:11 PM, Andy Polyakov ap...@openssl.org wrote:
Though in FIPS 2.0 there is new option that might work in this case.
Besides switching to another compiler that is. Introduced to rectify
situation with rodata segments not being position-independent on Win64,
defining
On Tue, Feb 21, 2012 at 3:51 PM, Andy Polyakov ap...@openssl.org wrote:
Another option (but shoot it down if it's bogus :-): I noticed that if I
compile fipscanister.o without -fPIC, then the const variables do get placed in
the (really readonly) .rodata section as desired. I thought maybe if
On Mon, Feb 20, 2012 at 5:18 AM, Andy Polyakov ap...@openssl.org wrote:
Though in FIPS 2.0 there is new option that might work in this case.
Besides switching to another compiler that is. Introduced to rectify
situation with rodata segments not being position-independent on Win64,
On Sat, Feb 18, 2012 at 6:13 PM, Andy Polyakov ap...@openssl.org wrote:
The key thing I realized is that the incore script that comes with the
FIPS Object Module v2.0 tarball handles both native AND cross-compile scenarios.
Even though FIPS 2.0 util/incore is capable of handling
On Sun, Feb 19, 2012 at 11:52 AM, Andy Polyakov ap...@openssl.org wrote:
After I had gotten the extra -f options from Harvey for this platform (BSD-powerpc),
Using -f[data|function]-sections options is inappropriate as they
undermine the idea of capturing fipscanister code and rodata
On Sun, Feb 19, 2012 at 3:50 PM, Kevin Fowler kevpfow...@gmail.com wrote:
On Sun, Feb 19, 2012 at 11:52 AM, Andy Polyakov ap...@openssl.org wrote:
After I had gotten the extra -f options from Harvey for this platform (BSD-powerpc),
Using -f[data|function]-sections options
On Fri, Feb 17, 2012 at 10:25 PM, Dr. Stephen Henson st...@openssl.org wrote:
On Fri, Feb 17, 2012, Kevin Fowler wrote:
Thanks Harvey,
This seems to have worked as far as getting the .rodata section used. This
is what I see now:
001b5740 g O .rodata0010
Thanks Harvey,
This seems to have worked as far as getting the .rodata section used. This
is what I see now:
001b5740 g O .rodata0010 FIPS_rodata_start
001b5750 l O .rodata0011 FIPS_hmac_key
001b57bc g O .rodata0036 FIPS_bn_version
001c1e08 g O
Using FIPS module and FIPS capable OpenSSL (2.0/1.0.1) on a NetBSD platform.
I build FIPS module by hand to follow the build instructions, and copy it
into a fips sub-directory in openssl directory. I would like to build the
libcrypto.so library as part of the NetBSD cross-compile build (i.e.,
When I build the FIPS module and install, it populates a
fips-2.0/include/openssl directory with a set of header files.
When I build the FIPS-capable OpenSSL library libcrypto, it has the
fips-2.0 include directory in its CFLAGS, but at the end. Since the FIPS
include directory has a subset of the
I'm asking here about the header files with the same name in both
directories. I see that there are three fips-specific header files in the
fips-2.0 include directory - which I would guess is what is getting picked
up by the last -I in CFLAGS...
On Sun, Jan 29, 2012 at 2:19 PM, Kevin Fowler
I think I know the answer to this but I'm hoping I am wrong.
I am building the FIPS Object Module v2.0 (a recent snapshot) on an
x86-linux2 host for an embedded PowerPC target running NetBSD. There is a
well-established and intricate build process already in place for the
product, and I am trying
...
Kevin
On Wed, Nov 30, 2011 at 12:01 PM, Kevin Fowler kevpfow...@gmail.com wrote:
I think I know the answer to this but I'm hoping I am wrong.
I am building the FIPS Object Module v2.0 (a recent snapshot) on an
x86-linux2 host for an embedded PowerPC target running NetBSD. There is a
well
I noticed that for the FIPS Object module for ./config no-asm the endian
flag is removed from CFLAGS.
But in openssl, this is not the case. So, e.g. for linux-ppc, openssl build
has -DB_ENDIAN flag, but fips build has no such flag.
I'm guessing that the powerpc gcc may default to big-endian, so
Thanks Steve, I have a follow-up below - just checking I have it straight.
On Mon, Nov 21, 2011 at 10:11 AM, Dr. Stephen Henson st...@openssl.org wrote:
On Fri, Nov 18, 2011, Kevin Fowler wrote:
Let me first say I have read the User Guide and Security Policy
repeatedly, as well as the Incore
Let me first say I have read the User Guide and Security Policy
repeatedly, as well as the Incore Tutorial, looked through this users
group, and read anything else I could find - so I'm not being lazy,
although my questions may be pedestrian... Please correct any
misunderstandings along the way.
Hi,
I successfully built the FIPS 2.0 module (2010), its tests passed, and
it was installed correctly in /usr/local/ssl/fips-2.0.
I then build openssl 1.0.1 (2010):
./config fips shared
make
which all seems to go ok
Then I do:
make test
and eventually get this error:
...
Testing key
Thank you - that was my problem
On Tue, Nov 15, 2011 at 9:43 AM, Dr. Stephen Henson st...@openssl.org wrote:
On Mon, Nov 14, 2011, Kevin Fowler wrote:
Hi,
I successfully built the FIPS 2.0 module (2010), its tests passed, and
it was installed correctly in /usr/local/ssl/fips-2.0.
I