From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Steve Marquess
Sent: January-20-15 8:17 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] OpenSSL FIPS (0.9.8) coexisting with non-FIPS
(1.0.1)
On 01/19/2015 12:42 PM, Nou Dadoun wrote:
> The scenario
nssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Steve Marquess
Sent: January-16-15 2:26 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] OpenSSL FIPS (0.9.8) coexisting with non-FIPS
(1.0.1)
On 01/16/2015 04:23 PM, Nou Dadoun wrote:
> We are currently using FIPS
We are currently using FIPS and non-FIPS builds of 0.9.8 where a configuration
setting can select FIPS or non-FIPS mode, loads the appropriate build and
populates a function table which is used by the code for OpenSSL functionality.
We would like to update the non-FIPS build to a later version
rsions of 1.0.0?
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Matt Caswell
Sent: October-20-14 4:08 PM
To: openssl-users@openssl.org
Subject: Re: TLSv1.1 and TLSv1.2
On 20/10/14 23:59, Nou Dadoun wrote:
> This should be a sho
This should be a short question (for a change), am I correct in assuming that
the earliest version of openssl which provided support for TLSv1.1 and TLSv1.2
is openssl 1.0.1?
i.e. there's no support for those in 0.9.8 (soon to be deprecated) or 1.0.0?
One of our products uses 0.9.8 for the FIP
: SSL_MODE_SEND_FALLBACK_SCSV option
On 20/10/14 21:10, Nou Dadoun wrote:
> Well I think I'm completely confused about this option now; "always when you
> fall back" seems to suggest that falling back is an application level
> operation (as opposed to openssl-implemented behaviour), is it? i.
jabber.me Twitter: RichSalz
> -Original Message-
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
> us...@openssl.org] On Behalf Of Nou Dadoun
> Sent: Monday, October 20, 2014 7:08 PM
> To: openssl-users@openssl.org
> Subject: RE: SSL_MODE_SEND_FALLBACK_SCSV
This is the first time I've seen this point of view expressed but it does make
evident sense - after all, the whole idea of falling back is to find a mutually
acceptable version. However it conflicts with some of the previous advice I've
seen on the list which recommended that SSL_MODE_SEND_FAL
Since this is the users list (as opposed to the dev list) I’m a little confused
about point 2 there; my understanding from the sketchy descriptions I’ve read
is that the fallback to a lower version is automatically done by openssl on
connect failure as opposed to something similar to the code sn
But my understanding is that it requires the same content to be submitted
repeatedly within a single session with manipulations to the padding to
incrementally decrypt the content; we use ssl to protect our session
establishment - think of a SIP call, SIP INVITE (offer) in one direction and
SIP
A few short (simple) questions about the use of TLS_FALLBACK_SCSV since we’re
currently upgrading to the latest openssl releases.
We don’t establish sessions with any other products than our own clients and
servers.
We’ve already disabled the use of SSLv3 in both our client and server releases
mode is desired; it
wouldn't take much modification to delay loading the fips function pointers
until the POST is complete as long as the client code doesn't choke on a "not
ready yet" return code.
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
-Original Mess
vely kill any future Openssl FIPS certifications
although it appears that our current certification remains valid.
Sorry if this has been discussed previously but is this the case? A pointer to
a previous discussion if one exists would be sufficient, thanks ... N
---
Nou Dadoun
ndad...@terad
io 2012 so having a
project to do this would be ideal since it would make the build and deploy
process much simpler. Anything like a VS project to build crypto only out
there anywhere?
Thanks .. N
---
Nou Dadoun
ndad...@teradici.com
60
for
cross-compilation), anyone know what that might be? Or even better, a list of
config options that I can use to tailor my build?
This seems like basic information that should be in a man page or readme file
somewhere, is it?
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
-Original Message
ny general
comments? ... N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated Li
Quick question: is there a simple openssl api call which will tell me if an
x509 certificate is self-signed? ... N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
on? (i.e. a windows " method that finds them
dynamically")
Thanks to Dave for the response ... N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Dave Thompson
verify assumption is correct before trying to run down the windows stuff.
Anybody know offhand? Thanks .. N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
reciate hearing about anyone else's experiences vis a vis Metro/openssl
etc .. N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of mar...@v.loewis.de
Sent: August 3, 20
erested in the technical questions at this point,
not the political ones.)
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
ding is on the horizon but not
imminent) - is there any documentation anywhere on how this might be
accomplished?
Thanks again ... N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On
Thanks very much for your clearly laid out and informative note; most of this
matches my intuitive understanding of the differences but having it elucidated
backed with experience is invaluable, thanks again ... N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
-Original Message
e ssl tunnel established? i.e. how do
you securely agree on a symmetric key for further secure communications?
(Which is how I assume things proceed.)
Any pointers?
N.
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:
essentially the same).
Does anyone have experience with this? Any pointers or links to documentation
for how this might be done?
Thanks in advance N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
It passes "OK" with the usual verify utility but that's not surprising since it
passes verification if I'm not using FIPS, I don't imagine there's any way to
force the verify utility to use the FIPS routines; in any case, I'm happy to
send them to you
.
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
-Original Message-
From: Nou Dadoun
Sent: June 18, 2012 11:06 AM
To: 'openssl-users@openssl.org'
Subject: RE: FIPS doesn't verify certificate with 1024-bit keys
Here's the certificate which is failing:
C
ef:bd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Signature Algorithm: md5WithRSAEncryption
Is it failing because of the (unapproved) md5 signature algorithm? ... N
---
Nou Dadoun
ndad...@teradici.com
604-628
ok==0 (when called with the non-fips library both oks are ==1) - why two
calls?
Why is it failing with the fips library and passing with the non-fips library -
does it have anything to do with the 1024 bit key? (i.e. 2048 and 4096-key
certs both work, and the ca cert has a 2048-bit k
topped me before).
But I thought I'd throw out a general query, is there any simple mechanism for
simply extracting the string (or strings) which define the x509 Subject
Alternative Names for simple string matching?
Thanks ... N
---
ck or something
like that.)
Thanks ... N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
You're right about it being non-obvious but I got it working, thanks! ... N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Dr. Stephen Henson
Sent: May 10, 2012 3:47
...) provides a user argument which works
great.)
Any suggestions on how to get around this problem?
(Did I mention that I'm doing this in boost? That shouldn't have any bearing
on the solution though.)
---
Nou Dadoun
ndad...@
be usable for the certificate the client presents
in the case of mutual authentication?
(Pointers to documentation if any would be sufficient!)
Thanks N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
e various algorithm deployments scenarios) so
it's still a little mysterious why the two would interfere with each other! It
would seem to be right down in the crypto algorithm code because that seems to
be all that they have in common. That's why a total scrub cleanup function
would b
r your own purposes which can be dangerous if you're not
careful.
3. I think I've answered that above N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Dinh,
all is 1 and the
second is 0 with a "signature error" reported.
Why is it called twice and what's the difference? (I suspect the second is
signature checking and the first is everything else but I'm curious).
Thanks in advance ... N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
32 or so has some sample code you can probably modify.
Standard warnings apply N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Srihari, Gautam
Sent: April 10, 2012 3:
Sorry I knew I'd forget something, I've put the my_rsa_key declaration and
initialization in the right place marked / here / ... N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@o
I've tried reversing the encrypted buffer, all to no avail.
Am I missing something here? Thanks in advance N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
ion of the windows cert store to look in for
the certificate that I want to use being selecting the actual certificate, and
it's not clear how I would do that, thanks again for your help ... N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
-Original Message-
From: o
is doing - the ms docs
are woefully inadequate) but if anyone has pointers on information on how to
use the capi engine, I'd greatly appreciate it, thanks! ... N
---
Nou Dadoun
ndad...@teradici.com
604-628-1215
-Original Message-
From: owner-openssl-us...@openssl.org [mai
then have the engine use that
certificate for the ssl handshake to the peer.
I've read the O'Reilly section on Engines but it's pretty rudimentary and
doesn't touch the capi engine, do you have a pointer to any user documentation
that might have some examples on using the
'm experiencing can't be unique to my
setup. Anyone have any suggestions?
I can post code on request but thought I'd start with a high-level description
of the problem to avoid clouding the issue too much.
thanks in advance ... Nou
---
Nou Dadoun
n