On Mon, Dec 27, 2010 at 6:47 AM, Henrik Grindal Bakken wrote:
3) obtaining your own from-scratch validation starting with the
1.0.0 baseline. Good luck with that, you have a long row to hoe.
We're going for 3), but as I said, our crypto module is not OpenSSL,
it's the entire product, so the O
Jeff,
The fipscanister's integrity test must be called before main(), and that's why
fipsld does what it does. The process to load it and verify it is given (in
source form) in the fips-1.2.0 package, and those bits can be located as well
as the compiled bits of the canister itself.
I think
OPENSSL_FIPS=1 causes openssl to invoke FIPS_mode_set(1). Once that occurs,
MD5 is a prohibited algorithm unless it's explicitly limited to the TLSv1 PRF
(and that only because SHA is also used). If an MD5 operation completes
successfully, it's not a FIPS canister that's running the cryptogra
Export the environment variable OPENSSL_FIPS=1, and then try openssl md5?
-Kyle H
On Tue, Dec 21, 2010 at 1:04 PM, Zamora, Robert
wrote:
Is there a way to determine if OpenSSL binaries were compiled with the FIPS
"certified" module v1.2.x ? Compiling OpenSSL FIPS test module gives me the
s
On Mon, Nov 29, 2010 at 3:36 PM, Dr. Stephen Henson wrote:
If there were any extensions in the server certificate that wouldn't happen
but the command you create the server certificate with doesn't include any and
ends up creating the deprecated V1 certificate format.
Should this behavior b
On Wed, Oct 13, 2010 at 1:21 PM, Bill Durant wrote:
Here is the result with fipsld in debug mode:
[snip]
$ ldd foobar
linux-gate.so.1 => (0x003ab000)
--> libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0x006e1000)
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00e8a000)
On Wed, Oct 13, 2010 at 5:32 PM, Bill Durant wrote:
That may not be sufficient, can ldfips be modified(?), it's certainly
needed to link
static to the fips canister. I'd put your energies into building a dylib
which would
give you a smidge more flexibility.
fipsld can be modified, as it is
If you generate multiple certs with the same serial number, Firefox (and anything built
with NSS) will absolutely refuse to have anything to do with those sites. There's no
"click 3 times to get access", it's a simple refusal to talk with a
non-standards-compliant server. (Of course, this put
Remember that you need to include -showcerts in the s_client line to get it to
dump certificates.
-Kyle H
On Mon, Sep 13, 2010 at 6:04 PM, Tim Hudson wrote:
> Also, gnutls-client works correctly and lists the entire CA chain, which
would also seem to indicate the server is supplying them.
C
On Tue, Aug 31, 2010 at 2:13 PM, David Woodhouse wrote:
In my VPN client I'd like to warn the user when their certificate is
almost out of date.
Is there a way to get the client certificate from the SSL_CTX after the
client cert has been loaded?
Apparently not directly. You can, though, cr
This is not an openssl question, nor even an Apache httpd question. It is more
appropriately a Firefox question, and the symptoms match the semantics of the "mixed
content error".
If any media included on the page (image, audio, video, flash applet, java
applet, etc) is served from any insecu
Title: Re:
openssl and PeopleSoft
The key that is sought in this
field is a symmetric key, not an asymmetric key. This means that RSA
is not
the correct type of key.
Randomly generate a value, or use a
particular passphrase and feed it into a key-derivation function for the
number of bits in
Use the '-issuer_checks' parameter to show exactly what it's looking for and
where it's looking for it.
At 'depth 1' (i.e., one step above the end-entity certificate), it's looking
for the issuer (which means it's looking for the USERTRUST root certificate).
-Kyle H
On Thu, Sep 2, 2010 at 9:3
In the case of a DNS attack, the only information that your users can rely upon
is information which comes out of the PKI. If your attackers can attack both
DNS and the PKI, then you're 0wned, game over.
Otherwise, if DNS is completely attacked but you can still have some trust in
the PKI, yo
On first glance, it's rather stupid, but Apache (partly due to baggage from the
underlying OpenSSL, but this baggage was unavoidable) requires the end-entity
certificate (the certificate which contains the public key for which you have
the private key) to be loaded separately from the chain tha
You're looking at a couple of issues here. (First, please be aware that this
is the OpenSSL users list, not necessary a mod_ssl support list; however, since
they're intertwined, we do have some knowledge of mod_ssl.)
What you need to do is change that from 'SSLCACertificateFile' to
'SSLCACert
A private key has (to the best of our knowledge -- we don't know everything
about mathematics) a precise 1 to 1 correspondence with a public key, and a 1
to 1 correspondence from a public key to a private key.
But I can't imagine why you'd want to present a different certificate to the
client
Run mmc.exe (Microsoft Management Console), add the "Certificates" snap-in, and
then export the certificate and private key to a PKCS#12 file. Then use openssl pkcs12
to parse it.
-Kyle H
On Wed, Jun 23, 2010 at 3:43 PM, Harshvir Sidhu wrote:
Hi All,
I am trying to read Certificates and
Run mmc.exe (Microsoft Management Console), add the "Certificates" snap-in, and
then export the certificate and private key to a PKCS#12 file. Then use openssl pkcs12
to parse it.
-Kyle H
On Wed, Jun 23, 2010 at 3:43 PM, Harshvir Sidhu wrote:
Hi All,
I am trying to read Certificates and
On Thu, Jun 17, 2010 at 8:10 PM, Dave Thompson wrote:
There should be no technical problem signing a child cert with
a different keylength, or algorithm. It's even fairly common for
a child cert to have a smaller/weaker key than the CA. It's
somewhat silly for the child to be larger/stronger,
Responses inline. :)
On Tue, Jan 12, 2010 at 3:12 AM, Steffen DETTMER
wrote:
Hi,
thank you too for the detailed explanation. But the impact on
the client certificates (and its correct validation etc) is not
clear to me (so I ask inline in the second half of this mail).
* Kyle Hamilton wrote
If a certificate does not have the standard keyUsage: signature, then that
certificate cannot sign any message, at all. No email, no client signature of
TLS authentication parameters, nothing.
-Kyle H
On Wed, Oct 28, 2009 at 9:10 AM, Mourad Cherfaoui (mcherfao)
wrote:
Thanks Steve,
Yes, t
CRYPTO_malloc is an internally-used function, to allocate memory. In any
event, though, do you do an earlier CRYPTO_malloc_init?
http://openssl.org/support/faq.html#PROG2
-Kyle H
On Thu, Oct 29, 2009 at 11:23 AM, Josue Andrade Gomes
wrote:
Hi,
Shortly: HP Insight Manager (a management too
On Wed, Oct 14, 2009 at 9:55 AM, Rij wrote:
Hello everyone,
I need a deeper understanding of SSL_read()/SSL_write() and was
wondering if someone could please provide some insight.
As far as I understand, OpenSSL has is a record-oriented protocol.
Lets say the record size is 16K. Let's say a
24 matches
Mail list logo