Re: [openssl-users] FIPS certification for openssl

2017-12-04 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > Of Salz, Rich via openssl-users > Sent: Saturday, December 02, 2017 11:42 > > >My personal priority list for OpenSSL is bug fixes and code cleanup > > (static > > and dynamic analysis of the 1.1.x codebase would be

Re: [openssl-users] FIPS certification for openssl

2017-12-02 Thread Jordan Brown
On 12/2/2017 6:35 AM, Michael Wojcik wrote: > My personal priority list for OpenSSL is bug fixes and code cleanup > (static and dynamic analysis of the 1.1.x codebase would be good, and > one of these days I'll get around to doing it myself), and continuing > the TLSv1.3 implementation until that

Re: [openssl-users] FIPS certification for openssl

2017-12-02 Thread Salz, Rich via openssl-users
>My personal priority list for OpenSSL is bug fixes and code cleanup > (static and dynamic analysis of the 1.1.x codebase would be good, and one of > these days I'll get around to doing it myself), We do run Coverity weekly, and anyone can sign up to see the results BTW

Re: [openssl-users] FIPS certification for openssl

2017-12-02 Thread Michael Wojcik
> From: Jordan Brown [mailto:open...@jordan.maileater.net] > Sent: Friday, December 01, 2017 19:48 > On 12/1/2017 2:57 PM, Michael Wojcik wrote: > > Of course, anyone's free to write their own API on top of what OpenSSL > > provides, and even make a pull request to > > contribute it to the

Re: [openssl-users] FIPS certification for openssl

2017-12-01 Thread debbie10t
Hi there, long time lurker .. This sort of thing is a Remarkably Unique Occasion ... Personally, I do subscribe here for genuine, up to date, informative and even humorous (on occasion) information. I do not expect this to be the sole source of my knowledge. But .. I did learn of the

Re: [openssl-users] FIPS certification for openssl

2017-12-01 Thread Jordan Brown
On 12/1/2017 2:57 PM, Michael Wojcik wrote: >> Yes, compatibility is a concern.  So make the "default to secure" options be >> new functions. > That's certainly better than what you proposed in your previous messages. Sorry, I wasn't trying to propose any particular concrete interfaces.  I was

Re: [openssl-users] FIPS certification for openssl

2017-12-01 Thread Michael Wojcik
> From: Jordan Brown [mailto:open...@jordan.maileater.net] > Sent: Friday, December 01, 2017 17:18 > On 11/30/2017 5:41 AM, Michael Wojcik wrote: > > There are a great many OpenSSL consumers. Making radical changes to the > > default behavior of the API would break > > many applications - and

Re: [openssl-users] FIPS certification for openssl

2017-12-01 Thread Jordan Brown
On 11/30/2017 5:41 AM, Michael Wojcik wrote: > There are a great many OpenSSL consumers. Making radical changes to the > default behavior of the API would break many applications - and so it's > likely those applications would stop updating their OpenSSL builds. Yes, compatibility is a concern. 

Re: [openssl-users] FIPS certification for openssl

2017-11-30 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of > Jordan Brown > Sent: Thursday, November 30, 2017 00:34 > On 11/29/2017 6:13 PM, Salz, Rich via openssl-users wrote: > > I agree with you, but a problem is that “safe and secure” changes over time > > when new 

Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Jordan Brown
On 11/29/2017 6:13 PM, Salz, Rich via openssl-users wrote: > I agree with you, but a problem is that “safe and secure” changes over > time when new crypto and other new features are added. And then users > get upset when their connections no longer work. Agreed, that's a tough trade-off. Still,

Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Salz, Rich via openssl-users
> My number one complaint is that it seems like the defaults are generally set > up to do the wrong things, and the application has to either explicitly set > "yes, you should be secure" options or do stuff on its own. This seems to > have been getting better - gaining hostname validation, for

Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Jordan Brown
On 11/29/2017 8:53 AM, Salz, Rich via openssl-users wrote: > I am biased, but I believe the project is better, by almost any > metric, than it used to be. If you have specific suggestions for how > you think it could be improved, it would be great to see them. My number one complaint is that it

Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Salz, Rich via openssl-users
> It probably wouldn't hurt to post something to the lists when there's a blog post with news like this - items that subscribers would likely feel are important. Blog posts like the recent "OpenSSL in China" series probably don't need to be mentioned on the lists. But it's subjective, and I

Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > Of Salz, Rich via openssl-users > Sent: Wednesday, November 29, 2017 11:54 > To: openssl-users@openssl.org > Subject: Re: [openssl-users] FIPS certification for openssl > [I wrote:] > > Tha

Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Mark Minnoch
If you need a FIPS resource for the OpenSSL FIPS Object Module -- my business partner (Steve Weymann) and I worked with Steve Marquess when we were at a FIPS Testing Lab to achieve the FIPS 140-2 Cert. #1747 for the OpenSSL FIPS Object Module. We are now helping technology companies that need

Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Salz, Rich via openssl-users
> That said, it wouldn't hurt for the OMC to post a message to the list stating > that business will continue as planned, since two very key figures have left > the project. I have two reactions, just my personal view. First, it’s premature to say anything, we’re still figuring things out.

Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Jakob Bohm
On 29/11/2017 14:58, Michael Wojcik wrote: From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Sandeep Umesh Sent: Wednesday, November 29, 2017 07:30 To: openssl-users@openssl.org; i...@openssl.org As per this blog:

Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Salz, Rich via openssl-users
7 at 7:30 AM To: openssl-users <openssl-users@openssl.org>, "i...@openssl.org" <i...@openssl.org> Subject: [openssl-users] FIPS certification for openssl Hello As per this blog: https://www.openssl.org/blog/blog/2017/10/27/steve-marquess/<https://url

Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of > Sandeep Umesh > Sent: Wednesday, November 29, 2017 07:30 > To: openssl-users@openssl.org; i...@openssl.org > As per this blog: > https://www.openssl.org/blog/blog/2017/10/27/steve-marquess/ Thanks for pointing that

[openssl-users] FIPS certification for openssl

2017-11-29 Thread Sandeep Umesh
Hello As per this blog: https://www.openssl.org/blog/blog/2017/10/27/steve-marquess/ Steve who is instrumental in handling FIPS certification for openssl object module is no more associated with OSF. How can we proceed for future FIPS certification ? Is there any other contact person to perform

Re: [openssl-users] FIPS Certification

2016-01-27 Thread Steve Marquess
On 01/27/2016 10:24 AM, Imran Ali wrote: > All, > > > > Looking at the website > http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm > > > > There is a new date of 01/25/2016 under Validation against OpenSSL > Software Foundation (2473). Does that mean

Re: [openssl-users] FIPS Certification

2016-01-27 Thread Imran Ali
on the certification or these libraries can now be used on any OS. Regards, Imran -Original Message- From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Jakob Bohm Sent: 27 January 2016 15:54 To: openssl-users@openssl.org Subject: Re: [openssl-users] FIPS Certification

Re: [openssl-users] FIPS Certification

2016-01-27 Thread Steve Marquess
On 01/27/2016 11:34 AM, Imran Ali wrote: > I might be asking a very basic question so do apologies > upfront but I need to have a clear understanding on this. > > The platforms mentioned under #1747 and #2473 does not contain the > latest versions of Operating System e.g. Windows 2012 R2

[openssl-users] FIPS Certification

2016-01-27 Thread Imran Ali
All, Looking at the website http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm There is a new date of 01/25/2016 under Validation against OpenSSL Software Foundation (2473). Does that mean that we now have a FIPS compliant Open SSL again? Regards, Imran

Re: [openssl-users] FIPS Certification

2016-01-27 Thread Jakob Bohm
On 27/01/2016 16:24, Imran Ali wrote: All, Looking at the website http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm There is a new date of 01/25/2016 under Validation against OpenSSL Software Foundation (2473). Does that mean that we now have a FIPS

Re: [openssl-users] FIPS Certification

2016-01-27 Thread Salz, Rich
>Everybody else is better off not trying to use FIPS-restricted modes and >setups. Strongly agree!! ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] FIPS Certification

2016-01-27 Thread Imran Ali
/ms724832(v=vs.85).aspx Regards, Imran -Original Message- From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Steve Marquess Sent: 27 January 2016 16:55 To: openssl-users@openssl.org Subject: Re: [openssl-users] FIPS Certification On 01/27/2016 11:34 AM, Imran Ali wrote

Re: [openssl-users] FIPS Certification

2016-01-27 Thread Steve Marquess
On 01/27/2016 11:54 AM, Jakob Bohm wrote: > The unfortunate people who are legally required to use > FIPS-validated crypto are legally restricted to use > *only* the crypto sw/hw on the FIPS validated list and > *only* in the specific configurations (OS etc.) listed > for each on that list. Well,

Re: [openssl-users] FIPS Certification

2016-01-27 Thread Steve Marquess
On 01/27/2016 01:19 PM, Imran Ali wrote: > Thanks Steve - for the explanation. > > We are using these libraries for Windows 2012 R2 which is 6.3 and > certificate #1747 mentions Windows 7 which is 6.1. I am hoping based on below > that we are OK to use it under Windows 2012 R2 > >

Re: [openssl-users] FIPS certification for AES GCM mode algorithm

2015-11-27 Thread Leon Brits
To answer my own question: Use 512, 1024 and 504, 1016 in both cases

[openssl-users] FIPS certification for AES GCM mode algorithm

2015-11-17 Thread Leon Brits
Hi all, We are using the OpenSSL FIPS module v2.0 and are in the process of certifying the algorithms for our implementation. As part of this process there are different types of questionnaires about the algorithms. The questionnaire for AES GCM mode asks: : : Input Data Lengths (0 to 65536