Step a. needs to verify the digest with an existing FIPS 140-2 validated
cryptography implementation. Otherwise, to my understanding, this is the
correct sequence of events.
Do note that after building the fipscanister.lib, you will want to digest
it and print it on a certification letter that
Unless your product (application) is listed on the certificate, it is
not FIPS 140-2 certified.
Similarly, if you build your own car and drop in an OEM Ford engine,
your car does not become a Ford.
On Wed, 3 Jul 2019 at 13:35, Dipak B wrote:
>
> Hi,
>
> Thank you for the quick an
No, strictly speaking, you cannot. Just because you use a FIPS 140-2
certified cryptographic module doesn't mean that your application is
FIPS 140-2 certified. It means that your application includes (or
uses) a FIPS 140-2 certified cryptographic module. Or, as it is
sometimes called, "F
Hi,
Thank you for the quick answer.
Both the questions have subtle difference. My apology they appear almost
same.
So, to clear my doubts, following is my understanding
a) An application is FIPS 140-2 certified if and only if it links directly
to 'fipscanister.lib'.
b) Application w
Didn’t you just ask this question? :)
If you followed the Win32 build instructions *exactly* and you build your
application to turn on FIPS mode and link against the canister, then yes.
If you made changes to the process, then no.
Dear Experts,
Can you please help with the following questions?
All inputs are appreciated.
a) Can we call a Win32 application built with FIPS Capable OpenSSL as FIPS
140-2 Certified in strict sense?
where FIPS Capable OpenSSL is OpenSSL built using the FOM (fipscanister.lib)
I am seeking
Dear Experts,
Can you please help me with the following question?
My win32 desktop application uses 'libcurl' to interact with web service,
in order to get my application FIPS 140-2 certified, following is the plan
which I arrived at after going through the 'User Guide'
On 02/07/2019 22:13, Larry Jordan via openssl-users wrote:
I want to build an openssl-fips canister to force IANA cipher suite
compliance.
With the help of an openssl-iana mapping
(https://testssl.sh/openssl-iana.mapping.html) I can identify the
corresponding OpenSSL cipher suites.
Not
Hi
I have two queries. I am new to FIPS validation.
The first query is
1. We have a system which is using Arm Cortex-A9 on ThreadX.
If I cross compile FIPS module 2.0.16 for Threadx ( Arm Cortex-A9 ) and use
openssl 1.0.2s. Can we claim that our product is FIPS compliant ?
The second query is
2
I want to build an openssl-fips canister to force IANA cipher suite compliance.
With the help of an openssl-iana mapping
(https://testssl.sh/openssl-iana.mapping.html) I can identify the corresponding
OpenSSL cipher suites.
IANA
Hi all,
Need help in resolving an error or understanding the flow.
Openssl library we are using is FIPS capable.
Openssl version is 1.0.2n with fips-2.0.16
Platform: Linux version 3.10.38-ltsi-WR6.0.0.11_standard (gcc version 4.8.1)
We have an application which uses libssl and libcrypto for its
986> for Windows 10
From: openssl-users on behalf of Yi tiger
Sent: Wednesday, June 12, 2019 11:31:37 PM
To: openssl-users@openssl.org
Subject: RSA public and private key encrypt with fips issue
Hi guys,
I have downloaded openssl 1.0.2s and fips 2.0.16 and
Hi guys,
I have downloaded openssl 1.0.2s and fips 2.0.16 and built successfully on
windows and then I tried to write a simple app that encrypts with the public key and
decrypts with the private key. But it failed to decrypt with the private key when fips
mode is turned on; decryption succeeds if fips is turned
On Thu, Jun 6, 2019 at 2:34 PM Larry Jordan via openssl-users <
openssl-users@openssl.org> wrote:
> Re: openssl-1.0.2r
>
> Re: openssl-fips-2.0.16
>
> OS: Linux Mint 19.1 (Ubuntu)
>
>
>
> I have added a shared library initializer function to cryptlib.c to force
Assuming your OpenSSL library is already FIPS capable you need to build and
link with the FIPS container library enable the integrity check in your app.
Details are in section C.1 of the FIPS user guide at
https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
On Thu, Jun 6, 2019 at 2:34 PM Larry
Re: openssl-1.0.2r
Re: openssl-fips-2.0.16
OS: Linux Mint 19.1 (Ubuntu)
I have added a shared library initializer function to cryptlib.c to force
OpenSSL into FIPS mode, without requiring a “module operator” to directly
initiate (i.e. call FIPS_mode_set(1)).
void __attribute__((constructor
In answer to the second question: there will *never* be a FIPS module for any
1.1.1 OpenSSL version.
The next version of OpenSSL will be 3.0.0 and it will support FIPS.
There will be a gap in FIPS support between the end of life of 1.0.2 and the
validation of 3.0.0.
Pauli
--
Dr Paul Dale
On 5/16/19 12:14 PM, Michael Wojcik wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
shiva kumar
Sent: Thursday, May 16, 2019 04:30
1) If I upgrade to 1.1.1b will it cause any problem to other applications? which
uses openssl for communications. ( say apache
temporary protocols and algorithms.
Since there have been many versions of Apache, and it offers a multitude of
configurations, it's impossible to guess whether you'd have interoperability
issues with it.
> 2) can I expect FIPS module for 1.1.1b as well ?
No. This has been discussed
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Jakob Bohm via openssl-users
> Sent: Thursday, May 16, 2019 02:21
>
> On 16/05/2019 02:11, Paul Dale wrote:
> > Just noting that any module built in this manner is *not* FIPS compliant.
> >
Hi,
I wanted to move from OpenSSL 1.0.2r to 1.1.1b. I have some doubts they are
1) If I upgrade to 1.1.1b will it cause any problem to other applications?
which uses openssl for communications. ( say apache http server ).
2) can I expect FIPS module for 1.1.1b as well ?
3) since OpenSSL 1.1.1b
On 16/05/2019 02:11, Paul Dale wrote:
Just noting that any module built in this manner is *not* FIPS compliant.
The distribution must be unmodified and build exactly as per the documentation.
Any change to the files or the build process renders the result invalid from a
FIPS perspective
Just noting that any module built in this manner is *not* FIPS compliant.
The distribution must be unmodified and build exactly as per the documentation.
Any change to the files or the build process renders the result invalid from a
FIPS perspective.
Pauli
--
Oracle
Dr Paul Dale
I was able to generate FIPS Object Module - fipscanister.o
fipscanister.o.sha1 fips_premain.c fips_premain.c.sha1 successfully but
now stuck in generating Build the FIPS capable library.
followed below steps:
$ . ./setenv-android.sh
$ cd openssl-1.0.1e/
Next, fix the makefile and run
Hi,
I am trying to build the FIPS object module using the fips library
openssl-fips-2.0.16 on Ubuntu 18.04 for x86 arch.
I am following the steps in
https://wiki.openssl.org/index.php/FIPS_Library_and_Android
below steps are followed to Build the FIPS Object Module:
$ . ./setenv-android.sh
$ cd
There is no confirmed timeline for FIPS availability for OpenSSL 3.0. There
will never be a FIPS 1.1.1 version.
It is almost certain that there will be a gap between the end of support of
1.0.2 (end of this year) and a FIPS validated 3.0 release. If FIPS is vital
for you then there is an
Hi
Can you please tell me what is the plan for fips certification for
openssl1.1.1, when the fips version will be available ?
Regards
Manish
was argued that this was invalid use from a FIPS
> perspective. Now, we can't actually stop any application from doing
> this, sure! But...
>
> No, it's not illegal -- FIPS code being used for all FIPS operations.
>
> > If the EVP API does the digesting w
> There are two options. First, the application does the digest and
> sign as two separate things.
My memory is a foggy surrounding that scenario, so I might be wrong,
but I think it was argued that this was invalid use from a FIPS
perspective. Now, we can'
From https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
I got these lines
"OpenSSL provides mechanisms for interfacing with external cryptographic
devices, such as
accelerator cards, via “ENGINES.” This mechanism is not disabled in FIPS
mode. In general, if a
FIPS validated crypt
rithms may come from different
> providers or the same one. In the case of the FIPS module the
> algorithms must both come from the same FIPS module provider. The
> operation will fail if an attempt is made to do otherwise.
>
> Ref:
> https://www.openssl.org/docs/OpenS
On Thu, 28 Feb 2019 00:51:24 +0100,
Dr. Matthias St. Pierre wrote:
>
>
> > Uhm, I'm confused. I thought we were talking about 3.0?
>
> Well, the original post started at FIPS 2.0:
>
> > I am using openssl-fips-2.0.16 and openssl-1.0.2e.
> https://mta.
involves two algorithms: a signing algorithm, and a digest
> algorithm. In general those two algorithms may come from different
> providers or the same one. In the case of the FIPS module the
> algorithms must both come from the same FIPS module provider. The
>
> Uhm, I'm confused. I thought we were talking about 3.0?
Well, the original post started at FIPS 2.0:
> I am using openssl-fips-2.0.16 and openssl-1.0.2e.
https://mta.openssl.org/pipermail/openssl-users/2019-February/009919.html
But it seems like the discussion in the thread ha
general those two algorithms may come from different
providers or the same one. In the case of the FIPS module the
algorithms must both come from the same FIPS module provider. The
operation will fail if an attempt is made to do otherwise.
There are two options. First, th
Uhm, I'm confused. I thought we were talking about 3.0?
"Dr. Matthias St. Pierre" wrote: (27 February
2019 23:34:23 CET)
>
>> -Original Message-
>> > >I always understood "FIPS-capable OpenSSL" to refer
>specifically to
> -Original Message-
> > >I always understood "FIPS-capable OpenSSL" to refer specifically to an
> > OpenSSL compiled with the options to incorporate the FIPS canister
> > module, not just any OpenSSL build that might be used in FIPS
On Wed, 27 Feb 2019 22:54:41 +0100,
Salz, Rich via openssl-users wrote:
>
> >I always understood "FIPS-capable OpenSSL" to refer specifically to an
> OpenSSL compiled with the options to incorporate the FIPS canister
> module, not just any OpenSSL build t
>I always understood "FIPS-capable OpenSSL" to refer specifically to an
OpenSSL compiled with the options to incorporate the FIPS canister
module, not just any OpenSSL build that might be used in FIPS compliant
applications (as that would be any OpenSSL at all).
validation.
I believe the context here is one I also mentioned in my comment on
the 3.0 draft spec:
- OpenSSL FIPS Module provides FIPS validated software implementations of
all/most of the permitted algorithms.
- Engine provides FIPS validated (hardware?) implementations of one or
more
>
>
> I believe the context here is one I also mentioned in my comment on
> the 3.0 draft spec:
>
> - OpenSSL FIPS Module provides FIPS validated software implementations of
> all/most of the permitted algorithms.
> - Engine provides FIPS validated (hardware?) implementation
On 27/02/2019 20:59, Salz, Rich via openssl-users wrote:
If you change a single line of code or do not build it EXACTLY as documented,
you cannot claim to use the OpenSSL validation.
I believe the context here is one I also mentioned in my comment on
the 3.0 draft spec:
- OpenSSL FIPS
If you change a single line of code or do not build it EXACTLY as documented,
you cannot claim to use the OpenSSL validation.
No.
The OpenSSL FIPS Module is not written that way. It should not be permitting
any non-FIPS implementations (see Rich's email regarding a bug).
You could write your own engine, get that FIPS certified, and run it with
plain, vanilla OpenSSL.
There's a design spec out for OpenSSL
The requirement here is, to offload my "engine supported fips-compliant
methods" to engine and other "fips-compliant" functions to openssl
dynamically. Here I need to use openssl-fips module I guess.
--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
Thanks for the reply.
With non-fips openssl, it is possible to write my own fips-module. I
understood.
But, is it possible for me to write a fips-compliant/fips validated "dynamic
engine" with openssl-fips? Which allows me to offload "fips-compliant"
functions to my
To clarify here, using the OpenSSL FIPS implementation does not allow you to
claim “FIPS Validated”, rather this would be “FIPS Compliant”. If you want to
claim “FIPS Validated”, you must get your own validation for your
implementation regardless of what you are using, OpenSSL FIPS module or
* Which means in fips mode ciphers never gets offloaded to engine?
* All other functions (digest, RSA etc) , it first updates to fips
function, and then engine function. Why only ciphers has this different
behaviour?
That seems like a bug. In FIPS mode you can only use the FIPS
Hi,
I am unable to use AES-cipher offload to my engine even though it was
registered with the proper flag (EVP_CIPH_FLAG_FIPS). I was able to use
RSA, digests, and ECDSA to the engine with corresponding flags.
I am using openssl-fips-2.0.16 and openssl-1.0.2e.
OPENSSL_FIPS is set.
I come
On Sat, 23 Feb 2019 21:47:00 +0100,
Dmitry Belyavsky wrote:
>
>
> Dear Richard,
>
> On Sat, Feb 23, 2019 at 8:47 AM Richard Levitte wrote:
>
> Since our RAND API is separate from the EVP API, I'm unsure how we
> plan on getting custom RAND_methods from providers.
>
> Please no
On Mon, 25 Feb 2019 00:40:51 +0100,
Michael Richardson wrote:
> I think that the #define/enum of NIDs should be made internal-only,
> available as optimization to internal code only.
Having asked around a bit on this, that was the original intention...
However, in an old era of having everything i
Dear Dr Paul,
I think this change is somewhere in a gray zone.
On Mon, Feb 25, 2019 at 1:37 PM Dr Paul Dale wrote:
> I don’t think that new OIDs or NIDs are considered breaking.
> Changing existing ones definitely is, but that’s an entirely different
> proposition.
>
>
> Pauli
> --
> Dr P
I don’t think that new OIDs or NIDs are considered breaking. Changing
existing ones definitely is, but that’s an entirely different proposition.
Pauli
--
Dr Paul Dale | Cryptographer | Network Security & Encryption
Phone +61 7 3031 7217
Oracle Australia
> On 25 Feb 2019, at 5:02 pm,
Dear Michael,
On Mon, Feb 25, 2019 at 2:41 AM Michael Richardson wrote:
>
> Not sure who Matt quoted, wrote:
> >> 2. Can we do something with a bunch of hard-linked non-extendable
> >> lists of internal NIDs?
> >>
> >> For example, providing GOST algorithms always requires a patc
On Sun, Feb 24, 2019 at 11:31 PM Viktor Dukhovni
wrote:
> On Thu, Feb 21, 2019 at 04:20:53PM +, Matt Caswell wrote:
>
> > > 2. Can we do something with a bunch of hard-linked non-extendable
> lists of
> > > internal NIDs?
> >
> > > For example, providing GOST algorithms always requires a patc
Not sure who Matt quoted, wrote:
>> 2. Can we do something with a bunch of hard-linked non-extendable
>> lists of internal NIDs?
>>
>> For example, providing GOST algorithms always requires a patch to
>> extend 3-5
>> internal lists.
>> If it could be done dynamically,
On Thu, Feb 21, 2019 at 04:20:53PM +, Matt Caswell wrote:
> > 2. Can we do something with a bunch of hard-linked non-extendable lists of
> > internal NIDs?
>
> > For example, providing GOST algorithms always requires a patch to extend 3-5
> > internal lists.
> > If it could be done dynamically
019 at 9:30 PM Matt Caswell > > <mailto:m...@openssl.org>> wrote:
> > >
> > > Please see my blog post for an OpenSSL 3.0 and FIPS Update:
> > >
> > > https://www.openssl.org/blog/blog/2019/02/13/FIPS-update/
> > >
> > >
>
On Thu, 21 Feb 2019 17:20:53 +0100,
Matt Caswell wrote:
> On 21/02/2019 15:02, Dmitry Belyavsky wrote:
> > Dear Matt
> >
> >
> >
> > On Wed, Feb 13, 2019 at 9:30 PM Matt Caswell > <mailto:m...@openssl.org>> wrote:
> >
> > P
On 21/02/2019 15:02, Dmitry Belyavsky wrote:
> Dear Matt
>
>
>
> On Wed, Feb 13, 2019 at 9:30 PM Matt Caswell <mailto:m...@openssl.org>> wrote:
>
> Please see my blog post for an OpenSSL 3.0 and FIPS Update:
>
> https://www.openssl.
Dear Matt
On Wed, Feb 13, 2019 at 9:30 PM Matt Caswell wrote:
> Please see my blog post for an OpenSSL 3.0 and FIPS Update:
>
> https://www.openssl.org/blog/blog/2019/02/13/FIPS-update/
After reading the proposed architecture description, I have some questions
that are very impo
Thanks for the speculation on validated platforms, Mark. Please be careful
about using this resource as a medium for self-promotion.
- Walt
Walter Paley
w...@safelogic.com
SafeLogic - FIPS 140-2 Simplified
On 15/02/2019 19:03, Sam Roberts wrote:
> I don't see a FIPS repo in https://github.com/openssl, or a FIPS
> branch in https://github.com/openssl/openssl/branches/all
>
> Has coding started? If so, is it visible anywhere? If not, where
> should we watch for when it does?
On Fri, 15 Feb 2019 20:03:33 +0100,
Sam Roberts wrote:
>
> I don't see a FIPS repo in https://github.com/openssl, or a FIPS
> branch in https://github.com/openssl/openssl/branches/all
>
> Has coding started? If so, is it visible anywhere? If not, where
> should we watch fo
I don't see a FIPS repo in https://github.com/openssl, or a FIPS
branch in https://github.com/openssl/openssl/branches/all
Has coding started? If so, is it visible anywhere? If not, where
should we watch for when it does?
The FIPS design doc looks like lots of thought has gone into it, whi
Responding to some earlier questions:
> Can you give any guidance on which platforms will be validated with the
OpenSSL FIPS 3.0 module? My recollection is that it will only be a handful
of platforms.
I would expect the number of platforms to be small. The wonderful 5
sponsors of the F
se since there's
only one runtime that works with the one FIPS module.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
e full tarball?
I do not believe this has been discussed within the FIPS sponsors.
>(If there are answers in the FIPS 3.0.0 draft spec, they need repeating).
Or a more careful reading. :)
>So right now, FIPS-validated users are left hanging, with no date to
get a 3.0.0
Can you give any guidance on which platforms will be validated with the OpenSSL
FIPS 3.0 module? My recollection is that it will only be a handful of
platforms. It would be helpful to have an idea which platforms will and will
not be included. Any additional information about how other
anks,
Mark Ludwig
-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Jakob Bohm via openssl-users
Sent: Thursday, February 14, 2019 10:34 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] OpenSSL 3.0 and FIPS Update
On 13/02/2019 2
On 14/02/2019 16:34, Jakob Bohm via openssl-users wrote:
> On 13/02/2019 20:12, Matt Caswell wrote:
>>
>> On 13/02/2019 17:32, Jakob Bohm via openssl-users wrote:
>>> On 13/02/2019 12:26, Matt Caswell wrote:
>>>> Please see my blog post for an OpenSSL
On 13/02/2019 20:12, Matt Caswell wrote:
On 13/02/2019 17:32, Jakob Bohm via openssl-users wrote:
On 13/02/2019 12:26, Matt Caswell wrote:
Please see my blog post for an OpenSSL 3.0 and FIPS Update:
https://www.openssl.org/blog/blog/2019/02/13/FIPS-update/
Matt
Given this announcement, a
On 13/02/2019 20:28, Michael Richardson wrote:
>
> Matt Caswell wrote:
> > Please see my blog post for an OpenSSL 3.0 and FIPS Update:
>
> > https://www.openssl.org/blog/blog/2019/02/13/FIPS-update/
>
> Thank you, it is very useful to have these plans ma
Matt Caswell wrote:
> Please see my blog post for an OpenSSL 3.0 and FIPS Update:
> https://www.openssl.org/blog/blog/2019/02/13/FIPS-update/
Thank you, it is very useful to have these plans made up front.
I think your posts should probably explain what happened to 2.x, and i
On 13/02/2019 17:32, Jakob Bohm via openssl-users wrote:
> On 13/02/2019 12:26, Matt Caswell wrote:
>> Please see my blog post for an OpenSSL 3.0 and FIPS Update:
>>
>> https://www.openssl.org/blog/blog/2019/02/13/FIPS-update/
>>
>> Matt
>
> Given t
On 13/02/2019 12:26, Matt Caswell wrote:
Please see my blog post for an OpenSSL 3.0 and FIPS Update:
https://www.openssl.org/blog/blog/2019/02/13/FIPS-update/
Matt
Given this announcement, a few questions arise:
- How will a FIPS provider in the main tarball ensure compliance
with the
On 13/02/2019 14:00, Jason Schultz wrote:
> Thanks for your response. A follow up question based on Matt Caswell's blog
> post: Does the blog post imply that the next FIPS module will be based on
> OpenSSL 3.0? Or is 3.0 a longer term thing and the next FIPS module will be
>
Thanks for your response. A follow up question based on Matt Caswell's blog
post: Does the blog post imply that the next FIPS module will be based on
OpenSSL 3.0? Or is 3.0 a longer term thing and the next FIPS module will be for
OpenSSL 1.1.1?
Thanks.
Please see my blog post for an OpenSSL 3.0 and FIPS Update:
https://www.openssl.org/blog/blog/2019/02/13/FIPS-update/
Matt
Hi Experts,
Looking for some assistance. I’ve compiled one of the Apps in FIPS mode, and
while running the App I’m getting a fingerprint mismatch error. I’ve followed
the standard procedure to build a FIPS module using OpenSSL UserGuide 2.0. But
not sure what part is missing.
:~$ openssl
February 2019 9:39 AM
To: openssl-users@openssl.org
Subject: [openssl-users] FIPS Module for OpenSSL 1.1.1
Just wondering if there is a time frame for the availability of the FIPS Module
for OpenSSL 1.1.1? Q3 2019? Q4?
I realize this has been asked before, but the most recent answer I
Just wondering if there is a time frame for the availability of the FIPS Module
for OpenSSL 1.1.1? Q3 2019? Q4?
I realize this has been asked before, but the most recent answer I found was
from several months ago, so I thought there might be new information.
Thanks in advance.
o this problem, so if this is a question that has been asked &
>> answered, please feel free to point me at the relevant location to read
>> about what I'm doing incorrectly. =)
>>
>> I'm not at all familiar with Windows & compiling Open Source project
point me at the relevant location to read about
> what I'm doing incorrectly. =)
>
> I'm not at all familiar with Windows & compiling Open Source projects, but I
> am having no trouble on Linux with OpenSSL + FIPS. On Windows, with Visual
> Studio 2017 (Community Editio
familiar with Windows & compiling Open Source projects, but I am
having no trouble on Linux with OpenSSL + FIPS. On Windows, with Visual Studio
2017 (Community Edition), I am able to compile the FIPS 2.0.16 module and
OpenSSL 1.0.2q (NO FIPS) without issue.
When I try to compile OpenSSL with the
| Network Security & Encryption
Phone +61 7 3031 7217
Oracle Australia
From: Alibek Jorajev via openssl-users [mailto:openssl-users@openssl.org]
Sent: Tuesday, 18 December 2018 8:10 PM
To: openssl-users@openssl.org
Subject: [openssl-users] FIPS module v3
Hi everyone,
I have been following Ope
via openssl-users [mailto:openssl-users@openssl.org]
Sent: Tuesday, 18 December 2018 8:10 PM
To: openssl-users@openssl.org
Subject: [openssl-users] FIPS module v3
Hi everyone,
I have been following OpenSSL blog and know that work on new OpenSSL FIPS
module has started. Current FIPS module (v.2) has
Hi everyone,
I have been following OpenSSL blog and know that work on new OpenSSL FIPS
module has started. Current FIPS module (v.2) has end of life (December 2019)
and I assume that new FIPS module will be by that time. but can someone tell
me - is there are approximate dates - will it be
* I want to use fips certify crypto libs. Is it possible to use crypto lib
from Openssl-fips 2.0.16 and ssl lib from Openssl1.1.1?
No, it is not possible. The current FIPS code only works with 1.0.2. The
project is working on a new FIPS module. You can find some details at the
blog
Hi
I want to use fips certify crypto libs. Is it possible to use crypto lib
from Openssl-fips 2.0.16 and ssl lib from Openssl1.1.1?
If yes, how can we use it? Please provide details.
Regards
Manish
It is early in the FIPS process. Design and planning stages. At this point,
we do not know for certain:
1. which algorithms will be validated;
2. what platforms they will be validated on or
3. when the formal validation will begin.
The decision making processes take time and while I
Dear Reader:
I know that it may be early in the FIPS process, so the answer may not be
ready. Could you provide us with more details as to the objectives for the
FIPS Object Module 3.0? In particular, my company would like to know the
estimated timetable for it to get certified, and whether
On Mon Sep 10 11:26:25 UTC 2018, Hubert Kario wrote:
> On Friday, 7 September 2018 20:18:38 CEST Alessandro Gherardi wrote:
>> I'm running Windows 10.
>> I downloaded the FIPS module sources
>> from https://www.openssl.org/source/openssl-fips-2.0.16.tar.gz and the
>
hi all,
I set the fips mode and call the RAND_pseudo_bytes for more than 1<<24 times to
trigger the reseed process, but I found RAND_Poll() still cannot be called in
the reseed process.
if (!initialized) {
RAND_poll();
initialized = 1;
}
the initialized cannot be c
In FIPS mode, the default entropy gathering is not performed. You, the user,
must supply all entropy to the module.
See section 6.1.1 of the OpenSSL FIPS User Guide
(https://www.openssl.org/docs/fips/UserGuide-2.0.pdf).
Pauli
--
Oracle
Dr Paul Dale | Cryptographer | Network Security
Hello,
We have a custom hardware system running Linux Debian OS having openssl
1.0.2l compiled with FIPS module 2.0. We are trying for FIPS 140-2
certification.
By default it looks like openssl RAND_poll() uses /dev/urandom for entropy.
We are told this may not be acceptable for FIPS 140-2 Level
Noticing that my earlier attempts to compile Apache were not FIPS compliant,
I set off to correct my error. I found the wiki, that provides the steps
for building Apache with FIPS. Every time that it attempts to compile the
SSL module, it dies.
"mod_ssl.c", line 41: warning: sy
On Friday, 7 September 2018 20:18:38 CEST Alessandro Gherardi wrote:
> I'm running Windows 10.
> I downloaded the FIPS module sources
> from https://www.openssl.org/source/openssl-fips-2.0.16.tar.gz and the
> OpenSSL sources from https://www.openssl.org/source/openssl-1.0.2p.t
On Friday, 7 September 2018 16:18:48 CEST Alessandro Gherardi wrote:
> Thank you for your reply.
> Looking at the OpenSSL FIPS Security
> Policy https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-valid
> ation-program/documents/security-policies/140sp1747.pdf, I see t
On Thursday, 6 September 2018 04:18:38 CEST Alessandro Gherardi via openssl-
users wrote:
> I have a question: On Windows, should OpenSSL FIPS automatically enable FIPS
> mode (FIPS_mode_set(1)) if the FIPS registry
> entry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Fips
201 - 300 of 2862 matches