n
>>>> Windows, which would mean you can't actually compile the FIPS
>>>> canister on
>>>> Windows and meet the security policy.
>>>>...
>
>> As documented in Appendix A of the Security Policy, for Windows the
>> required canonical b
On 19/04/2016 16:31, Steve Marquess wrote:
On 04/19/2016 09:16 AM, Jakob Bohm wrote:
On 19/04/2016 13:44, Leaky wrote:
Thanks, but I am still scratching my head as to if that is even
possible on
Windows, which would mean you can't actually compile the FIPS canister on
Windows and meet
e ways to accomplish each step (such as unzipping
>>> the tarball). You are also specifically required to begin with the
>>> official tarball. Per the Security Policy, you *must* do:
>>>
>>> gunzip -c openssl-fips-2.0.12.tar.gz | tar xf -
>>>
>>> and
required to begin with the
official tarball. Per the Security Policy, you *must* do:
gunzip -c openssl-fips-2.0.12.tar.gz | tar xf -
and *not* any functionally equivalent alternative such as:
tar -zxf openssl-fips-2.0.12.tar.gz
Thanks, but I am still scratching my head as to if that is even
red to begin with the
> official tarball. Per the Security Policy, you *must* do:
>
> gunzip -c openssl-fips-2.0.12.tar.gz | tar xf -
>
> and *not* any functionally equivalent alternative such as:
>
>tar -zxf openssl-fips-2.0.12.tar.gz
>
Thanks, but I am still scratching my
On 04/18/2016 08:25 PM, Jakob Bohm wrote:
> On 19/04/2016 01:51, Steve Marquess wrote:
>> On 04/18/2016 04:05 PM, Leaky wrote:
>>>>> plus you're constrained by the
>>>>> requirements of the Security Policy to build the module with precisely
>>>>&
On 19/04/2016 01:51, Steve Marquess wrote:
On 04/18/2016 04:05 PM, Leaky wrote:
plus you're constrained by the
requirements of the Security Policy to build the module with precisely
the commands:
gunzip -c openssl-fips-2.0.12.tar.gz | tar xvf -
cd openssl-fips-2.0.12
./config
make
On 04/18/2016 04:05 PM, Leaky wrote:
>>> plus you're constrained by the
>>> requirements of the Security Policy to build the module with precisely
>>> the commands:
>>>
>>> gunzip -c openssl-fips-2.0.12.tar.gz | tar xvf -
>>> cd openssl-f
>> plus you're constrained by the
>> requirements of the Security Policy to build the module with precisely
>> the commands:
>>
>> gunzip -c openssl-fips-2.0.12.tar.gz | tar xvf -
>> cd openssl-fips-2.0.12
>> ./config
>> make
Silly quest
On 04/18/2016 11:01 AM, Tristan Leask wrote:
> Hi All,
>
> I am currently trying to setup an automated build process for a
> cloned copy of the code. ...
>
> In the link mentioned, it is talked about modifying the perl script
> to change how STDOUT works, however when you a
pe to disk fast
enough before the ml compiler tries to pick the ASM file up.
In the link mentioned, it is talked about modifying the perl script to change
how STDOUT works, however when you are compiling FIPS you aren't meant to
modify the code shipped in the tarball, so how does one w
Hi,
I'm trying to dig through a problem where building the FIPS capable version
of OpenSSL-1.0.1r is not generating the correct code.
I have done the following:
Created the fips canister according to the instructions in the User Guide, and
installed it.
Then in the openssl source, I use
If you neither know nor care what FIPS 140-2 is, this is your lucky day.
Avert your eyes and move on, nothing to see here.
The entry for the ancestral OpenSSL FIPS Object Module v2.0 validation,
#1747, on the NIST CMVP web site appears to be the victim of some sort
of clerical error:
http
All,
Apologies in advance if this is the wrong mailing list to send this to.
Looking for some guidance on correctly setting the openSSL cipherstring for TLS
operation in FIPS mode.
The openSSL wiki page "FIPS mode and TLS" and the cipherstring configuration
for openSSL appear
I have a question on compiling Openssl-fips object module as 64 bit static
library in win 8.1.
I am using following versions of source and compile instruction.
openssl-fips-2.0.12
1. cd openssl-fips-2.0.12
2. SET FIPSDIR=C:\tools\fips\opensslfips
3. ms\do_fips no-asm
This turns out the build
Hello,
Does OpenSSL allows TLS 1.0 when running in FIPS mode ?
Thanks.
--
View this message in context:
http://openssl.6102.n7.nabble.com/TLS-1-0-in-FIPS-mode-tp65343.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
--
openssl-users mailing list
To unsubscribe: https
Thank you very much, Viktor. It works.
Regards,
Aaron
--
View this message in context:
http://openssl.6102.n7.nabble.com/OpenSSL-FIPS-test-failure-starting-from-version-1-0-2g-tp65320p65325.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
--
openssl-users mailing list
> On Mar 28, 2016, at 10:24 PM, Aaron <wang...@alumni.nus.edu.sg> wrote:
>
> It is very stratforward to repro the issue. Take platform linux_x86-64 as an
> example, the repro steps are as follows.
>
> cd openssl-1.0.2g
> make clean
> ./Configure no-idea no
no-idea no-mdc2 no-rc5 no-ec2m fips -m64 no-asm linux-x86_64
make depend
make
make test<--- Hit the issue here.
Error message:
test SSL protocol
test ssl3 is forbidden in FIPS mode
*** IN FIPS MODE ***
Available compression methods:
NONE
46912496310224:error:140A9129:
; I'll check on that. Certainly no engines
>
> I can check back in the dump and see where we are in the code in each method
> call
>
What would be useful is tracing what happens in EVP_DigestInit_ex() during
the X509_digest() call. For example does it detect FIPS mode properly and if
in the dump and see where we are in the code in each method
call
Sent from my iPhone
> On Mar 26, 2016, at 5:30 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
>
>> On Thu, Mar 24, 2016, Glen Matthews wrote:
>>
>> Hi
>>
>> Yes it's a standard build. FIPS 2.
On Thu, Mar 24, 2016, Glen Matthews wrote:
> Hi
>
> Yes it's a standard build. FIPS 2.0 with openssl 1.0.2g - I took a dump when
> the dialog box was displayed, and that's how I got the call stack.
>
> if (x->ex_flags & EXFLAG_SET)
> retu
When FIPS is enabled: missed that. We enable it when we load the modules -
we're in a mode where we only have the FIPS libraries installed, and when we
load them, we enable FIPS. In searching for a temporary work-around, I put
different code at that place in x509v3_cache_extensions
Hi
Yes it's a standard build. FIPS 2.0 with openssl 1.0.2g - I took a dump when
the dialog box was displayed, and that's how I got the call stack.
if (x->ex_flags & EXFLAG_SET)
return;
#ifndef OPENSSL_NO_SHA
X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
#endif
I
ve been reading, the code should not be calling with EVP_sha1().
>
Is this a standard OpenSSL build or has it been modified in some way?
At what point do you enter FIPS mode?
The above call should be routed through to the SHA1 implementation in the
validated module. It's not clear why not at this point.
Steve.
--
rrell
Sent: Wednesday, March 23, 2016 3:48 PM
To: openssl-users@openssl.org
Cc: openssl-...@openssl.org
Subject: Re: [openssl-dev] Low level API call to digest SHA1 forbidden in FIPS
mode - within openssl code
This is a question about using the OpenSSL libraries; should be in
openssl-use
(128):
OpenSSL internal error, assertion failed: Low level API call to digest
SHA1 forbidden in FIPS mode!
I notice the assertion message mentions a header from what looks like a
1.0.2f tree, but the references below are all to a 1.0.2g tree. I've no
idea if this is relevant to the problem
he answer to that mostly concerns the historical origins of the OpenSSL
FIPS Object Module. The text you are quoting dates from the time we were
beginning work on the most recent module (which is now confusingly
covered by three validations, #1747, #2398, #2473).
As the only source code based module -- on
https://www.openssl.org/docs/fipsnotes.html mentions the following:
As a result of the POST performance issue we revisited the KAT (Known
Answer Test) requirements in the POST process that were burning up most of
those cycle. In consultation with a CMVP test lab we determined that it
I'm building today's 1.0.1s release with FIPS 2.0.8 and "make test" is failing
at the test_ssl step, it correctly says "test ssl3 is forbidden in FIPS mode"
but then stops testing with the output
47323521796064:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in
Building today's 1.0.1s release with FIPS 2.0.8 failed tests for me at the
test_ssl step with a not-surprising "test ssl2 is forbidden in FIPS mode".
Tests ran fine for 1.0.1r a couple of weeks ago.
Is there a simple way for me to fix this?
Andrew
--
openssl-users mailing list
To u
As always, if you don't know or care what FIPS 140-2 is then rejoice at
your good fortune and move on.
The "red letter" message for the #1747 validation listing noted in my
E-mail last Monday was confirmed as an error by the CMVP and has now
been removed from the web site entr
On Wed, Feb 24, 2016, Neptune wrote:
> Using:
> FIPS Object Module 2.0.9
> OpenSSL 1.0.1l
>
> When I call RSA_generate_key:
> if (rsa = RSA_generate_key(keySize, RSA_F4, NULL, NULL))
>
> I get the following error string:
> (OPENSSL error:04081078:rsa routines:RSA_
Using:
FIPS Object Module 2.0.9
OpenSSL 1.0.1l
When I call RSA_generate_key:
if (rsa = RSA_generate_key(keySize, RSA_F4, NULL, NULL))
I get the following error string:
(OPENSSL error:04081078:rsa routines:RSA_BUILTIN_KEYGEN:key size too small)
As I understand, RSA Key size must be 2048
As always, if you don't know or care what FIPS 140-2 is then rejoice at
your good fortune and move on.
I'm getting queries about "red letter" text in the listing of the #1747
validation on the NIT CMVP web site:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747
using the PKCS7_decrypt( )
> function. The error string is:
>
> OPENSSL error:21072077:PKCS7 routines:PKCS7_decrypt:decrypt error
>
> This only happens in FIPS mode so we suspect a weak cipher, but I'm unable
> to glean any specified error that would verify this suspicion. I was hoping
:PKCS7 routines:PKCS7_decrypt:decrypt error
This only happens in FIPS mode so we suspect a weak cipher, but I'm unable
to glean any specified error that would verify this suspicion. I was hoping
someone would be nice enough to inspect this file and verify if there is any
non-FIPS-iness. I don'
My problem was solved by adding -Wl,-Bsymbolic to the list of compiler
flags. I found this from an old post on this mailing list. It's still not
clear why this flag is needed though.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
ere anything else
> that I may be missing? The Wiki page covers building executables, but I
> didn???t think there was much difference between the two.
>
What commands are you using to build the FIPS module, OpenSSL and to link your
application?
Steve.
--
Dr Stephen N. Henson. OpenSSL
-FIPS-OpenSSL-to-shared-library-application-tp63763p63770.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Hello,
I’m trying to statically link OpenSSL to my C++ shared library application
on Linux. I’ve followed the instructions outlined in the Fipsld and C++
Wiki page and everything builds fine. However I’m getting a fingerprint
mismatch when calling FIPS_mode_set. If I change my shared library to
On 2/12/2016 2:03 PM, Steve Marquess wrote:
> On 02/12/2016 04:26 PM, Kyle Hamilton wrote:
>> I'm not seeing anything about openssl-fips-2.0.11 in
>> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747
>> , so I'm not quite certain what its validati
On 02/13/2016 04:58 AM, Kyle Hamilton wrote:
>
> On 2/12/2016 2:03 PM, Steve Marquess wrote:
>> On 02/12/2016 04:26 PM, Kyle Hamilton wrote:
>>> I'm not seeing anything about openssl-fips-2.0.11 in
>>> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.h
I'm not seeing anything about openssl-fips-2.0.11 in
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747
, so I'm not quite certain what its validation/certificate status is?
Also, is a new Security Policy in the works integrating the new HMAC
digests for the new versions
On 02/12/2016 04:26 PM, Kyle Hamilton wrote:
> I'm not seeing anything about openssl-fips-2.0.11 in
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747
> , so I'm not quite certain what its validation/certificate status is?
Ok, this is complex, insanely so.
The
On 12/02/2016 03:45, cloud force wrote:
Hi,
I built the FIPS capable OpenSSL library on Ubuntu 12.04.
When I run the command "OPENSSL_FIPS=1 openssl ciphers", I saw the
following error:
140073969415840:error:2D06B06F:FIPS
routines:FIPS_check_incore_fingerprint:finger
Hi Jakob,
This is the most severe FIPS error code, it means one of
> 3 things:
>
> 1. (official reason for this error code): Someone illegally
> modified the FIPS validated crypto code after it was
> compiled, do not use this computer until the cause has
> been thoro
Hi,
I built the FIPS capable OpenSSL library on Ubuntu 12.04.
When I run the command "OPENSSL_FIPS=1 openssl ciphers", I saw the
following error:
140073969415840:error:2D06B06F:FIPS
routines:FIPS_check_incore_fingerprint:fingerprint
does not match:fips.c:232:
I tried few other openss
I think you can run 'OPENSSL_FIPS=1 openssl ciphers -v'. I believe that if,
FIPS is compiled in properly you should get output. Otherwise an error
should occur.
On Wed, Feb 10, 2016 at 1:41 PM, cloud force <cloud.force...@gmail.com>
wrote:
> Hi everyone,
>
> I built and ins
Hi everyone,
I built and installed the FIPS capable OpenSSL lib on my system, and I was
wondering what's the easiest way to find out whether my OpenSSL is really
FIPS capable or not.
e.g. is there any way to run some openssl commands to find out, such as
"openssl ciphers -v", and w
On 02/10/2016 02:56 PM, Lesley Kimmel wrote:
> Actuall, I may have steered you wrong. It appears that OPENSSL_FIPS may
> have no affect against a non-FIPS enabled OpenSSL. According to some
> posts you can do 'OPENSSL_FIPS=1 openssl md5' which should return an
> error as md5 is no
Thanks Lesley and Steve for the answers.
Rich
On Wed, Feb 10, 2016 at 12:02 PM, Steve Marquess <marqu...@openssl.com>
wrote:
> On 02/10/2016 02:56 PM, Lesley Kimmel wrote:
> > Actuall, I may have steered you wrong. It appears that OPENSSL_FIPS may
> > have no affect again
Actuall, I may have steered you wrong. It appears that OPENSSL_FIPS may
have no affect against a non-FIPS enabled OpenSSL. According to some posts
you can do 'OPENSSL_FIPS=1 openssl md5' which should return an error as md5
is not an enabled cipher in FIPS mode.
On Wed, Feb 10, 2016 at 1:49 PM
Some good news for a change, but if you neither know nor care what FIPS
120-2 is you're not missing anything.
The final "X9.31 RNG transition" change letter update for the third
validation (#2398) of the OpenSSL FIPS Object Module v2.0 trilogy
(#1747/#2398/#2747) was approved
On 02/09/2016 03:19 PM, cloud force wrote:
> Hello everyone,
>
> Would the FIPS Object Module v2.0 supposed to only work with the vanilla
> openssl library? If I apply the security patches to the openssl library,
> should the FIPS Object Module v2.0 still work without problems?
Y
On 02/08/2016 10:11 PM, Yang Hong wrote:
> Hello Steve.
>
> Thank you very much for your quick response.
>
> I have tried different approaches to build FIPS module, according to the
> testing instructions of iOS 7.1 and iOS 8.1. Unfortunately I failed for
> all the FIPS
On 2/9/2016 12:29 PM, Steve Marquess wrote:
> On 02/09/2016 03:19 PM, cloud force wrote:
>> Hello everyone,
>>
>> Would the FIPS Object Module v2.0 supposed to only work with the vanilla
>> openssl library? If I apply the security patches to the openssl library,
>&
Hello everyone,
Would the FIPS Object Module v2.0 supposed to only work with the vanilla
openssl library? If I apply the security patches to the openssl library,
should the FIPS Object Module v2.0 still work without problems?
Thanks,
Rich
--
openssl-users mailing list
To unsubscribe: https
Hello Steve.
Thank you very much for your quick response.
I have tried different approaches to build FIPS module, according to the
testing instructions of iOS 7.1 and iOS 8.1. Unfortunately I failed for all
the FIPS packages for iOS >= 7, i.e., openssl-fips-2.0.8.tar,
openssl-fips-2.0.9.
I'm getting private queries about the status of the OpenSSL FIPS Object
Module v2.0 (the "OpenSSL FIPS module") which I'll answer here for everyone.
As always, if you don't know or care what I'm talking about then run for
high ground lest you trip and fall down the rabbit hole...
T
On 02/04/2016 05:31 PM, Steve Marquess wrote:
> On 02/04/2016 03:19 PM, Yang Hong wrote:
>> Hello folks.
>>
>>
>> I follow the latest User Guide 2.0 to build iOS the FIPS Object Module
>> and FIPS Capable library for iOS devices (*/E.2 Apple iOS Supp
On 02/04/2016 03:19 PM, Yang Hong wrote:
> Hello folks.
>
>
> I follow the latest User Guide 2.0 to build iOS the FIPS Object Module
> and FIPS Capable library for iOS devices (*/E.2 Apple iOS Support /*page
> 131)
>
>
> https://www.openssl.org/docs/fips/UserGuid
All;
I'm working with PosgreSQL in a DoD environment and am supposed to enforce
FIPS operation. PostgreSQL doesn't perform a call to FIP_mode_set() but
does provide a configuration item 'ssl_ciphers'. Is there more to FIPS_mode
than I am aware of or would it be functionally equivalent to simply
On Thu, Feb 04, 2016, Thomas Francis, Jr. wrote:
>
> AFAIK, you could limit it to the appropriate cipher suites, but be aware
> that FIPS 140 is all about proving that only certain known and tested
> [implementations of] algorithms are used. It???s unlikely that another
> ver
On 02/04/2016 10:13 AM, Lesley Kimmel wrote:
> All;
>
> I'm working with PosgreSQL in a DoD environment and am supposed to
> enforce FIPS operation. PostgreSQL doesn't perform a call to
> FIP_mode_set() but does provide a configuration item 'ssl_ciphers'. Is
> there more to F
> On Feb 4, 2016, at 10:13 AM, Lesley Kimmel <lesley.j.kim...@gmail.com> wrote:
>
> All;
>
> I'm working with PosgreSQL in a DoD environment and am supposed to enforce
> FIPS operation. PostgreSQL doesn't perform a call to FIP_mode_set() but does
> provide a conf
s Francis, Jr. wrote:
>
> >
> > AFAIK, you could limit it to the appropriate cipher suites, but be aware
> > that FIPS 140 is all about proving that only certain known and tested
> > [implementations of] algorithms are used. It???s unlikely that another
> > ver
Hello folks.
I follow the latest User Guide 2.0 to build iOS the FIPS Object Module and
FIPS Capable library for iOS devices (*E.2 Apple iOS Support *page 131)
https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
I got two errors below
On 02/02/2016 20:03, Dr. Stephen Henson wrote:
On Tue, Feb 02, 2016, Neptune wrote:
FIPS Object Module 2.0.9
OpenSSL 1.0.1l
Platform: Win32
I am attempting to statically link a FIPS-capable library into a .dll. The
.dll is built without errors and by viewing the .dll in a hex editor I can
see
On Tue, Feb 02, 2016, Neptune wrote:
> FIPS Object Module 2.0.9
> OpenSSL 1.0.1l
> Platform: Win32
>
> I am attempting to statically link a FIPS-capable library into a .dll. The
> .dll is built without errors and by viewing the .dll in a hex editor I can
> see the cor
FIPS Object Module 2.0.9
OpenSSL 1.0.1l
Platform: Win32
I am attempting to statically link a FIPS-capable library into a .dll. The
.dll is built without errors and by viewing the .dll in a hex editor I can
see the correct HMAC is embedded within and correct, but the self test is
failing
an address
that is very unlikely to be used.
Is there a strategy that the folks here employ to avoid address clashes?
Thanks,
Paul
--
View this message in context:
http://openssl.6102.n7.nabble.com/FIPS-Static-Library-linked-into-Win32-Dll-builds-but-fails-self-test-tp63011p63018.html
Sent from
Thanks Steve.
I think the way to use OPENSSL_config() and openssl.conf to enable FIPS
mode basically still requires each application to explicitly invoke
OPENSSL_config() API in order to truly enable the FIPS mode, is that
correct?
If that's the case, then basically there's no way to really
Hi All:
Based on the OpenSSL FIPS user guide, the FIPS_mode_set API from the
OpenSSL FIPS modules run a the necessary self-tests.
I was wondering does the OPENSSL_config() API also run the self-tests?
Your suggestions are greatly appreciated.
Thanks.
On Mon, Feb 1, 2016 at 1:37 PM, security
On Tue, Feb 02, 2016, security veteran wrote:
> Hi All:
>
> Based on the OpenSSL FIPS user guide, the FIPS_mode_set API from the
> OpenSSL FIPS modules run a the necessary self-tests.
>
> I was wondering does the OPENSSL_config() API also run the self-tests?
>
Short
Thanks Steve.
I think the way to use OPENSSL_config() and openssl.conf basically still
requires each application to explicitly invoke OPENSSL_config() API in
order to truly enable the FIPS mode, is that correct?
If that's the case, then basically there's no way to really globally enable
the FIPS
Hi All:
Based on the OpenSSL FIPS user guide, the FIPS_mode_set API from the
OpenSSL FIPS modules run a the necessary self-tests.
I was wondering does the OPENSSL_config() API also run the self-tests?
Thanks.
___
openssl-users mailing list
On 01/28/2016 07:11 PM, security veteran wrote:
> Hi All:
>
> Is there a way to enable FIPS mode globally, instead of having to
> explicitly invoke the FIPS_mode_set() API from each application, for
> enabling the FIPS mode?
>
> ...
Kinda-sorta, via OPENSSL_config()
Hi All:
Is there a way to enable FIPS mode globally, instead of having to
explicitly invoke the FIPS_mode_set() API from each application, for
enabling the FIPS mode?
The reason I ask is, it will be much easier to enable FIPS mode if there're
many applications which rely on OpenSSL for crypto
Hi everyone,
If I have a HTTPS client and server both using OpenSSL with FIPS modules,
and supporting both FIPS and non-FIPS mode, will the SSL server and client
keys and certificates need to be changed between operating on FIPS and
non-FIPS mode?
Thanks,
Rich
> Does OpenSSL FIPS modules keep all the OpenSSL APIs intact?
No. For example, only the EVP interface to crypto.
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Hi everyone,
Does OpenSSL FIPS modules keep all the OpenSSL APIs intact?
i.e. If we use the OpenSSL FIPS modules, we don't need to make any API
invocation changes on our applications side (in addition to invoking the
FIPS_mode_set API). Is that correct?
Thanks,
Rich
On 01/27/2016 05:33 PM, cloud force wrote:
> Hi everyone,
>
> Does OpenSSL FIPS modules keep all the OpenSSL APIs intact?
> i.e. If we use the OpenSSL FIPS modules, we don't need to make any API
> invocation changes on our applications side (in addition to invoking the
>
openssl.com/> (2473). Does that mean that we
> now have a FIPS compliant Open SSL again?**
You missed my post yesterday:
https://mta.openssl.org/pipermail/openssl-users/2016-January/002858.html
Note it's not a simple yes/no kind of answer.
-Steve M.
--
Steve Marquess
OpenSSL S
on the certification or these libraries can now be used on any
OS.
Regards,
Imran
-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Jakob Bohm
Sent: 27 January 2016 15:54
To: openssl-users@openssl.org
Subject: Re: [openssl-users] FIPS Certification
Windows 2012 R2 and Windows
> 10. Does this have any impact on the certification or these libraries
> can now be used on any OS.
That's actually a rather tricky question.
First off, the one OpenSSL FIPS module (for a significant overlap of
revisions) is covered by three validations; #1
All,
Looking at the website
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
There is a new date of 01/25/2016 under Validation against OpenSSL Software
Foundation<http://openssl.com/> (2473). Does that mean that we now have a FIPS
compliant Open SSL again?
Regards,
On 27/01/2016 16:24, Imran Ali wrote:
All,
Looking at the website
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
There is a new date of 01/25/2016 under Validation against OpenSSL
Software Foundation <http://openssl.com/> (2473). Does that mean that
we now have
>Everybody else is better off not trying to use FIPS-restricted modes and
>setups.
Strongly agree!!
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
/ms724832(v=vs.85).aspx
Regards,
Imran
-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Steve Marquess
Sent: 27 January 2016 16:55
To: openssl-users@openssl.org
Subject: Re: [openssl-users] FIPS Certification
On 01/27/2016 11:34 AM, Imran Ali wrote
On 01/27/2016 11:54 AM, Jakob Bohm wrote:
> The unfortunate people who are legally required to use
> FIPS-validated crypto are legally restricted to use
> *only* the crypto sw/hw on the FIPS validated list and
> *only* in the specific configurations (OS etc.) listed
> for each on t
R2
>
> https://msdn.microsoft.com/en-gb/library/windows/desktop/ms724832(v=vs.85).aspx
"Windows 2012 R2" and "Windows 7" are different OEs in FIPS-land. The
CMVP goes by nominal OS branding and doesn't pay any attention to the
actual underlying software. For instance, if
If you don't know or care what FIPS 140-2 is then bail out now. Here be
dragons.
The CMVP has approved the mandated "X9.31 RNG transition"[1] update for
two-thirds of the OpenSSL FIPS Object Module v2.0. That "transition"
consists of editorial changes to the Security Policy
Hi All,
What type of license does OpenSSL FIPS modules have? Is it the same as the
OpenSSL license, or is it a different license?
Thanks.
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
On 01/22/2016 04:28 PM, security veteran wrote:
> Hi All,
>
> What type of license does OpenSSL FIPS modules have? Is it the same as
> the OpenSSL license, or is it a different license?
>
> Thanks.
Same license.
-Steve M.
--
Steve Marquess
OpenSSL Software Foundation
1829
-users] Apache (2.x) server and OpenSSL FIPS modules
Hi,
We will be using OpenSSL FIPS modules on our Linux server and was wondering if
we need to do any work on the Apache server in order to make it working
seamlessly with OpenSSL when the FIPS mode is enabled.
My questions are:
1) How to make
On 01/20/2016 05:07 PM, Imran Ali wrote:
> Hi Steve,
>
>
>
> Is there any update on the submissions for the OpenSSL FIPS Object
> Module v2.0, validation(s) #1747/#2398/#2474
>
Still waiting on the CMVP. The paperwork for all three validations was
submitted on December 2
Hi Steve,
Is there any update on the submissions for the OpenSSL FIPS Object Module v2.0,
validation(s) #1747/#2398/#2474
Regards,
Imran
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
On 01/20/2016 02:00 AM, cloud force wrote:
> Hi everyone,
>
> From the openssl tips doc it said the power-on self-tests need to be run
> when the system comes up.
>
> If I have multiple applications which uses the openssl crypto functions
> (under fips mode), does each of
Hi,
I am trying to build a system with both the non-FIPS OpenSSL and the
OpenSSL with FIPS modules, and was wondering does OpenSSL FIPS modules
actually only affect libcrypto.so?
Thanks.
___
openssl-users mailing list
To unsubscribe: https
501 - 600 of 2806 matches
Mail list logo