upgrading openssl 0.9.8b to openssl-fips-1.1.1

upgrading openssl 0.9.8b to openssl-fips-1.1.1

by rabail javed

Hi,

I am upgrading openssl 0.9.8b to openssl-fips-1.1.1. For doing this I need to delete the previous version and install the newer version according to the instructions specified in http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp733.pdf

By default all the files (bin, include and lib) will be installed to /usr/local/. I don't want to install in these directories; I want to install in the existing directories used by the 0.9.8b version, which are different. I can change the installation directory using the ./config command and giving the prefix and openssl directory of my own choice. But according to "Appendix B" of the above document I cannot give any other configuration options. Could you please tell me the way to install the openssl-fips-1.1.1 version in the old directories used by openssl 0.9.8b?


--
Regards,
Rabail Javed

Telecommunications Software Designer
NORTEL NETWORKS CORPORATION
Canada
cell: 1-613-242-1316

RE: upgrading openssl 0.9.8b to openssl-fips-1.1.1

by Bill Colvin

Rabail: openssl-fips-1.1.1 is a 0.9.7 based version of openssl. Therefore, you will be downgrading your 0.9.8b version if you choose to do this.

Also, you should be using openssl-fips-1.1.2 now not openssl-fips-1.1.1 as it has fixed a minor problem with the earlier version. You may want to consider working with the snapshot version openssl-fips-test-1.2.0 which is the 0.9.8 based version that is currently undergoing FIPS examination.

With regard to the process, you have to first build the fips canisters as described in the docs. You then end up with the fips pieces in /usr/local.

Then you build a fips capable version of openssl to reside in the target directories of your choice. If you are using openssl-fips-1.1.1 then you would do this with openssl-0.9.7m

Bill

Re: upgrading openssl 0.9.8b to openssl-fips-1.1.1

by rabail javed

Thanks a lot Bill, but if I install openssl-fips-1.1.2, do I need 0.9.7m with it?


RE: upgrading openssl 0.9.8b to openssl-fips-1.1.1

by Bill Colvin

Rabail: In addition to the Security Policy http://www.openssl.org/docs/fips/SecurityPolicy-1.1.2.pdf take a look at section 4.2 of the User Guide http://www.openssl.org/docs/fips/UserGuide-1.1.1.pdf. In particular, in section 4.2.3, when it is talking about building a FIPS-capable OpenSSL, you use 0.9.7m at that point.

The steps you would use would go something like this:

cd /usr/src
tar -xvf openssl-fips-1.1.2.tar.gz
cd openssl-fips-1.1.2
./config fips
make
make install
cd ..
rm -rf openssl-fips-1.1.2

tar -xvf openssl-0.9.7m.tar.gz
cd openssl-0.9.7m
./config fips --openssldir=/etc/ssl --prefix=/usr zlib-dynamic <other options except shared>
make depend
make MANDIR=/usr/share/man
make MANDIR=/usr/share/man install

The "make depend" is only required if options selected during config require it. A message will appear at the end of the config if it is needed.

Bill


Re: upgrading openssl 0.9.8b to openssl-fips-1.1.1

by Dr. Stephen Henson

On Fri, Jul 18, 2008, rabail javed wrote:

> Hi Bill,
> I have installed the openssl-fips-test-1.2.0 using the following commands
>
> ./config fipscanisterbuild
> make
> make install
>
> and the library is installed in /usr/local/ssl, and I have generated
> the fipscanister.o, fipscanister.o.sha1, fips_premain.c,
> fips_premain.c.sha1, libcrypto.so
>
> Now I have downloaded openssl-0.9.8b-stable-SNAP but I am unable to compile
> it.
> I did
> ./config fips shared --with-fipslibdir=/usr/local/ssl/fips-1.0/lib/
> --prefix=/usr/openssl-0.9.8b-SNAP
>
> make depend
>
> but I am getting the error "make: *** No rule to make target `depend`. Stop"
>
> If I use make instead of make depend
> then it says "make: *** No targets specified and nomake file found. Stop."
>
> Could you please tell me how to compile it?
>

You can't: the 0.9.8 source tree is not (currently) FIPS capable. Instead you
need to use the fips test snapshots such as:

ftp://ftp.openssl.org/snapshot/openssl-0.9.8-fips-test-SNAP-20080718.tar.gz

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@...
Automated List Manager                           majordomo@...

Re: upgrading openssl 0.9.8b to openssl-fips-1.1.1

by rabail javed

Hi Bill,
I have installed the openssl-fips-test-1.2.0 using the following commands

./config fipscanisterbuild
make
make install

and the library is installed in /usr/local/ssl, and I have generated the fipscanister.o, fipscanister.o.sha1, fips_premain.c, fips_premain.c.sha1, libcrypto.so

Now I have downloaded openssl-0.9.8b-stable-SNAP but I am unable to compile it.
I did
./config fips shared --with-fipslibdir=/usr/local/ssl/fips-1.0/lib/ --prefix=/usr/openssl-0.9.8b-SNAP

make depend

but I am getting the error "make: *** No rule to make target `depend`. Stop"

If I use make instead of make depend
then it says "make: *** No targets specified and nomake file found. Stop."

Could you please tell me how to compile it?

Re: upgrading openssl 0.9.8b to openssl-fips-1.1.1

by rabail javed

Thanks a lot, it worked... but when I generated the HMAC-SHA-1 hash, it's different from the one given in the security policy document. Actually, I have installed the openssl-fips-test-1.2.0, and the security policy document "OPENSSL FIPS 140-2 Security Policy version 1.1.2" Appendix B shows the value of the HMAC-SHA1 digest for the fips module 1.1.2.

Could you please send me the HMAC-SHA-1 digest for the openssl-fips-test-1.2.0.tar.gz so that I could compare it with my HMAC-SHA-1 digest.

Thanks again.


Re: upgrading openssl 0.9.8b to openssl-fips-1.1.1

by wolfoftheair

The 1.2.0-test tarball IS NOT FIPS VALIDATED.  You cannot make a
FIPS-validated module from it.

When the 1.2.0 validation occurs, it will be announced here, the
certificate will be posted on the NIST's website, the full validated
tarball will be made available, and the certificate's Administration
and User manuals will be released, including the correct HMAC for the
validated tarball.

Until then, you have to wait -- just like everyone else.

This is likely a Nortel-internal political debate, so I'm going to
make it absolutely clear:  The module is not available at this time,
because it is still in the validation process.  If you have an
application that requires FIPS validation that is designed to link
with OpenSSL, you must wait to release it until the validated module
is released.

The 1.2.0-test tarball can be used to test the functionality of the
fully-validated 1.2.0 module, thus making it possible to build and
test and debug your application -- but the final FIPS-validated RTM
build cannot be built at this time.

We do not know how long it's going to take for the validation to
occur.  When it is complete and fully-validated, Steve Marquess of the
Open Source Software Institute will post the announcement here.

-Kyle H



Re: upgrading openssl 0.9.8b to openssl-fips-1.1.1

by Steve Marquess

Kyle Hamilton wrote:

> The 1.2.0-test tarball IS NOT FIPS VALIDATED.  You cannot make a
> FIPS-validated module from it.
>
> ...
>
> The 1.2.0-test tarball can be used to test the functionality of the
> fully-validated 1.2.0 module, thus making it possible to build and
> test and debug your application -- but the final FIPS-validated RTM
> build cannot be built at this time.
>
> We do not know how long it's going to take for the validation to
> occur.  When it is complete and fully-validated, Steve Marquess of the
> Open Source Software Institute will post the announcement here.
>
>  
Well put.

Based on my current reading of the tea leaves I'm guessing the v1.2
validation will likely be forthcoming in the next 2-3 weeks.  No
guarantees, though, I've been way wrong before.

Not only is the currently available openssl-fips-test-1.2.0.tar.gz
tarball not validated, it won't have the official final SHA-1 HMAC
digest because we've already made some (minor cosmetic) changes during
the course of the validation process.  For prior validations I've had to
make such changes at (almost literally) the last minute, so IMHO there
isn't any point in trying to continually update the test tarball.  It is
provided only for prospective testing and evaluation.

As Kyle noted you can with reasonable expectation of technical accuracy
use the test tarball now for functional testing and for rehearsal of the
build process to be used for production software.  But, you will need to
repeat that drill with the final One True Tarball *after* the validation
is formally awarded *before* you can represent the result as FIPS validated.

-Steve M.

--
Steve Marquess
Open Source Software institute
marquess@...
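
The check discussed in the last few messages (comparing a tarball's HMAC-SHA-1 digest with the value published in the Security Policy before building from it), sketched as an added shell example; it is not from the thread or from the OpenSSL project. The function names are hypothetical, the key and reference digest must come from the Security Policy of the validated release, and the self-check uses the RFC 2202 HMAC-SHA-1 test vector as constructed input.

```shell
#!/bin/sh
# Added example (not from the thread): gate a FIPS module build on the
# HMAC-SHA-1 digest of the source tarball. Function names are hypothetical.

# hmac_sha1_hex KEY FILE: print the HMAC-SHA-1 of FILE as lowercase hex.
hmac_sha1_hex() {
    # "openssl dgst" prints "HMAC-SHA1(file)= <hex>"; the digest is the last field.
    openssl dgst -sha1 -hmac "$1" "$2" | awk '{ print $NF }' | tr 'A-F' 'a-f'
}

# normalize_digest TEXT: drop the colons and spaces a copy-paste from a PDF
# tends to carry, and lowercase the hex so the comparison ignores formatting.
normalize_digest() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'A-F' 'a-f'
}

# verify_tarball KEY FILE EXPECTED
#   returns 0 = digest matches, 1 = mismatch, 2 = unusable input
verify_tarball() {
    vt_key=$1 vt_file=$2
    vt_expected=$(normalize_digest "$3")
    [ -r "$vt_file" ] || { echo "cannot read $vt_file" >&2; return 2; }
    # An HMAC-SHA-1 digest is exactly 40 hex characters; anything else is a
    # truncated or mistyped reference value, which is not the same as a mismatch.
    case $vt_expected in
        *[!0-9a-f]*) echo "expected digest is not hex" >&2; return 2 ;;
    esac
    [ "${#vt_expected}" -eq 40 ] || { echo "expected digest is not 40 hex chars" >&2; return 2; }
    vt_actual=$(hmac_sha1_hex "$vt_key" "$vt_file")
    [ "${#vt_actual}" -eq 40 ] || { echo "openssl produced no digest" >&2; return 2; }
    if [ "$vt_actual" = "$vt_expected" ]; then
        echo "OK       $vt_file"
        return 0
    fi
    # A test snapshot, a re-packed archive or a corrupted download all end here.
    echo "MISMATCH $vt_file" >&2
    echo "  expected $vt_expected" >&2
    echo "  actual   $vt_actual" >&2
    return 1
}

# selfcheck: constructed input, RFC 2202 HMAC-SHA-1 test case 2
# (key "Jefe", data "what do ya want for nothing?"), reference digest given
# in the colon-separated uppercase form to exercise normalize_digest.
selfcheck() {
    sc_tmp=$(mktemp) || return 2
    printf '%s' 'what do ya want for nothing?' > "$sc_tmp"
    verify_tarball Jefe "$sc_tmp" \
        'EF:FC:DF:6A:E5:EB:2F:A2:D2:74:16:D5:F1:84:DF:9C:25:9A:7C:79'
    sc_rc=$?
    rm -f "$sc_tmp"
    return "$sc_rc"
}

selfcheck >/dev/null && echo "self-check passed"
```

In a build script, call `verify_tarball` with the key and digest from the Security Policy before unpacking, and stop on any non-zero status.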
