<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Try the query string: "?provider=myprov". This will prefer your
provider over other implementations.<br>
<br>
<br>
Pauli<br>
<br>
<div class="moz-cite-prefix">On 2/2/23 08:29, Afshin Pir wrote:<br>
</div>
<blockquote type="cite"
cite="mid:SY2PR01MB27784B550C7DFCB58791AE3694D19@SY2PR01MB2778.ausprd01.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal">Hi<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Let’s assume that I have a custom provider
that supports only RSA signature/verification and I want to
use it in an SSL/TLS connection. But since SSL/TLS needs other
cryptography operations such as symmetric encryption/decryption
and key exchange too, I want to fall back on the FIPS (or default)
module for these operations.<o:p></o:p></p>
<p class="MsoNormal">I have used a code like this to load my
provider and fall-back provider and connect them to SSL
context:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">lib = OSSL_LIB_CTX_new();<o:p></o:p></p>
<p class="MsoNormal">defctxnull = OSSL_PROVIDER_load(NULL,
"null");<o:p></o:p></p>
<p class="MsoNormal">OSSL_LIB_CTX_load_config(lib, "prov.cnf");<o:p></o:p></p>
<p class="MsoNormal">SSL_CTX *ctx = SSL_CTX_new_ex(lib, NULL,
method);<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">From the logs inside my provider, I have
noticed that my code works as I want. Signature is done by my
provider and the rest of the operations by my fall-back provider. But
the problem is that I don’t understand how the fetching of the
signature algorithm happens here. How is it guaranteed that my
provider’s signature/verification is used rather than the
signature/verification that is surely available in the fall-back
provider too? I cannot resolve it by query string because if I
use a query string like this:<o:p></o:p></p>
<p class="MsoNormal">SSL_CTX *ctx = SSL_CTX_new_ex(lib,
"provider=myprov", method);<o:p></o:p></p>
<p class="MsoNormal">OpenSSL will not match algorithms from the
fall-back module and since my provider does not implement
everything, I will not be able to use SSL/TLS.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Any idea how I can guarantee that only
signature/verification of SSL/TLS happens from my provider?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Best Regards,<o:p></o:p></p>
<p class="MsoNormal">Afshin<o:p></o:p></p>
</div>
</blockquote>
<br>
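The difference between the mandatory query in the question ("provider=myprov") and the optional one in the reply ("?provider=myprov"), as an added example that is not code from this thread or from OpenSSL: a simplified C model of property matching in which a failed mandatory clause rejects an implementation and satisfied optional clauses rank the rest. The store contents, the algorithm labels and the score/fetch helpers are constructed for illustration, and "default" stands in for the fall-back provider.

```c
/* Simplified model of property-query matching (illustration, not OpenSSL code). */
#include <stdio.h>
#include <string.h>

struct impl { const char *algorithm; const char *provider; };

/* Constructed store: myprov offers only RSA signatures; "default" stands in
 * for the fall-back provider and offers everything. */
static const struct impl store[] = {
    { "RSA-SIGN",    "default" },
    { "RSA-SIGN",    "myprov"  },
    { "AES-256-GCM", "default" },
    { "X25519",      "default" },
};

/* Score an implementation against a one-clause query "[?]provider=NAME":
 * -1 if a mandatory clause fails, else the count of optional clauses met. */
static int score(const struct impl *im, const char *query)
{
    int optional = (query[0] == '?');
    const char *eq = strchr(query, '=');
    if (eq == NULL) return 0;               /* empty query matches everything */
    if (strcmp(im->provider, eq + 1) == 0) return optional ? 1 : 0;
    return optional ? 0 : -1;
}

/* Provider chosen for `algorithm`, or NULL when nothing matches.
 * myprov_loaded == 0 models myprov failing to load. Ties keep the first entry. */
const char *fetch(const char *algorithm, const char *query, int myprov_loaded)
{
    const struct impl *best = NULL;
    int best_score = -1;
    for (size_t i = 0; i < sizeof(store) / sizeof(store[0]); i++) {
        if (strcmp(store[i].algorithm, algorithm) != 0) continue;
        if (!myprov_loaded && strcmp(store[i].provider, "myprov") == 0) continue;
        int s = score(&store[i], query);
        if (s > best_score) { best_score = s; best = &store[i]; }
    }
    return best ? best->provider : NULL;
}

int main(void)
{
    const char *q[] = { "provider=myprov", "?provider=myprov" };
    for (int i = 0; i < 2; i++) {
        const char *c = fetch("AES-256-GCM", q[i], 1);
        printf("%-18s sig=%s cipher=%s\n", q[i], fetch("RSA-SIGN", q[i], 1), c ? c : "(none)");
    }
    return 0;
}
```

With the optional form, a myprov that fails to load leaves RSA signatures on the fall-back provider with no error. In a real application, EVP_SIGNATURE_get0_provider() together with OSSL_PROVIDER_get0_name() on a fetched signature reports which provider was selected.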
</body>
</html>