[openssl-users] Enforcing FIPS via Cipher Suites Declaration

Steve Marquess marquess at openssl.com
Thu Feb 4 16:29:05 UTC 2016


On 02/04/2016 10:13 AM, Lesley Kimmel wrote:
> All;
> 
> I'm working with PostgreSQL in a DoD environment and am supposed to
> enforce FIPS operation. PostgreSQL doesn't perform a call to
> FIPS_mode_set() but does provide a configuration item 'ssl_ciphers'. Is
> there more to FIPS_mode than I am aware of or would it be functionally
> equivalent to simply set my ciphers to something like 'FIPS:!aNULL:!eNULL'?
> 
> As a semi-related question, would a non-FIPS OpenSSL installation still
> enforce the same cipher suites but just not be 'officially' validated?

Yes, there's a whole lot more to "FIPS 140-2 validated" than just choice
of algorithms/ciphers. There is "magical pixie dust" that won't make
much sense from a pure software engineering perspective. You can find
lots of info online; the Wikipedia article is as good a place as any to
start. Also note the OpenSSL FIPS User Guide,
https://openssl.org/docs/fips/SecurityPolicy-2.0.pdf.

-Steve M.

-- 
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
