<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=windows-1252">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 01/15/2015 05:52 AM, Marcus Meissner wrote:<br>
<span style="white-space: pre;">> On Thu, Jan 15, 2015 at
05:46:22AM -0500, <a class="moz-txt-link-abbreviated" href="mailto:jonetsu@teksavvy.com">jonetsu@teksavvy.com</a><br>
> wrote:<br>
>> On Tue, 13 Jan 2015 21:33:49 -0500 <a class="moz-txt-link-rfc2396E" href="mailto:jonetsu@teksavvy.com">"jonetsu@teksavvy.com"</a><br>
>> <a class="moz-txt-link-rfc2396E" href="mailto:jonetsu@teksavvy.com">&lt;jonetsu@teksavvy.com&gt;</a> wrote:<br>
>> <br>
>>> So basically every app that uses libssl will have to
be modified<br>
>>> to add a FIPS_mode_set() call near the beginning. Is
that right<br>
>>> ?<br>
>> <br>
>> Is there a way to automatically have the FIPS test
executed when<br>
>> an application loads the library, w/o the application
being<br>
>> modified ? Is such a way used at all ?<br>
> <br>
> This is actually mandated these days.</span><br>
<br>
For *new* validations only; older modules (such as #1747) validated<br>
before the new I.G. 9.10 interpretation remain valid.<br>
<br>
You can find an old but still relevant discussion here:<br>
<br>
<a class="moz-txt-link-freetext" href="http://openssl.com/fips/ig95.html">http://openssl.com/fips/ig95.html</a><br>
<br>
<span style="white-space: pre;">> On Linux usually triggered by
/proc/sys/crypto/fips_enabled<br>
> containing "1" or the environment variable
OPENSSL_FORCE_FIPS_MODE=1<br>
> (at least for the certs done by SUSE and Red Hat, which do not
use the<br>
> container blob).</span><br>
<br>
That is (presumably) true for the proprietary RH and SUSE distros;
not<br>
so for the open source based OpenSSL FIPS Object Module or other
Linux<br>
distros.<br>
<br>
-Steve M.<br>
<br>
-- <br>
Steve Marquess<br>
OpenSSL Software Foundation, Inc.<br>
1829 Mount Ephraim Road<br>
Adamstown, MD 21710<br>
USA<br>
+1 877 673 6775 s/b<br>
+1 301 874 2571 direct<br>
<a class="moz-txt-link-abbreviated" href="mailto:marquess@opensslfoundation.com">marquess@opensslfoundation.com</a><br>
<a class="moz-txt-link-abbreviated" href="mailto:marquess@openssl.com">marquess@openssl.com</a><br>
gpg/pgp key: <a class="moz-txt-link-freetext" href="http://openssl.com/docs/0x6D1892F5.asc">http://openssl.com/docs/0x6D1892F5.asc</a><br>
<br>
<br>
<br>
<br>
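The two triggers named in the quoted text above (/proc/sys/crypto/fips_enabled containing "1" and OPENSSL_FORCE_FIPS_MODE=1), as an added example that is not part of the original thread and is not OpenSSL's or any distribution's code. It reports which trigger, if any, is present on a host; the function names and the rule that only the exact value "1" counts are assumptions made for this sketch.<br>

```c
/* Added example: audit which FIPS auto-enable trigger is present.
 * Not OpenSSL or distro code; names below are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIPS_PROC_PATH "/proc/sys/crypto/fips_enabled"
#define FIPS_ENV_NAME  "OPENSSL_FORCE_FIPS_MODE"

enum fips_trigger { FIPS_NONE = 0, FIPS_BY_KERNEL = 1, FIPS_BY_ENV = 2 };

/* Returns 1 if the file holds exactly "1" (optionally newline-terminated).
 * A missing or unreadable file counts as "not enabled". */
static int flag_file_is_one(const char *path)
{
    char buf[8] = {0};
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return 0;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    return n >= 1 && buf[0] == '1' && (n == 1 || buf[1] == '\n');
}

/* Assumption: only the exact value "1", as written in the thread, counts. */
static int env_is_one(const char *value)
{
    return value != NULL && strcmp(value, "1") == 0;
}

/* Bitmask of triggers present. Path and value are parameters so the
 * decision can be checked without touching real host state. */
int fips_triggers(const char *path, const char *env_value)
{
    int t = FIPS_NONE;
    if (flag_file_is_one(path))
        t |= FIPS_BY_KERNEL;
    if (env_is_one(env_value))
        t |= FIPS_BY_ENV;
    return t;
}

int main(void)
{
    int t = fips_triggers(FIPS_PROC_PATH, getenv(FIPS_ENV_NAME));
    printf("kernel flag: %s, env override: %s\n",
           (t & FIPS_BY_KERNEL) ? "set" : "not set",
           (t & FIPS_BY_ENV) ? "set" : "not set");
    /* With neither trigger, or with a library that ignores them, the
     * application has to call FIPS_mode_set() itself. */
    return 0;
}
```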
</body>
</html>