<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
The FIPS module will explicitly deny any attempt to use unapproved
algorithms when it's in FIPS mode. It's only when it's not in FIPS
mode that you might be able to use the unapproved algorithms,
because the generated library will use the original code and not the
FIPS canister.<br>
<br>
So, if you want to disable the use of rc4 even when it's not in FIPS
mode, pass no-rc4. FIPS mode will disable it as a matter of course.<br>
<br>
-Kyle H<br>
<br>
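A post-build check for the two points made above (pass <code>fips</code> so the library is built against the canister, and <code>no-rc4</code> so RC4 is compiled out even outside FIPS mode), written as an added example for this page and not taken from the thread or from OpenSSL. It assumes an OpenSSL 1.0.x tree, where Configure turns those options into <code>#define OPENSSL_FIPS</code> and <code>#define OPENSSL_NO_RC4</code> in the generated opensslconf.h, and it runs here on constructed sample headers.

```shell
# Added example, not from the thread or from OpenSSL: verify that a FIPS-capable
# OpenSSL 1.0.x build got both options. Assumption: Configure turns 'fips' into
# '#define OPENSSL_FIPS' and 'no-rc4' into '#define OPENSSL_NO_RC4' in the
# generated opensslconf.h (crypto/opensslconf.h in a 1.0.x tree).
# Check the argument list a packaging script hands to Configure. ('./config -t'
# prints the Configure line config would run, without running it.)
check_configure_args() {
    has_fips=1; has_norc4=1
    for arg in "$@"; do
        case "$arg" in
            fips)   has_fips=0 ;;
            no-rc4) has_norc4=0 ;;
        esac
    done
    [ "$has_fips" -eq 0 ] || echo "no 'fips': library is not built against the canister" >&2
    [ "$has_norc4" -eq 0 ] || echo "no 'no-rc4': RC4 stays usable outside FIPS mode" >&2
    [ "$has_fips" -eq 0 ] && [ "$has_norc4" -eq 0 ]
}

# Check the header Configure generated: the record of which options took effect.
defines() { grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+$2([[:space:]]|$)" "$1"; }
check_fips_conf() {
    rc=0
    defines "$1" OPENSSL_FIPS   || { echo "$1: OPENSSL_FIPS not defined" >&2; rc=1; }
    defines "$1" OPENSSL_NO_RC4 || { echo "$1: OPENSSL_NO_RC4 not defined, RC4 compiled in" >&2; rc=1; }
    return $rc
}
# Constructed, abridged sample headers standing in for a real build tree.
sample_dir=$(mktemp -d)
cat > "$sample_dir/good.h" <<'EOF'
/* constructed: result of 'Configure linux-x86_64 fips no-rc4' */
#ifndef OPENSSL_FIPS
# define OPENSSL_FIPS
#endif
#ifndef OPENSSL_NO_RC4
# define OPENSSL_NO_RC4
#endif
EOF
cat > "$sample_dir/weak.h" <<'EOF'
/* constructed: result of plain 'Configure linux-x86_64', no fips, RC4 left in */
#ifndef OPENSSL_THREADS
# define OPENSSL_THREADS
#endif
EOF

check_configure_args linux-x86_64 fips no-rc4 shared && echo "args: ok"
check_configure_args linux-x86_64 shared || echo "args: weak"
check_fips_conf "$sample_dir/good.h" && echo "header: ok"
check_fips_conf "$sample_dir/weak.h" || echo "header: weak"
```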
<div class="moz-cite-prefix">On 2/10/2016 1:08 PM, cloud force
wrote:<br>
</div>
<blockquote
cite="mid:CAEsYawxwZ1L=OCgpYH9EtmEfxZo+_JMo++xQiA_d4_H5pZ0OkA@mail.gmail.com"
type="cite">
<div dir="ltr">Thanks Kyle. So basically I can just use Configure
for building a FIPS-capable OpenSSL library, as long as I pass the
right parameters to it, right?
<div><br>
</div>
<div>Also, if I use Configure, do I need to explicitly turn off
the non-FIPS-approved algorithms, like passing "no-rc4" as a
parameter to the Configure command?</div>
<div><br>
</div>
<div>I understand it's not necessary to do that if I use the config
script.</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Rich</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Feb 10, 2016 at 12:57 PM, Kyle
Hamilton <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:aerowolf@gmail.com" target="_blank">aerowolf@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> ./config autodetects
the platform and such, passing various parameters to
Configure. So, after you've built the canister, you can do
as you want.<br>
<br>
So, to do this, figure out from ./config what parameters
it passes to Configure in the presence of the 'fips'
argument, then modify the command line the packaging
script invokes accordingly.<br>
<br>
-Kyle H
<div>
<div class="h5"><br>
<br>
<div>On 2/10/2016 12:47 PM, cloud force wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Thanks Kyle.
<div><br>
</div>
<div>Yes, for building the FIPS canister I did exactly
the same thing as mentioned in the security
policy doc.</div>
<div><br>
</div>
<div>My questions above were mainly regarding
building the OpenSSL library itself with the
fipscanister.o modules.</div>
<div><br>
</div>
<div>In the doc it said we should just do "<i><b>config
fips</b></i>", and since the Ubuntu OpenSSL
packaging script does not run the <i><b>config</b></i>
script and runs the <i><b>Configure</b></i>
script instead, I was wondering whether I should still
run "./config fips" before running the Configure
script, or should I just run "Configure fips"
instead?</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Rich</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Feb 10, 2016 at
12:37 PM, Kyle Hamilton <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:aerowolf@gmail.com"
target="_blank">aerowolf@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> My
understanding is, you must follow the steps
given in the Security Guide *exactly*, with
no deviation, in order to produce a
validated binary of the FIPS canister. In
other words, you *must not* try to use
Configure when attempting to build the FIPS
canister because it does not match the steps
given in the Security Guide.<br>
<br>
Once you have the FIPS canister, you can
build a version of OpenSSL that uses it
pretty much indiscriminately (as long as you
ensure that all the things that fipsld does
actually happen when it comes time to link).<br>
<br>
(I apologize if my knowledge is out of date,
I haven't been following the FIPS
development for a couple of years.)<br>
<br>
-Kyle H
<div>
<div><br>
<br>
<div>On 2/10/2016 12:23 PM, cloud force
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Everyone,
<div><br>
</div>
<div>I am trying to build FIPS-capable
OpenSSL as an Ubuntu 12.04
package.</div>
<div><br>
</div>
<div>The OpenSSL doc mentioned that
we need to do ./config fips in order
to build openssl in fips mode. I
tried that and it worked well.</div>
<div><br>
</div>
<div>Now I am building the OpenSSL
FIPS as an Ubuntu package. I
noticed the package manager meta
script uses Configure (instead
of the config script) under the
openssl source folder.</div>
<div><br>
</div>
<div>I was wondering: should I also
do "Configure fips" if I use the
Configure script to configure the
source tree? What's the
relationship between the config and
Configure scripts?</div>
<div><br>
</div>
<div>Or should I just run ./config
fips first and then let the
package manager script run
Configure?</div>
<div><br>
</div>
<div>Thanks.</div>
<div>Rich</div>
<div><br>
</div>
</div>
<br>
<br>
</blockquote>
<br>
</div>
</div>
</div>
<br>
--<br>
openssl-users mailing list<br>
To unsubscribe: <a moz-do-not-send="true"
href="https://mta.openssl.org/mailman/listinfo/openssl-users"
rel="noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<br>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<br>
</blockquote>
<br>
</body>
</html>