[openssl-dev] OpenSSL 1.1.0 and FIPS

Wall, Stephen swall at redcom.com
Tue Feb 23 13:16:04 UTC 2016


Thanks for the feedback, I was deliberately ignoring the issue of not running non-FIPS algos; there are actually instances where it's desirable to have access to them in FIPS mode (RADIUS, e.g.).  A generic way to handle that (aside from Richard's dream proposal) would be to have a NO_INTERNAL_ALGORITHMS setting somewhere in the API.  Possibly split into NO_INTERNAL_SYMMETRIC_ALGOS, ASYMMETRIC, HASHES, etc., for finer-grained control.  Or even a bit per specific algo to go to the extreme.  Probably too late to get something like that in for a 1.1.0 release...?

As far as structure incompatibility, translation could be handled internally to the engine (though that would require a lot of near-duplicate structures).  Feasible, maybe not practical.
