[openssl-dev] FIPs mode and openssl

Marcus Meissner meissner at suse.de
Fri May 27 13:33:02 UTC 2016


On Fri, May 27, 2016 at 09:50:47AM +0000, Mody, Darshan (Darshan) wrote:
> Thanks Steve,
> 
> My question here is: do I need to put openssl in FIPS mode for my application, even when the kernel is in FIPS mode? I get FIPS_mode() returning true when I initialize openssl from my application.

You still need to ask Red Hat.

But if I remember the code correctly, it will also put openssl into FIPS mode as it checks
/proc/sys/crypto/fips_enabled from the kernel and goes to FIPS mode.

Ciao, marcus
 
> Regards
> Darshan
> 
> ________________________________________
> From: openssl-dev [openssl-dev-bounces at openssl.org] on behalf of Steve Marquess [marquess at openssl.com]
> Sent: Friday, May 27, 2016 2:58 PM
> To: openssl-dev at openssl.org
> Subject: Re: [openssl-dev] FIPs mode and openssl
> 
> On 05/27/2016 05:11 AM, Mody, Darshan (Darshan) wrote:
> > Hi,
> >
> >
> >
> > I have a query with regards to FIPS mode and use of Openssl. I have put
> > my kernel image in FIPS mode using the documentation
> > (https://urldefense.proofpoint.com/v2/url?u=https-3A__access.redhat.com_documentation_en-2DUS_Red-5FHat-5FEnterprise-5FLinux_6_html_Security-5FGuide_sect-2DSecurity-5FGuide-2DFederal-5FStandards-5FAnd-5FRegulations-2DFederal-5FInformation-5FProcessing-5FStandard.html&d=CwICAg&c=BFpWQw8bsuKpl1SgiZH64Q&r=bsEULbVnjelD7InzgsegHBEbtXzaIDagy9EuEhJrKfQ&m=GTOvXwENarIDt6ceeifX3cwsUHwEPSoA5Nst5bYguXc&s=-Gf_V2cek9XebA8eKWhFeL2hXCtHLqwJauOD0IuopLU&e= )
> >
> >
> >
> > Do I need to put openssl in FIPS mode using the API FIPS_mode_set(1),
> > or will openssl by default put itself in FIPS mode for my
> > application? There are a couple of applications on the server where we use
> > openssl. Do I need to put each application's openssl in FIPS mode,
> > or will it put itself in FIPS mode since the kernel is in FIPS mode?
> >
> >
> >
> > Thanks
> >
> > Darshan
> >
> >
> >
> 
> 
> You are using the Red Hat FIPS module, not the OpenSSL one, so you'll
> need to ask that vendor.
> 
> -Steve M.
> 
> --
> Steve Marquess
> OpenSSL Validation Services, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD  21710
> USA
> +1 877 673 6775 s/b
> +1 301 874 2571 direct
> marquess at openssl.com
> gpg/pgp key: https://urldefense.proofpoint.com/v2/url?u=http-3A__openssl.com_docs_0x6D1892F5.asc&d=CwICAg&c=BFpWQw8bsuKpl1SgiZH64Q&r=bsEULbVnjelD7InzgsegHBEbtXzaIDagy9EuEhJrKfQ&m=GTOvXwENarIDt6ceeifX3cwsUHwEPSoA5Nst5bYguXc&s=pvfmLNV5wFtbE8TvbGtpQdBRmzZzuuCQF0UgxmaZW34&e=
> --
> openssl-dev mailing list
> To unsubscribe: https://urldefense.proofpoint.com/v2/url?u=https-3A__mta.openssl.org_mailman_listinfo_openssl-2Ddev&d=CwICAg&c=BFpWQw8bsuKpl1SgiZH64Q&r=bsEULbVnjelD7InzgsegHBEbtXzaIDagy9EuEhJrKfQ&m=GTOvXwENarIDt6ceeifX3cwsUHwEPSoA5Nst5bYguXc&s=XQfgkJcZEf0I-0-rMIEw2wp4U7mgrCk8EPGFlSM461U&e=



-- 
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <meissner at suse.de>
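
A startup self-check for the situation discussed in this thread, as an added example that is not part of any poster's message and is not OpenSSL or Red Hat code: it reads the kernel flag at /proc/sys/crypto/fips_enabled and compares it with the mode the crypto library reports about itself, so a mismatch is detected instead of assumed away. The names read_fips_flag and check_fips are hypothetical, and library_mode stands for the value FIPS_mode() would return.

```c
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>

#define KERNEL_FIPS_FLAG "/proc/sys/crypto/fips_enabled"

enum fips_verdict { FIPS_OK_ON, FIPS_OK_OFF, FIPS_MISMATCH, FIPS_UNKNOWN };

/* Parse the flag file: returns 1 (enabled), 0 (disabled), or -1 when the
 * file is missing, unreadable or does not hold a clean 0/1 value. */
int read_fips_flag(const char *path)
{
    char buf[16], *end;
    long v;
    FILE *f = fopen(path, "r");

    if (f == NULL)
        return -1;
    if (fgets(buf, sizeof buf, f) == NULL) {
        fclose(f);
        return -1;
    }
    fclose(f);
    errno = 0;
    v = strtol(buf, &end, 10);
    if (errno != 0 || end == buf || (*end != '\n' && *end != '\0'))
        return -1;
    return (v == 0 || v == 1) ? (int)v : -1;
}

/* library_mode is what the crypto library reports about itself, e.g. the
 * return value of FIPS_mode() mentioned in the thread (nonzero = on). */
enum fips_verdict check_fips(int kernel_flag, int library_mode)
{
    if (kernel_flag < 0)
        return FIPS_UNKNOWN;            /* cannot tell: treat as a failure */
    if ((kernel_flag == 1) != (library_mode != 0))
        return FIPS_MISMATCH;           /* kernel and library disagree */
    return kernel_flag ? FIPS_OK_ON : FIPS_OK_OFF;
}

int main(void)
{
    int k = read_fips_flag(KERNEL_FIPS_FLAG);
    /* Assumption: 0 stands in for FIPS_mode() so this builds without libcrypto. */
    static const char *names[] = { "on/on", "off/off", "MISMATCH", "unknown" };
    printf("kernel=%d verdict=%s\n", k, names[check_fips(k, 0)]);
    return 0;
}
```

An application that must run in FIPS mode would refuse to start on FIPS_MISMATCH or FIPS_UNKNOWN rather than continue.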