[openssl-users] FIPS mode restrictions and DES
kevpfowler at gmail.com
Tue Apr 14 20:03:57 UTC 2015
Two things to consider with IPSec: key exchange mechanisms as provided by
packages like StrongSwan, and the actual encryption/authentication of
packets that is typically being done by the kernel stack and I believe is
based on the Kernel Crypto API. So I believe to do IPSec you do need both
crypto "libraries" to be FIPS-validated, perhaps as separate crypto
On Tue, Apr 14, 2015 at 8:51 AM, jonetsu <jonetsu at teksavvy.com> wrote:
> Salz, Rich wrote
> > As the old joke goes, "if you have to ask, you can't afford it."
> Well, exploration can be free. I noticed that Strongswan uses a plug-in
> architecture for crypto that seemingly allows the use of OpenSSL instead of
> the kernel for crypto operations, for use under FIPS. Does anyone have an
> idea of the order of magnitude in performance loss this could be for IPSec,
> to use crypto from OpenSSL instead of the kernel ?
> View this message in context:
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the openssl-users