[openssl-users] FIPS mode restrictions and DES

Kevin Fowler kevpfowler at gmail.com
Tue Apr 14 20:03:57 UTC 2015


Two things to consider with IPSec: key exchange mechanisms as provided by
packages like StrongSwan, and the actual encryption/authentication of
packets that is typically being done by the kernel stack and I believe is
based on the Kernel Crypto API. So I believe to do IPSec you do need both
crypto "libraries" to be FIPS-validated, perhaps as separate crypto
modules.

Kevin

On Tue, Apr 14, 2015 at 8:51 AM, jonetsu <jonetsu at teksavvy.com> wrote:

> Salz, Rich wrote
> > As the old joke goes, "if you have to ask, you can't afford it."
>
> Well, exploration can be free.  I noticed that Strongswan uses a plug-in
> architecture for crypto that seemingly allows the use of OpenSSL instead of
> the kernel for crypto operations, for use under FIPS.  Does anyone have an
> idea of the order of magnitude in performance loss this could be for IPSec,
> to use crypto from OpenSSL instead of the kernel?
>
> Regards.