[openssl-users] Using FIPS mode and modifying apps

Steve Marquess marquess at openssl.com
Fri Jan 16 15:16:48 UTC 2015


On 01/15/2015 05:52 AM, Marcus Meissner wrote:
> On Thu, Jan 15, 2015 at 05:46:22AM -0500, jonetsu at teksavvy.com
> wrote:
>> On Tue, 13 Jan 2015 21:33:49 -0500 "jonetsu at teksavvy.com"
>> <jonetsu at teksavvy.com> wrote:
>>
>>> So basically every app that uses libssl will have to be modified
>>> to add a FIPS_mode_set() call near the beginning.  Is that right
>>> ?
>>
>> Is there a way to automatically have the FIPS test executed when
>> an application loads the library, w/o the application being
>> modified ?  Is such a way used at all ?
>
> This is actually mandated these days.

For *new* validations only, older modules (such as #1747) validated
before the new I.G. 9.10 interpretation remain valid.

You can find an old but still relevant discussion here:

    http://openssl.com/fips/ig95.html

> On Linux usually triggered by /proc/sys/crypto/fips_enabled
> containing "1" or the environment variable OPENSSL_FORCE_FIPS_MODE=1
> (at least for the certs done by SUSE and Redhat, which do not use the
> container blob).

That is (presumably) true for the proprietary RH and SUSE distros; not
so for the open source based OpenSSL FIPS Object Module or other Linux
distros.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150116/15c1bb4f/attachment.html>


More information about the openssl-users mailing list