[openssl-users] OpenSSL FIPS (0.9.8) coexisting with non-FIPS (1.0.1)

Tom Francis thomas.francis.jr at pobox.com
Tue Jan 20 20:47:36 UTC 2015


> On Jan 20, 2015, at 3:00 PM, Nou Dadoun <ndadoun at teradici.com> wrote:
> 
> Thanks for the clarification, a couple of short questions - 
> 
> We already have a "shim" to index into the function table that gets loaded after run-time selecting from the 0.9.8 FIPS vs non-FIPS dll to use.  I imagined that we might have to "thicken" the shim to accommodate selection between 0.9.8-FIPS and 1.0.1 non-FIPS (unorthodox I know but a potential short term step forward).   Couldn't they be made interchangeable with appropriate changes to the shim or is there some more fundamental incompatibility?

Probably, but I’d strongly recommend against what you’re doing.  You should instead link only ONE library, and call FIPS_mode_set() when you want to use FIPS Approved mode, and do not call that when you do not want to use FIPS Approved mode.  I’m not sure why you would do so much excess work for something that was provided for already with a single function call.  If it’s because you want to switch between use of FIPS or not within the same process, then you’ve misunderstood what FIPS 140 validation is for, and you’re doing it wrong.  Even with the strange (and loose) interpretations of FIPS 140 the government auditors approve. :)

> I looked at the  link you provided for OpenSSL FIPS Object Module v2.0, validation certificate #1747 (thanks very much for that); another interesting consideration but I was surprised to notice that omitted from the list of supported algorithms was any mention of SHA, is no variant of SHA supported at all?

That’s the reference to SHS — Secure Hashing Standard.  See http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.htm for more info if you’d like. :)

> Thanks again … N

TOM

> -----Original Message-----
> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Steve Marquess
> Sent: January-20-15 8:17 AM
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] OpenSSL FIPS (0.9.8) coexisting with non-FIPS (1.0.1)
> 
> On 01/19/2015 12:42 PM, Nou Dadoun wrote:
>> The scenario that we're contemplating is having FIPS based on 0.9.8
>> coexist with 1.0.1 so the remapping at runtime would have to account 
>> for api differences within the two.  This was really the upshot of my 
>> question.
> 
> The 1.2 FIPS module ("FIPS based on 0.9.8") is not compatible with OpenSSL 1.0.1. You need the 2.0 FIPS module for that.
> 
>> But I think I'm still a little confused about the FIPS-certification 
>> of OpenSSL 1.0.1,...
> 
> It's "validation", not "certification".
> 
>> I remember reading that some of the FIPS power on self-test 
>> requirements precluded a general FIPS certification, is that the case? 
>> ...
> 
> I think you're conflating several issues here. What you're probably referring to is the fact that some new requirements for *new* FIPS 140-2 validations (IG 9.10 among them) mean that the source code for the 2.0 FIPS module can no longer be used as-is for new validations. Those new requirements have impacted those vendors desiring to pursue such "private label" or "copycat" validations, but have not affected the original 2.0 FIPS module that was used as the model for such private label validations.
> 
>> What is the status of FIPS OpenSSL certification?
>> (Is this written up anywhere?)
> 
> The OpenSSL FIPS Object Module v2.0, validation certificate #1747, remains available for use with (to date) 102 formally tested platforms:
> 
>  http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747
> 
> -Steve M.
> 
> --
> Steve Marquess
> OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD  21710
> USA
> +1 877 673 6775 s/b
> +1 301 874 2571 direct
> marquess at opensslfoundation.com
> marquess at openssl.com
> gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> 


