[openssl-users] Using FIPS mode and modifying apps

[jonetsu]

"Steve Marquess" <marquess at openssl.com>wrote on 01/27/15 09:18:
Thank you (and Tom) for your comments - much appreciated.

> Tom Francis nailed the answer to this one. We did design the FIPS module
> + "FIPS capable" OpenSSL combination to make it possible to have a
> system wide "FIPS mode" capability, but that presumes that the system
> maintainer (i.e. OS distribution maintainer) has done the review and
> modification of each application that uses cryptography to make sure it
> is compatible with the many restrictions of FIPS mode.

Yes, I understand the concern.  Does this mean that the FIPS checks will be done today on OpenSSL library startup w/o the need for an application to use FIPS_mode_set() ?  I'm asking since the OpenSSL FIPS User Guide 2.0 only mentions using FIPS_mode_set() (and FIPS_selftest()).  Might have to do with your comment below.
 
> That is indeed the assumption: that commercial versions of RH and SuSE
> have modified all impacted OSS applications to operate in FIPS mode. If
> they haven't they are deceiving their customers and the U.S. government.

I see. There is a set of SuSE OpenSSH FIPS patches from 9 months ago, though.
 
> Please read the first two sentences on that web page, right at the top.

OK!  Regarding the second sentence :) ... what is the current status ?  Is OpenSSL transparently executing FIPS checks when in FIPS mode ?  And, why would there be any validation (as opposed to functional tests) to be done since these checks are the same as they were before I presume, just done automatically this time around.

Regards.