[openssl-users] Using FIPS mode and modifying apps
jonetsu at teksavvy.com
Tue Jan 27 16:09:25 UTC 2015
"Steve Marquess" <marquess at openssl.com>wrote on 01/27/15 09:18:
Thank you (and Tom) for your comments - much appreciated.
> Tom Francis nailed the answer to this one. We did design the FIPS module
> + "FIPS capable" OpenSSL combination to make it possible to have a
> system wide "FIPS mode" capability, but that presumes that the system
> maintainer (i.e. OS distribution maintainer) has done the review and
> modification of each application that uses cryptography to make sure it
> is compatible with the many restrictions of FIPS mode.
Yes, I understand the concern. Does this mean that the FIPS checks will be done today on OpenSSL library startup w/o the need for an application to use FIPS_mode_set() ? I'm asking since the OpenSSL FIPS User Guide 2.0 only mentions using FIPS_mode_set() (and FIPS_selftest()). Might have to do with your comment below.
> That is indeed the assumption: that commercial versions of RH and SuSE
> have modified all impacted OSS applications to operate in FIPS mode. If
> they haven't they are deceiving their customers and the U.S. government.
I see. There is a set of SuSE OpenSSH FIPS patches from 9 months ago, though.
> Please read the first two sentences on that web page, right at the top.
OK! Regarding the second sentence :) ... what is the current status ? Is OpenSSL transparently executing FIPS checks when in FIPS mode ? And, why would there be any validation (as opposed to functional tests) to be done since these checks are the same as they were before I presume, just done automatically this time around.
More information about the openssl-users