[openssl-users] Using FIPS mode and modifying apps

jonetsu at teksavvy.com jonetsu at teksavvy.com
Wed Jan 28 13:31:20 UTC 2015


On Tue, 27 Jan 2015 14:13:57 -0500
Steve Marquess <marquess at openssl.com> wrote:

> The user guide documents that correctly. For the OpenSSL FIPS Object
> Module 2.0 (#1747) the FIPS mode of operation is enabled with
> FIPS_mode_set(). There is no "library startup"; you keep confusing
> past validations with new ones.

OK.
> Note that we would update that existing module to comply with the new
> I.G. 9.10 guidance, but that falls in the class of changes that are
> not permitted under the "change letter" update process (similarly, we
> weren't allowed to update the module to address security
> vulnerabilities such as "Lucky 13").

Yes, FIPS is what it is.  I'm short of describing words now, and I
prefer not to search too long :-)

> We have not done any validations that satisfy the various new
> requirements introduced in late 2013 and early 2014. New validations
> are very expensive, in dollars, time, and grief, and we don't have the
> necessary financial backing.

Something I don't understand.  Does validation prevent any software
development?  E.g. why not develop a newer version that is not
validated (until further notice) but will include for instance the
automatic library load that would perform transparently all the FIPS
checks?

In our case, our system as a whole will be validated.  And that
includes OpenSSL, as well as anything else that's relevant to FIPS,
including stickers on the units.  OpenSSL will be validated anyways.
We are looking at adding the automatic load hence the running of FIPS
tests at library load time.  But then, this might change depending on
the assessment of other FIPS-aware modifications to popular Open Source
packages.  Otherwise, if they (most of them) already have FIPS mode options,
then we would add the automatic hooks to OpenSSL.  And the unit will be
sent to the consultants who will run their SSL tests and others, and
then to the NIST labs, as such.

Regards.
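As an added illustration of the "automatic hook at library load time" idea discussed above (this is not code from the thread or from the OpenSSL project): a load-time constructor that calls FIPS_mode_set(1), confirms the result with FIPS_mode(), and fails closed by refusing crypto use when the module is missing or its self-tests fail. It assumes the OpenSSL FIPS Object Module 2.0 API (FIPS_mode_set/FIPS_mode); both symbols are declared weak so the file also builds and runs when no FIPS-capable libcrypto is linked (GCC/Clang on ELF).

```c
#include <stdio.h>

/* OpenSSL FIPS Object Module 2.0 entry points. Declared weak so this file
 * builds and runs even when no FIPS-capable libcrypto is linked; an
 * unresolved weak function is NULL at run time (GCC/Clang, ELF). */
extern int FIPS_mode_set(int onoff) __attribute__((weak));
extern int FIPS_mode(void)          __attribute__((weak));

enum fips_status {
    FIPS_STATUS_ENABLED,       /* FIPS mode on, self-tests passed */
    FIPS_STATUS_UNAVAILABLE,   /* no FIPS-capable libcrypto linked */
    FIPS_STATUS_FAILED,        /* FIPS_mode_set(1) returned 0: POST/integrity failure */
    FIPS_STATUS_INCONSISTENT   /* FIPS_mode_set(1) returned 1 but FIPS_mode() is 0 */
};

/* Global gate: crypto is permitted only once FIPS mode is confirmed on. */
static enum fips_status g_fips_status = FIPS_STATUS_UNAVAILABLE;

enum fips_status fips_enforce(void)
{
    if (FIPS_mode_set == NULL || FIPS_mode == NULL)
        return FIPS_STATUS_UNAVAILABLE;
    if (FIPS_mode())                    /* already on: nothing to do */
        return FIPS_STATUS_ENABLED;
    if (FIPS_mode_set(1) != 1)          /* runs the module self-tests; details go to the ERR queue */
        return FIPS_STATUS_FAILED;
    if (!FIPS_mode())                   /* belt and braces: confirm the switch took effect */
        return FIPS_STATUS_INCONSISTENT;
    return FIPS_STATUS_ENABLED;
}

const char *fips_status_str(enum fips_status s)
{
    switch (s) {
    case FIPS_STATUS_ENABLED:      return "enabled";
    case FIPS_STATUS_UNAVAILABLE:  return "FIPS-capable libcrypto not linked";
    case FIPS_STATUS_FAILED:       return "FIPS_mode_set(1) failed (self-test or integrity check)";
    case FIPS_STATUS_INCONSISTENT: return "FIPS_mode_set(1) returned 1 but FIPS_mode() is 0";
    }
    return "unknown";
}

/* Fail closed: the application consults this before any crypto call. */
int crypto_permitted(void) { return g_fips_status == FIPS_STATUS_ENABLED; }

/* The "automatic hook": runs at load time, before main(), so the decision
 * is made once and cannot be skipped by a caller that forgets FIPS_mode_set(). */
__attribute__((constructor))
static void fips_autoload(void)
{
    g_fips_status = fips_enforce();
    if (!crypto_permitted())
        fprintf(stderr, "FIPS mode not enforced: %s\n", fips_status_str(g_fips_status));
}
```

A production hook would typically abort() instead of only logging when the gate stays closed; the flag form is used here so the file can run without a FIPS module present.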

