[openssl-users] Using FIPS mode and modifying apps
jonetsu at teksavvy.com
Wed Jan 28 13:33:51 UTC 2015
On Mon, 26 Jan 2015 22:35:12 -0500
Tom Francis <thomas.francis.jr at pobox.com> wrote:
> This is a bad idea. It can generally be done, and it’s probably not
> even too hard (for some uses, anyway). But it’s a bad idea. Here’s
> why:
Thanks for the detailed comments. I understand the concerns, although
there's one thing I do not see clearly, that is:
> 2) Applications that don’t know they’re operating in FIPS
> mode may attempt to use algorithms that are disallowed in FIPS mode,
> but using an API that will actually succeed.
How could this happen? Do you have a practical use case? Wouldn't
OpenSSL in FIPS mode prevent the use of such an algorithm in the first
place?
Regards.