[openssl-users] Question about OpenSSL and FIPS 140-2 module

Steve Marquess marquess at openssl.com
Thu Aug 4 15:48:35 UTC 2016


On 08/04/2016 11:00 AM, o haya wrote:
> Hi,
> 
> I've been tasked to look into FIPS 140-2 "compliance" for our
> systems, overall, and I know that there's a "FIPS 140-2 module" for
> OpenSSL, that needs to be built from source and then integrated into
> OpenSSL by building OpenSSL with the FIPS module.
> 
> The User guide goes into how to integrate the resulting OpenSSL(+FIPS
> module) with applications, and also has an example of doing that.
> 
> What I was wondering is:  Does that mean that EVERY application that
> we want to have use the OpenSSL(+FIPS module) would have to be
> (slightly) modified and then rebuilt from source?

Yes, unless that product already has support for the "FIPS capable" OpenSSL.

> What about something like Apache?  Would we have to modify the Apache
> source and rebuild that together with the OpenSSL(+FIPS module)?

Apache httpd is an example of a product that supports the OpenSSL FIPS
module natively, if built using the right build-time options. Stunnel and
socat are others. Probably quite a few more but I don't try to keep track.

OpenSSH is an example of a product not easily adapted for (righteous)
use of the OpenSSL FIPS module, as it contains in-lined cryptographic code.

> 
> Finally, what about COTS products, e.g., WebLogic, for which we
> cannot obtain the source?

You'll need to talk to the vendor(s) of those products. As a general
rule any product that is sold into the USG/DoD market will come in a
FIPS 140 flavor. If you don't have source you'll not be able to tell if
it's readily adaptable for FIPS 140 compliance.

-Steve M.

-- 
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

