[openssl-users] Enforcing FIPS via Cipher Suites Declaration

Steve Marquess marquess at openssl.com
Thu Feb 4 16:29:05 UTC 2016

On 02/04/2016 10:13 AM, Lesley Kimmel wrote:
> All;
> I'm working with PostgreSQL in a DoD environment and am supposed to
> enforce FIPS operation. PostgreSQL doesn't perform a call to
> FIPS_mode_set() but does provide a configuration item 'ssl_ciphers'. Is
> there more to FIPS_mode than I am aware of or would it be functionally
> equivalent to simply set my ciphers to something like 'FIPS:!aNULL:!eNULL'?
> As a semi-related question, would a non-FIPS OpenSSL installation still
> enforce the same cipher suites but just not be 'officially' validated?

Yes, there's a whole lot more to "FIPS 140-2 validated" than just choice
of algorithms/ciphers. There is "magical pixie dust" that won't make
much sense from a pure software engineering perspective. You can find
lots of info online; the Wikipedia article is as good a place as any to
start. Also note the OpenSSL FIPS User Guide,

-Steve M.

Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
