[openssl-users] Enforcing FIPS via Cipher Suites Declaration

Lesley Kimmel lesley.j.kimmel at gmail.com
Thu Feb 4 19:07:02 UTC 2016

Thanks for the input, all. Those are basically the responses I was
expecting, I just wanted to see it in writing as I couldn't find a clear
answer during a short internet search.

On Thu, Feb 4, 2016 at 10:57 AM, Dr. Stephen Henson <steve at openssl.org>

> On Thu, Feb 04, 2016, Thomas Francis, Jr. wrote:
> >
> > AFAIK, you could limit it to the appropriate cipher suites, but be aware
> > that FIPS 140 is all about proving that only certain known and tested
> > [implementations of] algorithms are used.  It???s unlikely that another
> > version of OpenSSL would use exactly the same implementations (after all,
> > fixes and performance enhancements have been added), and there???d still
> be
> > nothing to prove those are the approved algorithms, even if they were the
> > exact same.  So I can???t imagine any auditor approving such a setup.
> >
> That's correct: when you enter FIPS mode OpenSSL switches algorithm
> implementations to those in the validated FIPS module and changes several
> other things such as the use of DRBGs for random number generation instead
> of
> the usual OpenSSL PRNG. If you're not in FIPS mode this wont happen and you
> wont be using validated versions of algorithms.
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160204/3a7d3bf5/attachment.html>

More information about the openssl-users mailing list