[openssl-users] Enabling FIPS on an custom embedded system.

Scott Neugroschl scott_n at xypro.com
Wed Oct 26 22:22:36 UTC 2016

No.   You can check with the OpenSSH mailing list, but I’m pretty darned sure the answer is no.

Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |

From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Eric Tremblay
Sent: Wednesday, October 26, 2016 3:06 PM
To: openssl-users at openssl.org
Subject: Re: [openssl-users] Enabling FIPS on an custom embedded system.

Hi Steve,

Thanks for the quick reply.

That is what I had understand from my reading but wasn't sure.

My next question is about OpenSSH.  There is no official support in OpenSSH for FIPS at the moment right ?



On Wed, Oct 26, 2016 at 5:04 PM, Steve Marquess <marquess at openssl.com<mailto:marquess at openssl.com>> wrote:
On 10/26/2016 04:37 PM, Eric Tremblay wrote:
> Hi all,____
> __ __
> I have built the FIPS module into our Platform but I am stuck at the
> point to enable it.____
> __ __
> We need FIPS to be enabled « Platform wide » not just for one
> application.____
> __ __
> I have read the documentation and search on the web for answer but it
> seem that I would have ____
> to modify a package or write a small application just to enable FIPS.____
> __ __
> Is there another way to enable it on startup of Linux ?  or maybe
> something in OpenSSH ?____
> __ __
> I also read about the OPENSSL_Config in the User Guide but I’m not sure
> if/who and how it is called.____
> __ __
> I am working with OpenSSL 1.0.2j and FIPS 2.0.9.____
> __ __
> Thanks____
> __ __
> Eric

Hmmm ... where to start.

First there is really no such thing as "enabling FIPS" for a platform.
The FIPS module is executable code that runs in the context of a
process, and to be righteous FIPS-wise each process (that uses
cryptography) must invoke the FIPS_mode_set() call that performs the
mandatory POST (Power Up Self Test). Note that is true even when the
FIPS module is embedded in a shared library (the "FIPS enabled"
OpenSSL), as each process using said shared library maps writable data
into its own private address space.

So to make the sweeping claim that a "platform" is FIPS enabled, you
must make sure that *every* process for that platform enables FIPS mode
via a FIPS_mode_set() call (whether directly or indirectly). Note that
for your typical general purpose (e.g. Windows or Linux-like) operating
system that is an essentially unachievable goal, as not all of the many
crypto-using applications are readily converted to use the FIPS enabled
OpenSSL (for instance OpenSSH needs non-trivial hacks). Likewise
kernel-mode crypto can't be addressed with the OpenSSL FIPS module.

For that reason the wise and prudent vendor does not attempt to "enable
FIPS" for an entire platform (for Level 1 validations), but rather only
makes claims about specific individual applications running on that

In the case where all processes of interest are compatible with the FIPS
capable OpenSSL (specifically, not referencing any other crypto
implementations, or non-approved cryptographic operations), then
OPENSSL_config() can in principle be used to indirectly call
FIPS_mode_set() for each such application. That is only *after* every
such application/process has *first* been modified for compatibility
with the FIPS capable OpenSSL. Very few applications not already
designed to support the OpenSSL FIPS module will be compatible without
some degree of modification.

-Steve M.

Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775<tel:%2B1%20877%20673%206775> s/b
+1 301 874 2571<tel:%2B1%20301%20874%202571> direct
marquess at openssl.com<mailto:marquess at openssl.com>
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20161026/31cfcea0/attachment-0001.html>

More information about the openssl-users mailing list