[openssl-users] Enable the FIPS mode in the library level

Alan Dean alandean888 at gmail.com
Mon Mar 5 19:02:01 UTC 2018


On Mon, Mar 5, 2018 at 3:04 AM, Dr. Matthias St. Pierre <
Matthias.St.Pierre at ncp-e.com> wrote:

>
>
> On 05.03.2018 11:57, Dr. Matthias St. Pierre wrote:
> >
> > However, I am sceptical whether this approach will be accepted,
> > because there are (at least) two potential problems:
> >
> > * Normally, it is mandatory to check the result of FIPS_mode_set() or
> > FIPS_mode() to ensure that the FIPS initialization succeeded. However,
> > an application which is not FIPS-aware won't check the result.
> > * It can happen that applications which have their own configuration
> > and enable/disable FIPS mode explicitly, call FIPS_mode_set(0)
> > afterwards.
> >
> >
> > HTH,
> > Matthias
> >
>
> One more obstacle: In FIPS mode it is not allowed to use low level
> crypto algorithms, only the EVP interface is allowed. So most of your
> non-fips-aware applications will malfunction when forced into FIPS mode.
> The consequence is: it's probably not possible to do it.
>

Did you mean that if an application uses the low-level crypto algorithm
functions (e.g. SHA256_Init/SHA256_Update/SHA256_Final) then they won't
work under FIPS mode (and hence may cause unpredictable issues)?

>
> Matthias
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>