On 01/26/2015 06:21 PM, jonetsu at teksavvy.com wrote:
> On Fri, 16 Jan 2015 10:16:48 -0500
> Steve Marquess <marquess at openssl.com> wrote:
>
>> On 01/15/2015 05:52 AM, Marcus Meissner wrote:
>
>>> On Linux usually triggered by /proc/sys/crypto/fips_enabled
>>> containing "1" or the environment variable
>>> OPENSSL_FORCE_FIPS_MODE=1 (at least for the certs done by SUSE and
>>> Redhat, which do not use the container blob).
>
>> That is (presumably) true for the proprietary RH and SUSE distros,
>> not so for the open source based OpenSSL FIPS Object Module or other
>> Linux distros.
>
> I'm afraid it does not come across clear to me. So, maybe the
> following pondering is relevant - or not. Basically, I'm looking at
> how to integrate a FIPS-enabled OpenSSL that will be used by some
> common Open Sources applications, as well as a 3rd party application
> (with source code provided).

Tom Francis nailed the answer to this one. We did design the FIPS module + "FIPS capable" OpenSSL combination to make it possible to have a system wide "FIPS mode" capability, but that presumes that the system maintainer (i.e. OS distribution maintainer) has done the review and modification of each application that uses cryptography to make sure it is compatible with the many restrictions of FIPS mode.

> So, does your comment mean that the paying versions of Red
> Hat and SuSE (proprietary) have open source applications modified to at
> least include the FIPS_mode_set() call ? Why would these releases be
> different in FIPS SSL 'power-up' POST checks when compared to regular
> free releases ?

That is indeed the assumption: that commercial versions of RH and SuSE have modified all impacted OSS applications to operate in FIPS mode. If they haven't they are deceiving their customers and the U.S. government. Note that such modifications are non-trivial for some applications, for instance OpenSSH.

> If I compare with GnuTLS that our product also uses, and with which it
> will also go to certification, its FIPS mode is completely transparent,
> with FIPS checks done on library load.

Can't help you there as I know nothing of GnuTLS. But, applications using GnuTLS will face exactly the same problem; if they were not designed or modified to operate in FIPS mode you're probably going to have undesirable outcomes.

> Based on the discussion in 'The I.G. 9.5 Issue', I took a look at
> 'Implementation Guidance for FIPS PUB 140-2 and the Cryptographic
> Module Validation Program', January 15 2015 release. In section 9.10
> it states:...

Please read the first two sentences on that web page, right at the top.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
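
The thread's two points (the distro triggers, and the need for each application to call FIPS_mode_set() itself) can be combined into one startup check. The sketch below is an added example, not code from the original message, OpenSSL, or any distribution; the function names `fips_requested` and `enter_fips_if_requested` and the stub enablers are hypothetical, and a real application would pass OpenSSL 1.0.x's `FIPS_mode_set` as the `enable` callback.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same shape as OpenSSL 1.0.x FIPS_mode_set(int), which returns 1 on success. */
typedef int (*fips_enable_fn)(int onoff);

/* Returns 1 if either trigger named in the thread asks for FIPS mode. */
int fips_requested(const char *proc_path, const char *env_value)
{
    char flag = '0';
    FILE *f;

    if (env_value != NULL && strcmp(env_value, "1") == 0)
        return 1;                      /* OPENSSL_FORCE_FIPS_MODE=1 */
    f = fopen(proc_path, "r");
    if (f == NULL)
        return 0;                      /* no kernel flag present */
    if (fread(&flag, 1, 1, f) != 1)
        flag = '0';                    /* empty file: treat as off */
    fclose(f);
    return flag == '1';
}

/* 0 = not requested, 1 = requested and enabled,
 * -1 = requested but enabling failed; the caller must stop (fail closed)
 * instead of continuing with non-FIPS cryptography. */
int enter_fips_if_requested(const char *proc_path, const char *env_value,
                            fips_enable_fn enable)
{
    if (!fips_requested(proc_path, env_value))
        return 0;
    return enable(1) == 1 ? 1 : -1;
}

/* Hypothetical stand-ins so the example builds without OpenSSL. */
int stub_enable_ok(int onoff)   { return onoff == 1; }
int stub_enable_fail(int onoff) { (void)onoff; return 0; }

int main(void)
{
    int rc = enter_fips_if_requested("/proc/sys/crypto/fips_enabled",
                                     getenv("OPENSSL_FORCE_FIPS_MODE"),
                                     stub_enable_ok);
    if (rc < 0) {
        fprintf(stderr, "FIPS mode requested but could not be enabled\n");
        return 1;
    }
    printf("FIPS mode %s\n", rc == 1 ? "enabled" : "not requested");
    return 0;
}
```
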