"Steve Marquess" <marquess at openssl.com> wrote on 01/27/15 09:18:

Thank you (and Tom) for your comments - much appreciated.

> Tom Francis nailed the answer to this one. We did design the FIPS module
> + "FIPS capable" OpenSSL combination to make it possible to have a
> system wide "FIPS mode" capability, but that presumes that the system
> maintainer (i.e. OS distribution maintainer) has done the review and
> modification of each application that uses cryptography to make sure it
> is compatible with the many restrictions of FIPS mode.

Yes, I understand the concern. Does this mean that the FIPS checks will be done today on OpenSSL library startup w/o the need for an application to use FIPS_mode_set()? I'm asking since the OpenSSL FIPS User Guide 2.0 only mentions using FIPS_mode_set() (and FIPS_selftest()). Might have to do with your comment below.

> That is indeed the assumption: that commercial versions of RH and SuSE
> have modified all impacted OSS applications to operate in FIPS mode. If
> they haven't they are deceiving their customers and the U.S. government.

I see. There is a set of SuSE OpenSSH FIPS patches from 9 months ago, though.

> Please read the first two sentences on that web page, right at the top.

OK! Regarding the second sentence :) ... what is the current status? Is OpenSSL transparently executing FIPS checks when in FIPS mode? And, why would there be any validation (as opposed to functional tests) to be done, since these checks are the same as they were before, I presume, just done automatically this time around.

Regards.