On 01/27/2015 11:09 AM, jonetsu wrote:
> "Steve Marquess" <marquess at openssl.com> wrote on 01/27/15 09:18:
>
> Thank you (and Tom) for your comments - much appreciated.
>
>> Tom Francis nailed the answer to this one. We did design the FIPS
>> module + "FIPS capable" OpenSSL combination to make it possible to
>> have a system wide "FIPS mode" capability, but that presumes that
>> the system maintainer (i.e. OS distribution maintainer) has done
>> the review and modification of each application that uses
>> cryptography to make sure it is compatible with the many
>> restrictions of FIPS mode.
>
> Yes, I understand the concern. Does this mean that the FIPS checks
> will be done today on OpenSSL library startup w/o the need for an
> application to use FIPS_mode_set() ? I'm asking since the OpenSSL
> FIPS User Guide 2.0 only mentions using FIPS_mode_set() (and
> FIPS_selftest()). Might have to do with your comment below.

The user guide documents that correctly. For the OpenSSL FIPS Object
Module 2.0 (#1747) the FIPS mode of operation is enabled with
FIPS_mode_set(). There is no "library startup"; you keep confusing past
validations with new ones.

Note that we would update that existing module to comply with the new
I.G. 9.10 guidance, but that falls in the class of changes that are not
permitted under the "change letter" update process (similarly, we
weren't allowed to update the module to address security vulnerabilities
such as "Lucky 13").

>> That is indeed the assumption: that commercial versions of RH and
>> SuSE have modified all impacted OSS applications to operate in FIPS
>> mode. If they haven't they are deceiving their customers and the
>> U.S. government.
>
> I see. There is a set of SuSE OpenSSH FIPS patches from 9 months ago,
> though.
>
>> Please read the first two sentences on that web page, right at the
>> top.
>
> OK! Regarding the second sentence :) ... what is the current status
> ?

We have not done any validations that satisfy the various new
requirements introduced in late 2013 and early 2014. New validations are
very expensive, in dollars, time, and grief, and we don't have the
necessary financial backing.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc