On 08/04/2016 11:00 AM, o haya wrote:
> Hi,
>
> I've been tasked to look into FIPS 140-2 "compliance" for our
> systems, overall, and I know that there's a "FIPS 140-2 module" for
> OpenSSL, that needs to be built from source and then integrated into
> OpenSSL by building OpenSSL with the FIPS module.
>
> The User Guide goes into how to integrate the resulting OpenSSL(+FIPS
> module) with applications, and also has an example of doing that.
>
> What I was wondering is: Does that mean that EVERY application that
> we want to have use the OpenSSL(+FIPS module) would have to be
> (slightly) modified and then rebuilt from source?

Yes, unless that product already has support for the "FIPS capable" OpenSSL.

> What about something like Apache? Would we have to modify the Apache
> source and rebuild that together with the OpenSSL(+FIPS module)?

Apache httpd is an example of a product that supports the OpenSSL FIPS module natively, if built using the right build-time options. Stunnel and socat are others. Probably quite a few more, but I don't try to keep track.

OpenSSH is an example of a product not easily adapted for (righteous) use of the OpenSSL FIPS module, as it contains in-lined cryptographic code.

> Finally, what about COTS products, e.g., WebLogic, for which we
> cannot obtain the source?

You'll need to talk to the vendor(s) of those products. As a general rule any product that is sold into the USG/DoD market will come in a FIPS 140 flavor.

If you don't have source you'll not be able to tell if it's readily adaptable for FIPS 140 compliance.

-Steve M.

--
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
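A start-up self-check in the spirit of the "slight modification" an application needs for the FIPS capable OpenSSL, added here as an example and not code from this thread or from the OpenSSL project: it assumes the FIPS_mode_set()/FIPS_mode() calls of the FIPS capable OpenSSL 1.0.x (the API the FIPS User Guide documents; absent from OpenSSL 3.x), loads the library under the assumed name libcrypto.so, and fails closed unless FIPS mode actually came up.

```c
/* Added example: run-time check that the libcrypto an application actually
 * loads is the FIPS capable OpenSSL 1.0.x and that FIPS mode can be entered.
 * Uses FIPS_mode_set()/FIPS_mode() as documented in the OpenSSL FIPS User
 * Guide (assumption: OpenSSL 1.0.x API; these calls do not exist in 3.x). */
#include <dlfcn.h>
#include <stdio.h>

enum fips_status {
    FIPS_NO_LIBRARY = 0,  /* libcrypto could not be loaded at all */
    FIPS_NO_API     = 1,  /* no FIPS_mode_set(): not a FIPS capable 1.0.x build */
    FIPS_SET_FAILED = 2,  /* API present but FIPS mode refused (stock build) */
    FIPS_ENABLED    = 3   /* FIPS mode is on: the validated module is in use */
};

typedef int (*fips_set_fn)(int);
typedef int (*fips_get_fn)(void);

/* Probe the library at 'path' and try to enter FIPS mode. */
enum fips_status probe_fips(const char *path)
{
    void *lib = dlopen(path, RTLD_NOW | RTLD_GLOBAL);
    if (!lib)
        return FIPS_NO_LIBRARY;
    fips_set_fn set = (fips_set_fn)dlsym(lib, "FIPS_mode_set");
    fips_get_fn get = (fips_get_fn)dlsym(lib, "FIPS_mode");
    if (!set || !get)
        return FIPS_NO_API;
    if (get())                  /* another component enabled it already */
        return FIPS_ENABLED;
    /* A stock (non-FIPS) OpenSSL 1.1.x exports FIPS_mode_set() as a stub
     * that always fails, so the symbol alone proves nothing: call it and
     * then confirm with FIPS_mode(). */
    if (!set(1) || !get())
        return FIPS_SET_FAILED;
    return FIPS_ENABLED;
}

/* Fail-closed policy: only FIPS_ENABLED lets the application proceed. */
int fips_required_ok(enum fips_status s)
{
    return s == FIPS_ENABLED;
}

int main(void)
{
    static const char *text[] = {
        "libcrypto not found", "no FIPS_mode API (not FIPS capable, or OpenSSL 3.x)",
        "FIPS_mode_set(1) refused", "FIPS mode enabled" };
    enum fips_status s = probe_fips("libcrypto.so");   /* assumed library name */
    printf("%s\n", text[s]);
    return fips_required_ok(s) ? 0 : 1;
}
```

Link with -ldl on older glibc; a non-zero exit from this check at service start-up is the signal that the deployment is not running on the FIPS capable OpenSSL.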