Hi Steve, Thanks for the quick reply. That is what I had understand from my reading but wasn't sure. My next question is about OpenSSH. There is no official support in OpenSSH for FIPS at the moment right ? Thanks Eric On Wed, Oct 26, 2016 at 5:04 PM, Steve Marquess <marquess at openssl.com> wrote: > On 10/26/2016 04:37 PM, Eric Tremblay wrote: > > Hi all,____ > > > > __ __ > > > > I have built the FIPS module into our Platform but I am stuck at the > > point to enable it.____ > > > > __ __ > > > > We need FIPS to be enabled ? Platform wide ? not just for one > > application.____ > > > > __ __ > > > > I have read the documentation and search on the web for answer but it > > seem that I would have ____ > > > > to modify a package or write a small application just to enable FIPS.____ > > > > __ __ > > > > Is there another way to enable it on startup of Linux ? or maybe > > something in OpenSSH ?____ > > > > __ __ > > > > I also read about the OPENSSL_Config in the User Guide but I?m not sure > > if/who and how it is called.____ > > > > __ __ > > > > I am working with OpenSSL 1.0.2j and FIPS 2.0.9.____ > > > > __ __ > > > > Thanks____ > > > > __ __ > > > > Eric > > > > > > > > > Hmmm ... where to start. > > First there is really no such thing as "enabling FIPS" for a platform. > The FIPS module is executable code that runs in the context of a > process, and to be righteous FIPS-wise each process (that uses > cryptography) must invoke the FIPS_mode_set() call that performs the > mandatory POST (Power Up Self Test). Note that is true even when the > FIPS module is embedded in a shared library (the "FIPS enabled" > OpenSSL), as each process using said shared library maps writable data > into its own private address space. > > So to make the sweeping claim that a "platform" is FIPS enabled, you > must make sure that *every* process for that platform enables FIPS mode > via a FIPS_mode_set() call (whether directly or indirectly). Note that > for your typical general purpose (e.g. Windows or Linux-like) operating > system that is an essentially unachievable goal, as not all of the many > crypto-using applications are readily converted to use the FIPS enabled > OpenSSL (for instance OpenSSH needs non-trivial hacks). Likewise > kernel-mode crypto can't be addressed with the OpenSSL FIPS module. > > For that reason the wise and prudent vendor does not attempt to "enable > FIPS" for an entire platform (for Level 1 validations), but rather only > makes claims about specific individual applications running on that > platform. > > In the case where all processes of interest are compatible with the FIPS > capable OpenSSL (specifically, not referencing any other crypto > implementations, or non-approved cryptographic operations), then > OPENSSL_config() can in principle be used to indirectly call > FIPS_mode_set() for each such application. That is only *after* every > such application/process has *first* been modified for compatibility > with the FIPS capable OpenSSL. Very few applications not already > designed to support the OpenSSL FIPS module will be compatible without > some degree of modification. > > -Steve M. > > -- > Steve Marquess > OpenSSL Validation Services, Inc. > 1829 Mount Ephraim Road > Adamstown, MD 21710 > USA > +1 877 673 6775 s/b > +1 301 874 2571 direct > marquess at openssl.com > gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20161026/67311bf5/attachment.html>
