Hi All:
I am working on a project to integrate the OpenSSL FIPS capable library into our product platform. (We will be doing our own FIPS 140-2 level 1 certification)
There are a large number of third party applications/ library (e.g. wget, libcurl, postfix, etc) run on our platform which use OpenSSL library, and based on the OpenSSL FIPS Library User Guide, it seems like the only way to make all these third party applications capable of running on FIPS mode will require modifying all these software to inject the FIPS_mode_set() API into the appropriate spots, so that FIPS mode can be explicitly enabled. This solution, however, may not be scalable since we would need to modify tens (if not hundreds) of different open source applications/ libraries in order to make them FIPS capable.
Another potential option I am investigating is, instead of having to invoke the FIPS_mode_set API from each application, maybe (or maybe not) it's feasible to make the FIPS_mode_set API to be invoked in an entry point of the OpenSSL library so that the library itself will always be operating on FIPS mode, and in that case we won't need to inject the FIPS_mode_set API into all these third party software in order to make them FIPS capable. Of course there will be something like OpenSSH which will still require a lot of changes in order to make it able to run on FIPS mode without issue, but I will assume most of the other third party software will probably require no changes if we can enable the FIPS mode in the library level?
Question 1: Is it even feasible to make the FIPS mode always enabled for the whole OpenSSL library (i.e. for both libcrypto and libssl), so that most the applications which dynamically linked to libcrypto and libssl will be automatically use OpenSSL FIPS mode without the need of changes to add the FIPS_mode_set invocation (with some exception such as OpenSSH which may still need some fixes). (Assuming from certification's perspective we are ok if we may these changes)
Question 2: If the above idea is feasible, where in the OpenSSL library will be the best entry to invoke FIPS_mode_set API, so that we can make the whole OpenSSL library always in FIPS mode? Any potebtial issues for this solution?
Any suggestions will be greatly appreciated.
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users