On 7/19/2011 5:09 PM, Pierre Joye wrote:
> On Wed, Jul 20, 2011 at 1:50 AM, Scott MacVicar <sc...@macvicar.net> wrote:
>> OpenSSL has been FIPS certified, your change has changed this contract and it's
>> calling back into a Windows API. Has it been reviewed for correctness?
>
> And by the way, the CryptoAPI for the Windows versions we support is
> certified as well. Just in case you did not check yourself in the 1st
> place.
>
> Further ref, http://technet.microsoft.com/en-us/library/cc750357.aspx
>
> Cheers,

I'm jumping on this one rather late.

I have no idea if you can *mix* two different FIPS-validated crypto/SSL
libraries and still be able to claim FIPS validation of those libraries.
I'm pretty sure you would have to go through the whole FIPS validation
process with the combination of the two. To the best of my knowledge,
no one has ever done that before.

That all said, I have NEVER thought of PHP as a project that would ever
care about claiming FIPS compliance.

To use FIPS with OpenSSL, FIPS first has to be compiled into OpenSSL
using a special build process almost no one goes through. Then the
library has to be switched into "FIPS mode" within the application code
itself using either FIPS_mode_set() or a configuration file and then
checking for FIPS with a call to FIPS_mode() from within the
application. You're supposed to exit if you are expecting FIPS and it
failed to initialize for whatever reason.

--
Thomas Hruska
CubicleSoft President
Barebones CMS is a high-performance, open source content management
system for web developers operating in a team environment.
An open source CubicleSoft initiative.
Your choice of a MIT or LGPL license.
http://barebonescms.com/
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
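
The startup sequence described in the message above (switch into FIPS mode, confirm it with a second call, exit if FIPS was expected and is not active), as an added example that is not part of the original post and is not PHP or OpenSSL code. `fips_ops`, `require_fips`, the `WITH_OPENSSL_FIPS` macro and the fake callbacks are hypothetical names; the real calls assume a FIPS-capable OpenSSL 1.0.x build that declares them in `<openssl/crypto.h>`.

```c
#include <stdio.h>
#include <stdlib.h>
#ifdef WITH_OPENSSL_FIPS            /* assumed macro: FIPS-capable OpenSSL 1.0.x build */
#include <openssl/crypto.h>
#endif

/* Hypothetical indirection so the policy can be tested without a FIPS build. */
typedef struct {
    int (*mode_set)(int on);        /* FIPS_mode_set(): returns 1 on success */
    int (*mode)(void);              /* FIPS_mode(): non-zero when FIPS is active */
} fips_ops;

/* Returns 0 if the FIPS requirement is met, -1 if the caller must exit. */
int require_fips(const fips_ops *ops, int fips_expected)
{
    if (!fips_expected)
        return 0;                   /* no FIPS claim made; nothing to enforce */
    if (!ops || !ops->mode_set || !ops->mode)
        return -1;                  /* library built without FIPS: fail closed */
    if (ops->mode_set(1) != 1)
        return -1;                  /* switching into FIPS mode failed */
    return ops->mode() ? 0 : -1;    /* confirm the mode is really active */
}

/* Constructed stand-ins for the library calls (not OpenSSL code). */
static int set_ok(int on)   { (void)on; return 1; }
static int set_fail(int on) { (void)on; return 0; }
static int mode_on(void)    { return 1; }
static int mode_off(void)   { return 0; }
static const fips_ops FAKE_OK      = { set_ok,   mode_on  };
static const fips_ops FAKE_SETFAIL = { set_fail, mode_off };
static const fips_ops FAKE_SILENT  = { set_ok,   mode_off };

int main(void)
{
#ifdef WITH_OPENSSL_FIPS
    const fips_ops real = { FIPS_mode_set, FIPS_mode };
    if (require_fips(&real, 1) != 0) {
        fprintf(stderr, "FIPS mode expected but not active; exiting\n");
        return EXIT_FAILURE;
    }
#endif
    printf("mode set and confirmed:    %d\n", require_fips(&FAKE_OK, 1));
    printf("mode switch fails:         %d\n", require_fips(&FAKE_SETFAIL, 1));
    printf("set succeeds, mode is off: %d\n", require_fips(&FAKE_SILENT, 1));
    printf("library without FIPS:      %d\n", require_fips(NULL, 1));
    return 0;
}
```
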