On Thursday 21 December 2000 21:52, Scott Goodwin wrote:
> Yes. FIPS 140-1 is a requirement for government servers running SSL, which
> essentially means all government non-public web servers (FIPS 140-1
> actually covers most cases where you're encrypting info in government
> systems).
>
> FIPS 140-1 means that the NSA has blessed the encryption codes as being
> secure. There is a site where the list of FIPS 140-1 compliant encryption
> libraries is listed. RSA's BSAFE 4.3 is one of them. You can find the list
> of the "good" libraries at http://csrc.nist.gov/cryptval/140-1/1401val.htm.
> At the bottom you'll find links to the list.
>
> You won't find OpenSSL on the list because: no one has paid for any version
> of OpenSSL to be validated by the NSA/NIST, nor is it likely anyone will.
>
> So your only real option if you want to continue to use OpenSSL is to
> compile the BSAFE Crypto-C library into OpenSSL instead of the encryption
> codes that come with OpenSSL.


Speaking of NSA FIPS compliance stuff. I was reading the Linux-Kernel list
and came across a thread "The NSA's Security-Enhanced Linux". It referenced
this website:

http://www.nsa.gov/selinux/index.html

Maybe it offers something interesting for those auditors.

>
> I have information on compiling BSAFE 4.3 into OpenSSL so that OpenSSL is
> then considered FIPS 140-1 compliant. You can then compile OpenSSL into
> Apache or AOLserver.
>
> Go to http://scottg.net/aolserver and look down the right column for the
> title "nsopenssl and BSAFE 4.x and 5.x". (Or read my article at
> http://www.arsdigita.com/asj/aolserver-ssl#NSOPENSSL-BSAFE.) Part of that
> page contains instructions on compiling BSAFE into OpenSSL. My site is a
> bit out of date; you can find the latest patch to OpenSSL so that BSAFE can
> be compiled with it at: http://www.lymeware.com/download_fw.html. You'll
> have to use OpenSSL 0.9.5a though.
>
> Problem is, you have to have the BSAFE library to do the compilation. If
> you can talk RSA into sending you the BSAFE SDK, great. Be prepared to
> answer a lot of questions though.
>
> I am still harassing RSA into creating a ~$50-100 distribution of their
> libs that would be payable via credit card and downloadable from their
> site, but no luck yet. They are completely focused on the reseller --
> companies that want to use their product to build their application and
> then sell it. They really don't see a market for the individual or small
> company who wants to build their own application for internal use. In the
> article mentioned above, I wrote:
>
> "I don't know what the market for an end-user license would be, but I would
> gladly pay up to $100 for one. If you'd like to bend Ken's ear you can call him
> at (703) 288-9300 extension 313, or email him at
> [EMAIL PROTECTED]"
>
> Anyway, we got ahold of the BSAFE SDK, and we purchased one copy of RedHat
> Apache SSL for each web server we run (which gave us a license to run BSAFE
> on one computer per copy). Then we compiled BSAFE into our webservers and
> that was that.
>
> The End.
>
> Hope this helps. If not, send me a note.
>
> /s.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of David Lang
> Sent: Thursday, December 21, 2000 2:55 PM
> To: [EMAIL PROTECTED]
> Subject: FIPS 140-1 compliant?
>
>
> I am being asked by auditors if all the software we run is FIPS 140-1
> compliant. Currently I have no answer about OpenSSL and products that use
> it. Can anyone give me pointers to the info?
>
> David Lang
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]

-- 
-------- Robert B. Easter  [EMAIL PROTECTED] ---------
- CompTechNews Message Board   http://www.comptechnews.com/ -
- CompTechServ Tech Services   http://www.comptechserv.com/ -
---------- http://www.comptechnews.com/~reaster/ ------------