Thank you for the information, Steve. 

Could you please further clarify the state of FIPS support, especially
ANSI X9.31 PRNG, in OpenSSL 0.9.8?  Does the fact that the "fips"
directory disappeared from 0.9.8 mean it was scratched?  If it was, is
there any plan on putting it back?  Or must we keep using 0.9.7 to use
such functionality?

Thanks, 

On 7/22/05, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> On Fri, Jul 22, 2005, Thomas J. Hruska wrote:
> 
> > Naomaru Itoi wrote:
> > >Hello,
> > >
> > >Please excuse me for the cross post between the ML and the news group.
> > >
> > >I am interested in using FIPS recommended functionality in OpenSSL,
> > >e.g., ANSI X9.31 pseudo random number generator.  In OpenSSL 0.9.7g, I
> > >can see a directory "fips" at the top of the source tree and FIPS
> > >related functions there.  However, in OpenSSL 0.9.8, I see neither
> > >the "fips" directory nor the X9.31 function in crypto/rand.
> > >
> > >Are X9.31, and maybe other FIPS related functionality, scratched from
> > >0.9.8?  Must I use 0.9.7g to get such functionality?  Or is it located
> > >somewhere but I am just not finding it?
> > >
> >
> > I'm also interested in knowing the OpenSSL team's stance on FIPS mode.
> > I know it is an annoyance to maintain, but at a conference I attended
> > just this past week, I ran into someone who uses a different
> > cryptography package because they claimed that OpenSSL in FIPS mode
> > "doesn't work".  They didn't give me details (I didn't ask - sorry), but
> > if some package is working in FIPS mode and OpenSSL doesn't in some
> > regard, even though the docs claim it does, I see this as bad
> > word-of-mouth press for OpenSSL - however, that doesn't mean it can't be
> > turned to our advantage by making some changes to the core package.
> >
> > I'm curious:  Do we know how many people use FIPS mode crypto packages
> > (not just OpenSSL)?  What is the general demographic for someone who
> > wants to use FIPS mode OpenSSL?  That is, do they tend to run Windows or
> > *NIX builds?
> >
> 
> The FIPS validation for OpenSSL is still pending so it isn't FIPS certified at
> present.
> 
> It is quite possible that some packages will not work without modification in
> FIPS mode. The certification for example prohibits the cryptographic use of
> certain algorithms such as MD5 and RC4 so any package relying on those
> algorithms will fail.
> 
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
>