Hello,
     I have 6 questions about making a host FIPS-140-2 compliant.
I was able to build both openssl-fips-1.2 and openssl-0.9.8j-dev (stable snapshot)
on FreeBSD 6.3 and combine the canister files, install on a server, and adjust ldconfig
so apps use the new libs.  Now lsof shows app executables like httpd, sshd, postgres
and a custom daemon using the new shared libraries.

Now, how to go into fips_mode:

Q1. Can I make these executable go into fips_mode by a config or tune without
    changing their source and without recompiling them?

Q2. If I have to recompile the apps, is it only a recompile, or does there need
    to be a function call to FIPS_mode_set(...) or OPENSSL_config(...)?  In the
    OPENSSL_config man page, NOTES, paragraph 2, there is some automatic way so
    long as the preprocessor symbol OPENSSL_LOAD_CONF is #defined and the app
    calls OPENSSL_add_all_algorithms().

Q3. If the above function call(s) needs to be added, how about other changes like
    looking for the return code for ciphers now blocked by fips_mode so the app
    deals with it?  Probably a good idea.

Q4. If source changes are required, are these publicly available as patches
    somewhere?

Q5. To find every app executable on the host which links to libssl.so and libcrypto.so,
    I did a global host search with file path and grepped for some strings and then ran
    ldd on those looking for libssl|libcrypto and found about 85 in total.   To be
    FIPS-140-2 compliant, does every one of these need to be able to go into
    fips mode?   Who determines which ones need to and don't need to?

Q6. Lastly, how can I prove, externally to the app, that it is in fips mode?
    e.g. can I  ssh -v -c blowfish-cbc  u...@host   and verify that a fips_mode sshd
    will not allow it because blowfish is not supported in fips mode?

Sorry for so many questions, thanks in advance.

-->Pat
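The external check Pat describes in Q6, worked through as an added example (this is example code written for this page, not code from the OpenSSL project or from the poster). It drives `ssh -v -c <cipher>` against a host and classifies the outcome from the client's debug output: a refusal at key exchange for blowfish-cbc, arcfour or cast128-cbc (none of which is FIPS-approved), and a successful negotiation for an AES cipher. It assumes an OpenSSH client on PATH; the cipher lists are an assumption about what a FIPS-mode sshd should refuse and accept, and the sample debug lines are constructed, modelled on OpenSSH's `-v` output rather than captured from a real host.

```python
"""Probe an sshd from the outside: does it refuse non-FIPS ciphers?

Example code added for this page (not from OpenSSL or the poster).
Runs `ssh -v -c <cipher>` and classifies the result from the client's
stderr. The cipher is settled in the key exchange, before host-key
verification and authentication, so those may fail without spoiling
the verdict. Assumes an OpenSSH client on PATH.
"""
import re
import subprocess
import sys

# Assumed expectations for a FIPS 140-2 sshd: these ciphers are not
# FIPS-approved and must be refused at negotiation ...
MUST_REJECT = ("blowfish-cbc", "arcfour", "cast128-cbc")
# ... while these AES modes are approved and must still be negotiated.
MUST_ACCEPT = ("aes128-ctr", "aes256-cbc")

# Refusal, as printed by the client: older OpenSSH says
# "no matching cipher found: client X server Y", newer OpenSSH
# "Unable to negotiate ...: no matching cipher found. Their offer: ...".
REJECTED_RE = re.compile(r"no matching cipher found")
# Success: the agreed cipher is logged right after KEXINIT. Older clients
# print "kex: server->client aes128-ctr hmac-sha1 none", newer ones
# "kex: server->client cipher: aes128-ctr MAC: ... compression: ...".
NEGOTIATED_RE = re.compile(r"kex: server->client (?:cipher: )?([\w@.\-]+)")


def classify(ssh_debug_output):
    """Return ("rejected", None), ("negotiated", cipher) or ("unknown", None)."""
    if REJECTED_RE.search(ssh_debug_output):
        return ("rejected", None)
    match = NEGOTIATED_RE.search(ssh_debug_output)
    if match:
        return ("negotiated", match.group(1))
    return ("unknown", None)


def verdict_ok(cipher, result):
    """True if the observed result is what a FIPS-mode sshd should produce."""
    status, negotiated = result
    if cipher in MUST_REJECT:
        return status == "rejected"
    if cipher in MUST_ACCEPT:
        return status == "negotiated" and negotiated == cipher
    return False  # no expectation recorded for this cipher


def probe(host, cipher, ssh="ssh"):
    """Run one ssh -v attempt with a single cipher and classify its stderr.

    BatchMode and PasswordAuthentication=no stop ssh from prompting; the
    command still fails at host-key check or authentication, which is fine
    because the cipher has already been chosen and logged by then.
    """
    cmd = [ssh, "-v", "-c", cipher,
           "-o", "BatchMode=yes", "-o", "PasswordAuthentication=no",
           "-o", "ConnectTimeout=5", host, "true"]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return classify(proc.stderr)


def check_host(host, ssh="ssh"):
    """Probe every cipher of interest; returns {cipher: (result, ok)}."""
    report = {}
    for cipher in MUST_REJECT + MUST_ACCEPT:
        result = probe(host, cipher, ssh)
        report[cipher] = (result, verdict_ok(cipher, result))
    return report


# Constructed samples modelled on OpenSSH -v output (not real captures),
# covering the older and newer message formats.
SAMPLE_REJECTED_OLD = (
    "debug1: SSH2_MSG_KEXINIT sent\n"
    "debug1: SSH2_MSG_KEXINIT received\n"
    "no matching cipher found: client blowfish-cbc server aes128-ctr,aes256-ctr\n"
)
SAMPLE_REJECTED_NEW = (
    "debug1: SSH2_MSG_KEXINIT sent\n"
    "debug1: SSH2_MSG_KEXINIT received\n"
    "Unable to negotiate with 192.0.2.10 port 22: no matching cipher found. "
    "Their offer: aes128-ctr,aes192-ctr,aes256-ctr\n"
)
SAMPLE_NEGOTIATED_OLD = (
    "debug1: SSH2_MSG_KEXINIT received\n"
    "debug1: kex: server->client aes128-ctr hmac-sha1 none\n"
    "debug1: kex: client->server aes128-ctr hmac-sha1 none\n"
    "Permission denied (publickey).\n"
)
SAMPLE_NEGOTIATED_NEW = (
    "debug1: kex: algorithm: diffie-hellman-group14-sha256\n"
    "debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 "
    "compression: none\n"
    "Host key verification failed.\n"
)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe_fips_sshd.py user@host")
    for name, (res, ok) in check_host(sys.argv[1]).items():
        print("%-14s %-11s %s" % (name, res[0], "OK" if ok else "UNEXPECTED"))
```

One caveat on what this proves: a refusal shows only that sshd's negotiated cipher list excludes blowfish. A restrictive Ciphers line in sshd_config would produce exactly the same client-side message with libcrypto nowhere near FIPS mode, so the probe is evidence about the sshd configuration, not by itself proof that the library entered FIPS mode.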


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
