Hello Patrick:

I can't answer most of your questions, but have a question for you:

Why are you trying to make all applications FIPS? FIPS is usually only applied for a particular application (such as making a Web server that is part of a Registration Authority application handle its keys in the FIPS required method, as required by a CP), and not for an entire host. I've never run into a situation where you'd have to have ALL applications on a host run in FIPS mode - I've seen hosts that are required to be run in CC EAL evaluated mode, but never have all apps run in FIPS mode.

So I guess I'm just very confused about what you are trying to accomplish, and why you would ever need to do this (no-one WANTS to run in FIPS mode, it's just something that a policy MAKES us do :)

My guess is that you only have to make a very small subset of all applications work in FIPS mode to accomplish what you are trying to do, and then set up the rest of the host according to the CC EAL profile that you are trying to run at.

Have fun.

Patrick.

On December 17, 2008 10:47:35 am Patrick Rael wrote:
> Hello,
>
> I have 6 questions about making a host FIPS-140-2 compliant.
>
> I was able to build both openssl-fips-1.2 and openssl-0.9.8j-dev (stable snapshot) on FreeBSD6.3 and combine the canister files, install on a server, and adjust ldconfig so apps use the new libs. Now lsof shows app executables like httpd, sshd, postgres and a custom daemon using the new shared libraries.
>
> Now, how to go into fips_mode:
>
> Q1. Can I make these executables go into fips_mode by a config or tune without changing their source and without recompiling them?
>
> Q2. If I have to recompile the apps, is it only a recompile, or does there need to be a function call to FIPS_mode_set(...) or OPENSSL_config(...)? In the OPENSSL_config man page, NOTES, paragraph 2, there is some automatic way so long as the preprocessor symbol OPENSSL_LOAD_CONF is #defined and the app calls OPENSSL_add_all_algorithms().
>
> Q3. If the above function call(s) need to be added, how about other changes like looking for the return code for ciphers now blocked by fips_mode so the app deals with it? Probably a good idea.
>
> Q4. If source changes are required, are these publicly available as patches somewhere?
>
> Q5. To find every app executable on the host which links to libssl.so and libcrypto.so, I did a global host search with file path and grepped for some strings and then ran ldd on those looking for libssl|libcrypto and found about 85 in total. To be FIPS-140-2 compliant, does every one of these need to be able to go into fips mode? Who determines which ones need to and don't need to?
>
> Q6. Lastly, how can I prove externally of the app that it is in fips mode? E.g., can I ssh -v -c blowfish-cbc u...@host and verify that a fips_mode sshd will not allow it because blowfish is not supported in fips mode?
>
> Sorry for so many questions, thanks in advance.
>
> -->Pat
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org

-- 
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca