Patrick Patterson wrote:
Hello Patrick:
I can't answer most of your questions, but have a question for you:
Why are you trying to make all applications FIPS? FIPS is usually only applied
for a particular application (such as making a Web server that is part of a
Registration Authority application handle its keys in the FIPS required
method, as required by a CP), and not for an entire host.
I've never run into a situation where you'd have to have ALL applications on a
host run in FIPS mode - I've seen hosts that are required to be run in CC EAL
evaluated mode, but never have all apps run in FIPS mode.
So I guess I'm just very confused about what you are trying to accomplish, and
why you would ever need to do this (no-one WANTS to run in FIPS mode, it's
just something that a policy MAKES us do :)
My guess is that you only have to make a very small subset of all applications
work in FIPS mode to accomplish what you are trying to do, and then set up
the rest of the host according to the CC EAL profile that you are trying to
run at.
A quick response now and I'll circle back to Patrick's questions later
as time permits.
Ground zero for FIPS 140-2 CMVP is the U.S. Federal government and the
DoD where procurement of FIPS validated cryptography is (nominally)
mandated *everywhere* (NSTISSP #11 and other policy scripture). I say
"nominally" because much non-validated crypto is still used in that
environment in violation of that mandate. But time is running out for
non-compliant applications and my DoD clients are seeing ever increasing
pressure to comply.
So a means of globally enabling FIPS mode for all crypto on a host is
indeed highly desirable for program managers, procurement officers,
vendors, etc. in the federal government and DoD arena.
To that end Dr. Steve Henson has added a FIPS option to the
OPENSSL_config function and openssl_conf configuration file. Using that
mechanism an O/S distribution vendor could in principle ship one product
to all customers, and those customers required to use FIPS mode could
globally enable it in one swell foop without having to diddle dozens of
separate configuration files.
However in practice most OpenSSL based applications will require some
source code tweaks to run with FIPS mode enabled and claim compliance
with the validation requirements. So far (to my knowledge) only Stunnel
supports a FIPS mode off the shelf, though patches for mod_ssl and
OpenSSH are in circulation. It's my hope that in time such support will
be widespread and the global openssl_conf FIPS switch will be usable.
-Steve M.
--
Steve Marquess
Open Source Software Institute
marqu...@oss-institute.org
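The global openssl_conf FIPS switch that Steve describes above, shown as an added illustration rather than text from the thread or a file shipped by OpenSSL: the key names follow the form documented for the EVP configuration module in later FIPS-capable OpenSSL 1.0.x builds, and the section names (openssl_init, evp_settings) are arbitrary labels chosen for this example.

```ini
# Illustrative openssl.cnf fragment (constructed for this example, not OpenSSL's own file).
# The FIPS switch lives in the "alg_section" of the openssl_conf module;
# the section names openssl_init and evp_settings are assumed labels.
openssl_conf = openssl_init

[openssl_init]
# Algorithm-level settings that are applied when an application loads the
# configuration, e.g. by calling OPENSSL_config() at start-up.
alg_section = evp_settings

[evp_settings]
# "yes" asks the library to enter FIPS mode while the configuration is loaded,
# the equivalent of the application itself calling FIPS_mode_set(1).
# On a build that is not FIPS capable the configuration load fails with an
# error rather than silently running non-validated crypto.
# Set to "no" (or omit the line) for the default, non-FIPS behaviour.
fips_mode = yes
```

The caveat the author raises is visible here: the setting only takes effect in processes that actually load the configuration (OPENSSL_config() or CONF_modules_load_file()) before using any cryptography, and a program can confirm the outcome by checking that FIPS_mode() returns non-zero. An application that never loads openssl.cnf ignores the switch entirely, which is why source-level support in each application is still needed before the host-wide setting means anything.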
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org