Victor Duchovni wrote:
> On Wed, Dec 17, 2008 at 11:20:08AM -0500, Steve Marquess wrote:
>> However in practice most OpenSSL based applications will require
>> some source code tweaks to run with FIPS mode enabled and claim
>> compliance with the validation requirements. So far (to my
>> knowledge) only Stunnel supports a FIPS mode off the shelf, though
>> patches for mod_ssl and OpenSSH are in circulation. It's my hope
>> that in time such support will be widespread and the global
>> openssl_conf FIPS switch will be usable.
> Can you elaborate on what these "tweaks" may be? I'll certainly
> consider facilitating a site selected FIPS mode in Postfix, ...
I'd be thrilled if you could do that. I tried to cover that topic in
chapter five of the User Guide,
http://www.openssl.org/docs/fips/UserGuide-1.2.pdf. The unusual link
step for static linking is the tricky part, the rest is basically making
sure *all* crypto is done via the FIPS-capable OpenSSL and illegal
crypto operations don't crash or embarrass your app. Please give it a
read and let me know if you have any questions. I'll respond as soon as
I can (am on-site with a client now).
> ... if this is not disruptive to non-FIPS users.
We put a lot of effort into developing FIPS support that could be
enabled at runtime or not for the same binary code, with the FIPS-isms
invisible until enabled. One build, runtime selectable behavior.
-Steve M.
--
Steve Marquess
Open Source Software Institute
marqu...@oss-institute.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org