Re: openssl-fips 1.2 questions

Wed, 17 Dec 2008 15:58:46 -0800 

Victor Duchovni wrote:


FYI, on page 35, Example 5.2b and the text below it are somewhat garbled,
at least in the MacOSX PDF viewer...

- OPENSSL(config(...) instead of OPENSSL_config(...) in the example

  

Had several reports on that, fixing now.

- In the PDF view, the closing ")" of the OPENSSL_config(...) call
  is not visible. It is only visible when one uses copy/paste to
  yank the text.

  

Hmm, looks OK to me in XPDF on Linux. The source document is an ODF file 
and I have had some PDF rendering issues before which went away with OO 
upgrades.

- The 0.9.8i man page for OPENSSL_config, ...

I'll defer to the OpenSSL team but will try to put together some 
strawman documentation.


This likely will need to wait for Postfix 2.7 snapshots in the Spring of
'09, because 0.9.8j is not out yet to validate this approach, and the
documentation is rather incomplete...

The strategy for Postfix would likely be an optional load of an
administrator-specified XXXX_conf section (not performed if not explicitly
set in main.cf), via an administrator specified openssl.cnf file (default
system-wide openssl.cnf). This can enable FIPs mode provided fipscanister
is linked-in, which would be a build-time option. If the "exit on error"
language for OPENSSL_config() is correct, I can't use that, and have to
use CONF_modules_load_file(3) instead.

Does this sound about right?

  

Yes it does. Note also that fipscanister can be referenced via a shared 
library (provided automatically with the FIPS capable 0.9.8j+ OpenSSL). 
I'm checking with Steve Henson on the "exit on error" behavior. It's a 
tricky business disabling disallowed functionality in FIPS mode and the 
existing API doesn't always provide a means to indicate that new type of 
failure. I remember at one point he was pondering both "hard" and "soft" 
error handling. I'd like to encourage the use of OPENSSL_config() as the 
preferred method for enabling FIPS mode. Perhaps a subsequent API call 
to test if FIPS mode was configured but FIPS mode failed...? But IMHO 
the hard failure should still be the default, so we'd need a "Don't exit 
on me, I'll check for failure" call before invoking OPENSSL_config(). 
Hmmm...


-Steve M.

--
Steve Marquess
Open Source Software institute
marqu...@oss-institute.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org






















					Reply via email to