It has already been released.

Pick up the openssl-fips-1.2.tar.gz distribution, and the
openssl-0.9.8j.tar.gz distribution.  Also be aware that you MUST
configure the openssl-fips package *EXACTLY* as described in the
Security Policy.  I am not going to try to reiterate the rules here,
nor the commands you have to type.

http://openssl.org/docs/fips/SecurityPolicy-1.2.pdf

There is also a User Guide available, but anything that it contains
that conflicts with the Security Policy is wrong.

http://openssl.org/docs/fips/UserGuide-1.2.pdf

After you build and install the openssl-fips package, then you can
configure openssl-0.9.8j.  Use the 'fips' option to ./config.

(If you're looking for absolutely every version of OpenSSL that's
released to have FIPS validation, you're not going to get it.  The
process for validation is expensive, on the order of $200,000 for each
validation; the OpenSSL team members are already donating their time
to the project and most likely don't have the cash to donate to the
cause.  As well, the vendor (for validation purposes) is the Open
Source Software Institute, which does not directly manage the OpenSSL
programmers or development effort.  As well, it's taken on average
over a year for each validation.

This is why there's a separate tarball just for the FIPS-validated
module; when in FIPS mode, all cryptography done by the library is
redirected to be performed by the code in the module.)

-Kyle H

On Mon, Jan 19, 2009 at 8:34 AM, joshi chandran
<joshichandran...@gmail.com> wrote:
> Hi All,
>
> Will the OpenSSL community release all of OpenSSL with FIPS support, i.e.
> will the next release of OpenSSL support FIPS capability?
>
> Thanks
>
> Joshi Chandran
>
>
>
> On Mon, Jan 12, 2009 at 7:23 PM, Steve Marquess <marqu...@oss-institute.org>
> wrote:
>>
>> PGNet wrote:
>>>
>>> On Sun, Jan 11, 2009 at 3:42 PM, Steve Marquess
>>> <marqu...@oss-institute.org> wrote:
>>>>
>>>> Long story short, OpenSSH really needs some source mods to
>>>> gracefully invoke and run in FIPS mode.
>>>
>>> Hrm ... I'd have thought that OpenSSH would be among the 1st/best @
>>> compliance.
>>
>> Me too.  I embarked on this FIPS validation adventure some six years ago
>> because my DoD client at the time wanted a FIPS validated OpenSSH.  I
>> wrote a patch several years ago but didn't push it at the time because
>> the first OpenSSL FIPS Object Module validation was still pending, and
>> encountering some significant opposition that took all my attention.
>> Now the OpenSSH patch is not a priority for any of my clients and I
>> don't have the spare time to pursue it.  I'd love to see someone else
>> follow it through.
>>
>> To my knowledge Stunnel is the first application to formally support the
>> FIPS Object Module.  I've been told ProFTP has baselined support as
>> well.  I've heard privately from many people who have done local mods of
>> various applications, but have been disappointed in how slowly this
>> support is appearing publicly.
>>
>>>> Several people, myself included, have created patches to that end.
>>>
>>> Are those specific patches sourced in the openssl trees, the openssh
>>> trees, or somewhere else?  I'll google, but if you have URLs ...
>>
>> I could point you to my original very dated patch but I know there are
>> some more recent updates.  Check the OpenSSH mail archives.
>>
>>>> Of course, if you don't plan to actually run in FIPS mode and just
>>>> need buzzword compliance (often the case) then what you plan should
>>>> work.
>>>
>>> We've gotten a heads-up that a gov't client will require in the next
>>> (soon, though it hasn't occurred just yet ...) contract that SSH/VPN/IPSec/etc.
>>> comms will be required.  Of course, detailed spec, verification, etc. is not
>>> yet available.
>>>
>>> $10 says it's for _their_ buzzword compliance ....
>>
>> Very typical for DoD.  The mandates for *procurement* of validated
>> software are (increasingly) enforced, but there doesn't seem to be any
>> effective push to actually *use* a runtime FIPS mode.  That lack of
>> pressure plus the interoperability issues that FIPS mode can cause means
>> program managers have zero incentive to actually run anything in FIPS
>> mode.  It's a paper chase.
>>
>>> My goal is to get an all-ssh-in-fips-mode setup demo'd locally, then hand
>>> it off to our tech folks so that we can then respond & document when the
>>> demand occurs.
>>
>> Please consider posting your patches to the OpenSSH lists...
>>
>> -Steve M.
>>
>> --
>> Steve Marquess
>> Open Source Software Institute
>> marqu...@oss-institute.org
>>
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-users@openssl.org
>> Automated List Manager                           majord...@openssl.org
>
>
>
> --
> Regards
> Joshi Chandran
>
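Added example, not code from the thread or from the OpenSSL project. Building openssl-0.9.8j with the 'fips' option only makes libcrypto FIPS-capable; the crypto is redirected into the validated module only after the process calls FIPS_mode_set(1) (the 0.9.8 `openssl` utility does that itself when the OPENSSL_FIPS environment variable is set). Since, as Steve notes, procurement checks rarely verify this at runtime, the probe below loads a given libcrypto with dlopen(), resolves FIPS_mode_set()/FIPS_mode() by name so it compiles without OpenSSL headers, and reports whether FIPS mode can actually be entered. The library path is an assumption (it defaults to "libcrypto.so" on the loader search path; the 0.9.8 default install puts it under /usr/local/ssl/lib); the enum names and messages are mine.

```c
/* Added example (not from the thread): probe whether a libcrypto can really
 * enter FIPS mode. Symbols are resolved at runtime so this builds without
 * OpenSSL headers: cc -o fipsprobe fipsprobe.c (add -ldl on older glibc). */
#define _POSIX_C_SOURCE 200809L
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

enum fips_probe {
    FIPS_PROBE_NO_LIBCRYPTO = 0, /* dlopen() failed: library not found/loadable */
    FIPS_PROBE_NOT_FIPS_CAPABLE, /* loaded, but exports no FIPS_mode_set/FIPS_mode */
    FIPS_PROBE_SET_FAILED,       /* FIPS_mode_set(1) returned 0: not built with the
                                    fips option, or the module's self tests /
                                    integrity check failed */
    FIPS_PROBE_IN_FIPS_MODE      /* FIPS_mode_set(1) succeeded and FIPS_mode() == 1 */
};

/* Human-readable result for logs and deployment check scripts. */
const char *fips_probe_name(enum fips_probe r) {
    switch (r) {
    case FIPS_PROBE_NO_LIBCRYPTO:     return "libcrypto could not be loaded";
    case FIPS_PROBE_NOT_FIPS_CAPABLE: return "libcrypto is not FIPS-capable (no FIPS_mode_set)";
    case FIPS_PROBE_SET_FAILED:       return "FIPS_mode_set(1) failed";
    case FIPS_PROBE_IN_FIPS_MODE:     return "FIPS mode entered and confirmed by FIPS_mode()";
    }
    return "unknown";
}

/* libpath: path or soname of the libcrypto to probe; NULL means "libcrypto.so"
 * (assumed default, i.e. whatever the dynamic loader finds first). */
enum fips_probe probe_fips_mode(const char *libpath) {
    void *h = dlopen(libpath ? libpath : "libcrypto.so", RTLD_NOW | RTLD_LOCAL);
    if (!h)
        return FIPS_PROBE_NO_LIBCRYPTO;

    /* The 0.9.8-fips API: int FIPS_mode_set(int onoff); int FIPS_mode(void). */
    int (*fips_mode_set)(int) = NULL;
    int (*fips_mode)(void) = NULL;
    *(void **)(&fips_mode_set) = dlsym(h, "FIPS_mode_set");
    *(void **)(&fips_mode) = dlsym(h, "FIPS_mode");
    if (!fips_mode_set || !fips_mode) {
        dlclose(h);
        return FIPS_PROBE_NOT_FIPS_CAPABLE;
    }

    /* Entering FIPS mode runs the module's power-up self tests and integrity
     * check; trust only FIPS_mode()'s answer, not the presence of the symbol.
     * The handle is deliberately kept open: unloading a libcrypto that has
     * entered FIPS mode is not something this probe wants to exercise. */
    if (!fips_mode_set(1) || fips_mode() != 1)
        return FIPS_PROBE_SET_FAILED;
    return FIPS_PROBE_IN_FIPS_MODE;
}

int main(int argc, char **argv) {
    const char *lib = argc > 1 ? argv[1] : NULL;
    enum fips_probe r = probe_fips_mode(lib);
    printf("%s: %s\n", lib ? lib : "libcrypto.so", fips_probe_name(r));
    /* Exit non-zero unless the process is really in FIPS mode, so a
     * deployment check can fail closed instead of passing on paper. */
    return r == FIPS_PROBE_IN_FIPS_MODE ? 0 : 1;
}
```

Run it as `./fipsprobe /usr/local/ssl/lib/libcrypto.so` (path assumed) on the host you are about to certify; a FIPS_PROBE_SET_FAILED result on a library that was built with 'fips' usually means the module was not built and installed exactly as the Security Policy describes, and the same check belongs in the application itself right after it calls FIPS_mode_set(1).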