> I have a general query regarding FIPS mode.
> I am running a simple openssl https server based on openssl
> that services https requests from Windows clients.

Is it in FIPS mode, yes or no? If not, then you cannot claim it is FIPS compliant.

> I have the following setting in my windows XP "Use FIPS compliant
> algorithms for encryption, hashing and signing set to 1".

This does exactly what it says. It forces XP system components to only use FIPS-compliant *algorithms*. Note that using FIPS-compliant algorithms is one requirement for FIPS compliance, but it is far from the only one.

> Using IE on a windows xp client with the above setting I am able to
> communicate with an openssl command line https server. I don't have
> FIPS enabled on my openssl command line tool. Then how come I am able
> to handle requests from a windows machine which has the FIPS setting set to 1.

The premise on which this question is based is simply completely incorrect. FIPS is not a remote interrogation protocol. It's a way of ensuring that cryptographic algorithms, as used in an endpoint, are secure and reliable. Everything is working because the Windows machines are certified secure and reliable and the server hasn't failed. That's all that's required for things to work.

My bank can have the best security in the world, and I can write my ATM PIN on my card and leave it at the local McDonald's. The bank can be super secure and can still interoperate with morons.

> Now is it ok to say I am FIPS compliant on the server side because I
> am handling FIPS requests from clients?

No. A FIPS-compliant endpoint will not use non-FIPS-allowed algorithms. But there is much more to FIPS compliance than simply using only permitted algorithms.

DS
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
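The reply above turns on one question, "is the server's openssl in FIPS mode, yes or no?", and on the property that a FIPS-mode endpoint refuses non-approved algorithms. The script below is an added example, not code from the original post or from the OpenSSL project: it answers that question for the local `openssl` binary by asking it to compute an MD5 digest (not FIPS-approved) and a SHA-256 digest (approved) and comparing the outcomes. It assumes an `openssl` binary on PATH; `OPENSSL_FIPS=1` in the environment makes a FIPS-capable OpenSSL 1.0.x command-line tool call `FIPS_mode_set(1)` at startup and is ignored by builds without the FIPS module, while an OpenSSL 3.x build configured for the fips provider only will likewise refuse MD5. The function names (`classify_probe`, `probe_digest`, `openssl_fips_state`) and the verdict strings are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenSSL project):
# decide "is this openssl in FIPS mode, yes or no?" for the local binary.
# Principle from the thread: a FIPS-mode endpoint will not use a
# non-FIPS-allowed algorithm, so if MD5 works, the endpoint is NOT in
# FIPS mode, regardless of what any client has been configured to require.
# Assumes an `openssl` binary on PATH. Function and verdict names are ours.

# Turn two probe exit codes into a verdict.
#   $1 = exit status of an MD5 digest (non-approved algorithm)
#   $2 = exit status of a SHA-256 digest (approved algorithm)
classify_probe() {
    md5_rc=$1
    sha_rc=$2
    if [ "$sha_rc" -ne 0 ]; then
        # Even the approved algorithm failed: the tool could not run at all,
        # e.g. FIPS_mode_set(1) failed because no FIPS module is present.
        echo "fips-enable-failed"
    elif [ "$md5_rc" -ne 0 ]; then
        # Approved algorithm works, non-approved one is refused: FIPS mode.
        echo "fips"
    else
        # MD5 was accepted, so this end is not in FIPS mode.
        echo "non-fips"
    fi
}

# Run one digest through the CLI and print only its exit status (0 or 1).
# OPENSSL_FIPS=1 asks a FIPS-capable 1.0.x `openssl` app to enable FIPS
# mode at startup; other builds ignore the variable.
probe_digest() {
    bin=$1
    alg=$2
    if printf 'probe' | OPENSSL_FIPS=1 "$bin" dgst "-$alg" >/dev/null 2>&1; then
        echo 0
    else
        echo 1
    fi
}

# Verdict for a given binary (default: the `openssl` found on PATH).
# Always exits 0; the verdict is the printed word.
openssl_fips_state() {
    bin=${1:-openssl}
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo "missing"
        return 0
    fi
    classify_probe "$(probe_digest "$bin" md5)" "$(probe_digest "$bin" sha256)"
}

echo "local openssl: $(openssl_fips_state "$@")"
```

Run it on the server host; a verdict of `non-fips` means the MD5 probe succeeded, which by the reply's own criterion rules out any FIPS claim for that endpoint no matter how the Windows clients are configured. A `fips` verdict only shows that this one necessary condition holds, not that the server is FIPS compliant.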