Kyle Hamilton wrote:
> On Mon, Mar 2, 2009 at 1:49 PM, Dr. Stephen Henson
> <st...@openssl.org> wrote:
> > ... The set of FIPS compatible ciphersuites is represented by the
> > string "FIPS".
> >
> > In FIPS mode you cannot select any other ciphersuites: non FIPS
> > ciphersuites are disabled.
>
> Would it make any sense to allow an administrator to attempt to
> ensure FIPS-compliant mode via the use of the "FIPS" protocol string,
> making it an error if the library is not in FIPS mode?

Ummm, I'd say no. I've found the FIPS designation handy for checking to
see if applications work with FIPS compatible algorithms, without being
in FIPS mode or using validated software. Ironically I was doing that
very check on a DoD web server just as your message arrived.
Note that while procurement of FIPS validated software is formally
mandated in DoD, compliance is spotty. But even where non-validated
crypto is used the FIPS compatible algorithms should still be utilized.
Compliance in that regard is better, though still far from universal. I
configure all crypto I work on for my DoD clients to use only the FIPS
compatible algorithms. If nothing else that will ease an eventual
transition to validated software.

> In FIPS mode, can specific FIPS-validated ciphers be enabled or
> disabled after the "FIPS" protocol string is provided?

Yes, and I'd argue that is as it should be. The "FIPS" label in that
context is just shorthand for a set of algorithms.
-Steve M.
--
Steve Marquess
Veridical Systems, Inc.
marqu...@veridicalsystems.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
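
Added example, not part of the message above and not OpenSSL project code: a Python sketch that asks the locally linked OpenSSL which ciphersuites the "FIPS" string selects, then narrows that set with a further term. It assumes a Python build linked against OpenSSL 1.1.0 or later; the function names and the "FIPS:!AES128" refinement are illustrative choices.

```python
import ssl


def expand(cipher_string):
    """Names of the TLS 1.2-and-below suites the local OpenSSL selects.

    Nothing here switches the library into FIPS mode: the "FIPS"
    string is only used as a selector for a set of algorithms.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately from the cipher string,
    # so they are left out of the comparison.
    return {c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"}


def is_fips_compatible(suite_name):
    """True if suite_name is in the local "FIPS" set."""
    return suite_name in expand("FIPS")


def audit(negotiated_suites):
    """Split observed suite names into (compatible, not_compatible)."""
    fips = expand("FIPS")
    ok = sorted(s for s in negotiated_suites if s in fips)
    bad = sorted(s for s in negotiated_suites if s not in fips)
    return ok, bad


if __name__ == "__main__":
    fips = expand("FIPS")
    narrowed = expand("FIPS:!AES128")  # refine after the "FIPS" term
    print(len(fips), "suites selected by FIPS")
    print(len(narrowed), "left after removing AES-128 suites")
    # Constructed sample of suite names, as a server scan might report.
    sample = ["ECDHE-RSA-AES256-GCM-SHA384",
              "ECDHE-RSA-CHACHA20-POLY1305"]
    print(audit(sample))
```

To check a live server the same way, pass the cipher string to the client context used for the connection and compare the negotiated suite against the set returned by expand("FIPS").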