Team,

In the NIST list of FIPS 140-2 certified products & algorithms I do not see OpenSSL on that list. Are you embedding (hope) a certified product and/or algorithm that I am unaware of? This for us has become a hot item. Is it possible that I could get an answer from someone today or over the weekend? Any insight you can provide is greatly appreciated.
Steve Lovette

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Steve Marquess
Sent: Monday, March 09, 2009 7:23 AM
To: openssl-users@openssl.org
Subject: Re: FIPS

Kyle Hamilton wrote:
> On Mon, Mar 2, 2009 at 1:49 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
> > ... The set of FIPS compatible ciphersuites is represented by the string "FIPS".
> >
> > In FIPS mode you cannot select any other ciphersuites: non-FIPS ciphersuites are disabled.
>
> Would it make any sense to allow an administrator to attempt to ensure FIPS-compliant mode via the use of the "FIPS" protocol string, making it an error if the library is not in FIPS mode?

Ummm, I'd say no. I've found the FIPS designation handy for checking to see if applications work with FIPS compatible algorithms, without being in FIPS mode or using validated software. Ironically I was doing that very check on a DoD web server just as your message arrived.

Note that while procurement of FIPS validated software is formally mandated in DoD, compliance is spotty. But even where non-validated crypto is used the FIPS compatible algorithms should still be utilized. Compliance in that regard is better, though still far from universal. I configure all crypto I work on for my DoD clients to use only the FIPS compatible algorithms. If nothing else that will ease an eventual transition to validated software.

> In FIPS mode, can specific FIPS-validated ciphers be enabled or disabled after the "FIPS" protocol string is provided?

Yes, and I'd argue that is as it should be. The "FIPS" label in that context is just shorthand for a set of algorithms.

-Steve M.

--
Steve Marquess
Veridical Systems, Inc.
marqu...@veridicalsystems.com

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
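A check of the kind Steve Marquess describes, seeing whether a configured cipher list stays within the FIPS compatible algorithms without running in FIPS mode, as an added example that is not from the thread or from OpenSSL itself: it parses `openssl ciphers -v` output (a constructed sample is embedded) and flags each suite whose key exchange, authentication, cipher or MAC falls outside an assumed FIPS 140-2 era approved set. The approved sets below are my approximation of what the "FIPS" cipher string selects, not OpenSSL's exact alias.

```python
import re

# Constructed sample of `openssl ciphers -v` output (made up for this example,
# not taken from the thread); the columns follow the real tool's layout.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA    SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES128-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA          SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5               SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
ADH-AES128-SHA        SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
EXP-DES-CBC-SHA       SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
NULL-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
"""

# Assumed approximation of the FIPS-compatible set (FIPS 140-2 era).
FIPS_KX = {"RSA", "DH", "ECDH"}
FIPS_AU = {"RSA", "DSS", "ECDSA"}
FIPS_ENC = {"AES", "3DES"}
FIPS_MAC = {"SHA1", "SHA256", "SHA384"}

LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)(.*)$")

def parse_cipher_line(line):
    """Split one `openssl ciphers -v` line into its fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised cipher line: %r" % line)
    name, proto, kx, au, enc, mac, rest = m.groups()
    return {"name": name, "proto": proto, "kx": kx, "au": au,
            "enc": enc, "mac": mac, "export": "export" in rest}

def fips_reason(c):
    """Return None if the suite is FIPS-compatible, else why it is not."""
    if c["export"] or "(" in c["kx"]:            # e.g. Kx=RSA(512), export grade
        return "export-grade key exchange"
    if c["kx"] not in FIPS_KX:
        return "unapproved key exchange %s" % c["kx"]
    if c["au"] not in FIPS_AU:                   # Au=None is anonymous
        return "unapproved authentication %s" % c["au"]
    if c["enc"].split("(")[0] not in FIPS_ENC:   # RC4, DES, None, ...
        return "unapproved cipher %s" % c["enc"]
    if c["mac"] not in FIPS_MAC:                 # MD5
        return "unapproved MAC %s" % c["mac"]
    return None

def audit_cipher_list(text):
    """Map each suite name to None (compatible) or its rejection reason."""
    suites = [parse_cipher_line(l) for l in text.splitlines() if l.strip()]
    return {c["name"]: fips_reason(c) for c in suites}
```

Run it against real output with `audit_cipher_list(subprocess.check_output(["openssl", "ciphers", "-v", "YOUR-CIPHER-STRING"], text=True))` to see which suites your configuration would lose in FIPS mode.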