Roger No-Spam wrote:
> When building openssl in FIPS 140-2 mode, the MD5 algorithm is
> not available for use. There are, however, several RFCs that mandate
> the use of MD5. Would it be possible to partition a system into a
> FIPS 140-2 part (more security critical parts, e.g. SSL) and one other
> part that can include support for RFCs that mandate MD5 (e.g. TCP MD5
> checksum option, PPP CHAP, etc.). Would it be possible to FIPS 140-2
> validate such a system? What would the requirements be regarding the
> partitioning?

Simply disable all those things in FIPS mode. There is no requirement that your system be useful in FIPS mode, only that it be secure. That is what everyone else does.

For example, the first Windows versions to support high-security modes disabled all networking devices and all removable media devices. Linux requires you to remove the power cord.

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org