On Wed, Sep 29, 2010, anmajumd wrote:

> We are trying to generate the hash of the subject name in certificates in
> fips mode by using the "openssl x509 hash" command. Apparently this utility
> uses md5 algorithm to calculate the hash of the subject name and therefore
> this operation is not allowed in FIPS mode.
>

The way MD5 is used for certificate hashes is not cryptographic: it is just
used as a way of generating a 32 bit value from a DN and a full comparison is
used later so weakness of the hash is not a security concern. As a result it is
allowed in FIPS mode: we did specifically ask about this issue.

> My question is, is there any flag that can be set in the environment or the
> OpenSSL config file that would allow subject name hash operation in FIPS
> mode? I know there is a flag that can be used programmatically -
> EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW). But I am
> concerned about using the OpenSSL binary and allow the hash operation by it
> in FIPS mode. What would be the way to achieve that?
>

The function X509_NAME_hash() sets that flag so it should work in FIPS mode
already.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
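
The lookup pattern described in the reply above, as an added Python sketch (not part of the original thread and not OpenSSL's code): a 32 bit value taken from MD5 picks a bucket, and a full name comparison decides the match. Assumptions: the SubjectIndex class, the sample names and file labels are hypothetical, the 32 bit value is the first four digest bytes read little-endian, and the names are plain byte strings standing in for DER-encoded DNs.

```python
import hashlib
from collections import defaultdict

def name_hash(der_name: bytes) -> int:
    """32-bit lookup value: first four MD5 bytes, little-endian (assumed order)."""
    # usedforsecurity=False (Python 3.9+) declares the digest non-cryptographic,
    # the same idea as the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag in the thread.
    digest = hashlib.md5(der_name, usedforsecurity=False).digest()
    return int.from_bytes(digest[:4], "little")

class SubjectIndex:
    """Hypothetical certificate store: bucket by hash, then compare full names."""

    def __init__(self, hash_fn=name_hash):
        self.hash_fn = hash_fn
        self.buckets = defaultdict(list)

    def add(self, der_name: bytes, cert_label: str) -> str:
        h = self.hash_fn(der_name)
        self.buckets[h].append((der_name, cert_label))
        # Slot name in the style of hashed certificate directories: <hash>.<n>
        return f"{h:08x}.{len(self.buckets[h]) - 1}"

    def find(self, der_name: bytes):
        # The hash only narrows the search. The match is decided by comparing
        # the complete name, so a collision cannot select the wrong certificate.
        for stored, label in self.buckets.get(self.hash_fn(der_name), []):
            if stored == der_name:
                return label
        return None

# Constructed sample names (stand-ins for DER-encoded subject DNs).
CA_A = b"C=US, O=Example Org, CN=Example Root A"
CA_B = b"C=US, O=Example Org, CN=Example Root B"

def demo_forced_collision():
    # Worst case for the hash: every name lands in the same bucket.
    idx = SubjectIndex(hash_fn=lambda _name: 0)
    slots = (idx.add(CA_A, "root-a.pem"), idx.add(CA_B, "root-b.pem"))
    return slots, idx.find(CA_A), idx.find(CA_B), idx.find(b"CN=Unknown")

if __name__ == "__main__":
    idx = SubjectIndex()
    print(idx.add(CA_A, "root-a.pem"), idx.find(CA_A))
    print(demo_forced_collision())
```

Even with every name forced into one bucket, each lookup still returns the right certificate or nothing, which is why the strength of the digest does not matter here.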