Thanks Steve. So, that means, I don't need to add FIPS_rand_* function. For DH key exchange algorithm, do I need to explicitly disable calling of DH function in my code if it is in FIPS? Or is there any DH algorithms loading issue in openssl-fips-1.2 that I am consuming?
Thanks, ~Vimol On Mon, Jan 23, 2012 at 10:21 PM, Dr. Stephen Henson <st...@openssl.org>wrote: > On Mon, Jan 23, 2012, Vimol Kshetrimayum wrote: > > > Hi, > > > > > > I have an application which uses RSA or Diffie Hellman (DH) algorithms > for > > key exchange and RAND_seed and RAND_bytes to generate pseudo random > number. > > > > > > Now, I have added FIPS_mode_set(1) to enable FIPS. As per openSSL-fips > > security policy document, my expectation is DH and RAND_seed and > > RAND_bytesfunction should not be loaded in FIPS mode. However, these > > functions are > > loaded and still working fine even in FIPS mode. > > > > > > Is this expected behaviour? > > > > > > If I want to disable all the non FIPS approved algorithms what is the > best > > practice? > > > > > > I am consuming openSSL-fips-1.2.0 and openSSL-9.8r. > > > > When FIPS mode is enabled the RAND functions are redirected to an FIPS > approved PRNG. > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org >
