The term 'FIPS compliant' does not refer to the software capability, but to the implementation used to perform the cryptographic operations. If only one end of your connection is in FIPS mode then the full end to end path is not necessarily FIPS compliant. In fact, without some out-of-band mechanism there is no way to determine what implementation is being used on the other end since the wire protocol is the same. Otherwise the most you can say is that your end of the connection is FIPS compliant.
You can still utilize FIPS approved algorithms without guaranteeing FIPS compliance. .................................... Erik Tkal Juniper OAC/UAC/Pulse Development From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of mclellan, dave Sent: Tuesday, November 13, 2012 4:26 PM To: openssl-users@openssl.org Subject: OpenSSL/FIPS Object Module and FIPS compliance - testing some assertions We are starting our FIPS implementation soon (FIPS OM 2.0 and OpenSSL 1.0.1) and I'd like to test out this set of assumptions (or maybe they are 'assertions') - In the context of OpenSSL, FIPS compliance is all about algorithm choice. In FIPS mode (FIPS_mode_set() returns success), weaker algorithms are disabled and OpenSSL returns an error if use of them is attempted in FIPS mode. - As long as one side of the connection insists that FIPS-approved algorithms be used, and as long as the other side is capable and agrees, then the two negotiate only a FIPS-approved algorithm. o Both sides might be implemented with OpenSSL, but only one of them has to be running in FIPS mode for the negotiation to choose a FIPS algorithm. o If one side is not implemented with OpenSSL, the same is still true: as long as it can negotiate a shared cipher with an process running in FIPS-mode, FIPS compliance is still achieved. - Technically the phrase 'FIPS compliant' refers to the software capability; it does not describe the quality of an end-to-end connection. That is, if a running program is 'FIPS-compliant' it will insure that a safe connection will be negotiated, where 'safe connection' means 'a connection using a FIPS-approved algorithm'. Having written these, they now seem like dumb questions, but I'd rather have affirmation of assertions and appear dumb than do the wrong thing based on a wrong assumption. Thanks for your advice (Steve...) +-+-+-+-+-+-+ Dave McLellan, Symmetrix Software Engineering EMC Corporation, 176 South St, Hopkinton MA Mail Stop 176-B1 1/P-36 office 508-249-1257, fax 508-497-8027 cell 978-500-2546 +-+-+-+-+-+-+
