On Wed, Jan 28, 2015, Tom Francis wrote:
>
> Actually, I was thinking of the 1.x FIPS module, and OpenSSL 0.9.8, where
> OpenSSL would prevent disallowed algorithms from being used, but only if you
> used the EVP interfaces. You could, for example, invoke MD5 directly. Did
> that change with 2.x
> On Jan 28, 2015, at 8:47 AM, Dr. Stephen Henson wrote:
>
> On Wed, Jan 28, 2015, jone...@teksavvy.com wrote:
>
>> On Mon, 26 Jan 2015 22:35:12 -0500
>> Tom Francis wrote:
>>
>> Thanks for the detailed comments. I understand the concerns, although
>> there's one thing I do not see clearly,
On 01/28/2015 08:31 AM, jone...@teksavvy.com wrote:
> ...
>
>> We have not done any validations that satisfy the various new
>> requirements introduced in late 2013 and early 2014. New validations
>> are very expensive, in dollars, time, and grief, and we don't have the
>> necessary financial back
On Wed, Jan 28, 2015, jone...@teksavvy.com wrote:
> On Mon, 26 Jan 2015 22:35:12 -0500
> Tom Francis wrote:
>
> Thanks for the detailed comments. I understand the concerns, although
> there's one thing I do not see clearly, that is:
>
> > 2) Applications that don’t know they’re operating i
On Mon, 26 Jan 2015 22:35:12 -0500
Tom Francis wrote:
> This is a bad idea. It can generally be done, and it’s probably not
> even too hard (for some uses, anyway). But it’s a bad idea. Here’s
> why:
Thanks for the detailed comments. I understand the concerns, although
there's one thing I do
On Tue, 27 Jan 2015 14:13:57 -0500
Steve Marquess wrote:
> The user guide documents that correctly. For the OpenSSL FIPS Object
> Module 2.0 (#1747) the FIPS mode of operation is enabled with
> FIPS_mode_set(). There is no "library startup"; you keep confusing
> past validations with new ones.
O
On 01/27/2015 11:09 AM, jonetsu wrote:
> "Steve Marquess" wrote on 01/27/15 09:18: Thank
> you (and Tom) for your comments - much appreciated.
>
>> Tom Francis nailed the answer to this one. We did design the FIPS
>> module + "FIPS capable" OpenSSL combination to make it possible to
>> have a syst
"Steve Marquess" wrote on 01/27/15 09:18:
Thank you (and Tom) for your comments - much appreciated.
> Tom Francis nailed the answer to this one. We did design the FIPS module
> + "FIPS capable" OpenSSL combination to make it possible to have a
> system wide "FIPS mode" capability, but that presume
On 01/26/2015 06:21 PM, jone...@teksavvy.com wrote:
> On Fri, 16 Jan 2015 10:16:48 -0500
> Steve Marquess wrote:
>
>> On 01/15/2015 05:52 AM, Marcus Meissner wrote:
>
>>> On Linux usually triggered by /proc/sys/crypto/fips_enabled
>>> containing "1" or the environment variable
>>> OPENSSL_FORCE_
> On Jan 26, 2015, at 6:21 PM, jone...@teksavvy.com wrote:
>
> On Fri, 16 Jan 2015 10:16:48 -0500
> Steve Marquess wrote:
>
>> On 01/15/2015 05:52 AM, Marcus Meissner wrote:
>
>>> On Linux usually triggered by /proc/sys/crypto/fips_enabled
>>> containing "1" or the environment variable
>>> OPE
On Fri, 16 Jan 2015 10:16:48 -0500
Steve Marquess wrote:
> On 01/15/2015 05:52 AM, Marcus Meissner wrote:
>> On Linux usually triggered by /proc/sys/crypto/fips_enabled
>> containing "1" or the environment variable
>> OPENSSL_FORCE_FIPS_MODE=1 (at least for the certs done by SUSE and
>> Redhat,
On 01/15/2015 05:52 AM, Marcus Meissner wrote:
> On Thu, Jan 15, 2015 at 05:46:22AM -0500, jone...@teksavvy.com
> wrote:
>> On Tue, 13 Jan 2015 21:33:49 -0500 "jone...@teksavvy.com"
>> wrote:
>>
>>> So basically every app that uses libssl will have to be modified
>>> to add a FIPS_mode_set() call
On Thu, Jan 15, 2015 at 05:46:22AM -0500, jone...@teksavvy.com wrote:
> On Tue, 13 Jan 2015 21:33:49 -0500
> "jone...@teksavvy.com" wrote:
>
> > So basically every app that uses libssl will have to be modified to
> > add a FIPS_mode_set() call near the beginning. Is that right ?
>
> Is there a
On Tue, 13 Jan 2015 21:33:49 -0500
"jone...@teksavvy.com" wrote:
> So basically every app that uses libssl will have to be modified to
> add a FIPS_mode_set() call near the beginning. Is that right ?
Is there a way to automatically have the FIPS test executed when an
application loads the libra
14 matches