Thor Lancelot Simon wrote:

On Mon, Sep 08, 2003 at 10:49:02AM -0600, Tolga Acar wrote:


On second thought, given that there is no key management algorithm certified, how would one set up an SSL connection in FIPS mode?

It seems to me that it is not possible to have a FIPS 140 certified SSL/TLS session using OpenSSL's certification.



SSL's not certifiable, period.


I realize that FIPS 140 addresses crypto modules with cryptographic algorithms, not protocols like SSL.
Although in "cryptomodule" terms "SSL's not certifiable" is not necessarily a correct claim. You can certainly certify one big module including cryptography, including the entire SSL protocol, for FIPS 140. That would be somewhat bizarre, though.
But that's not my point. The question was, how would one claim that he is using FIPS certified cryptography *under* OpenSSL if the crypto layer does not have a FIPS certified key management (read: RSA) algorithm?


TLS has been held to be certifiable, and products using TLS have been
certified.  However, it's necessary to disable any use of MD5 in the
certificate validation path.  When I had a version of OpenSSL certified
for use in a product at my former employer, I had to whack the OpenSSL
source to throw an error if in FIPS mode and any part of the certificate
validation path called the MD5 functions.  Perhaps this has been done
in the version currently undergoing certification.  You'll also need

Yeah, been there.
I think my current company (Novell) suggested that, not sure what happened.

certificates that use SHA1 as the signing algorithm, which some public
CAs cannot provide (though most can, and will if the certificate request
itself uses SHA1 as the signing algorithm).

Well, that is sort of my point.
SHA1 is not a signature algorithm, sha1-with-rsa is, and since RSA is not a certified algorithm in OpenSSL's FIPS 140 certification, sha1-with-rsa isn't, either.
Perhaps my understanding of the OpenSSL FIPS 140 certification is not entirely accurate.


The use of MD5 in the TLS protocol itself is okay, because it is always
used in combination with SHA1 in the PRF.  We got explicit guidance from
NIST on this issue.

Yes, but I am addressing signature generation and verification, and more importantly key exchange: encrypting the PMS and such.


Thor


- Tolga



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]