On 06/25/2012 03:37 PM, Stefan Fritsch wrote: > ... >> >> One complication to keep in mind: when you don't do all your >> cryptography via a specific crypto library (OpenSSL, NSS, etc.) >> then FIPS 140-2 compliance goes from trivial (for 2.4) to messy. >> Not generally a problem outside of the U.S., but it very much >> matters anywhere in the U.S. government market. > > The APR-MD5 password hashing is already implemented in apr-util and > does not use an external crypto library. Would another password hashin > algorithm chang anything? Or is it already necessary for FIPS > compliance to patch apr-util or httpd?
MD5 isn't allowed in FIPS mode (with the peculiar exception of use for TLS proper). Note that the "FIPS capable" OpenSSL (OpenSSL built with the "fips" build time option in the presence of a validated FIPS module) will automatically disable use of disallowed cryptography when the FIPS mode of operation is enabled. The awkward thing about FIPS 140-2 validated cryptography is that it offers absolutely no tangible advantage over otherwise comparable non-validated cryptographic implementations -- it isn't more secure, performance isn't better, and so forth. There is only one reason to use it: because such use is mandated for certain environments. But, one of those environments (U.S. government) is a huge market. As a consultant I've been paid good money for many years to hack FIPS 140-2 (and other kinds) of compliance into open source products like mod_ssl and OpenSSH. That patching is getting easier over time but is still necessary for many such products. An open source based FIPS validated module is available for use by anyone at no cost (the OpenSSL FIPS Object Module 1.2, soon to be joined by 2.0). But, the need to patch many OSS products to use it is a deterrent to many end users. Make it easy to build a FIPS compliant httpd without patches and help put consultants like me out of business :-) -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct [email protected] [email protected]
