Hi Zach,

the OpenSSL FIPS 2.0 User Guide

http://www.openssl.org/docs/fips/UserGuide-2.0.pdf

says in section 5.2 FIPS Mode Initialization:

  The FIPS_mode_set() function call when invoked with any positive
  argument will enable the FIPS mode of operation. Depending on the
  argument it may also enable additional restrictions. For example,
  an argument of 1 will enable the basic FIPS mode where all FIPS
  approved algorithms are available. An argument of FIPS_SUITEB(2)
  will restrict the available algorithms to those allowed by the
  Suite B specification.

But using openssl-fips with strongSwan I see that 3DES still can be
used with fips_mode = 2, although 3DES is not a Suite B algorithm.
See ipsec listalgs:

http://www.strongswan.org/uml/testresults/openssl-ikev2/rw-suite-b-128/moon.listall

So your observation is true, that there is no difference between
the settings 1 and 2.

Best regards

Andreas

On 23.12.2013 16:56, Zachery Stoddard wrote:
> I've (quickly) scoured the source and the documentation, but I can't
> determine the use of fips_mode = 1 (enabled) vs 2 (suite b enabled)? At
> first glance there doesn't appear to be any difference/distinction
> between the two.
>
> Could someone shed a little light on this subject?
>
> ~Zach
>

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
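Added example, not part of the original message and not strongSwan code: a Python check that parses `ipsec listalgs`-style output and reports registered IKE algorithms outside the Suite B set, the condition observed above for 3DES with fips_mode = 2. The allow-list (strongSwan names for the IKEv2 transforms in RFC 6379) and the sample text are assumptions constructed for illustration.

```python
import re

# Assumption: strongSwan transform names for the IKEv2 algorithms that
# RFC 6379 (Suite B for IPsec) specifies; other categories are not judged.
SUITE_B_IKE = {
    "encryption": {"AES_CBC"},
    "integrity": {"HMAC_SHA2_256_128", "HMAC_SHA2_384_192"},
    "prf": {"PRF_HMAC_SHA2_256", "PRF_HMAC_SHA2_384"},
    "dh-group": {"ECP_256", "ECP_384"},
}

ENTRY = re.compile(r"([A-Za-z0-9_]+)\[([^\]]+)\]")   # NAME[plugin]
LABEL = re.compile(r"^\s*([a-z-]+):\s*(.*)$")        # "  category: ..."

def parse_listalgs(text):
    """Return {category: [(algorithm, plugin), ...]} from listalgs-style text."""
    algs, current = {}, None
    for line in text.splitlines():
        m = LABEL.match(line)
        if m:
            current, rest = m.group(1), m.group(2)
        else:
            rest = line  # wrapped continuation of the previous category
        if current is None:
            continue     # still in the heading, before the first category
        algs.setdefault(current, []).extend(ENTRY.findall(rest))
    return algs

def non_suite_b(algs):
    """Return sorted (category, algorithm, plugin) entries outside the allow-list."""
    return sorted((cat, name, plugin)
                  for cat, allowed in SUITE_B_IKE.items()
                  for name, plugin in algs.get(cat, []) if name not in allowed)

# Constructed sample in the style of `ipsec listalgs`; not captured output.
SAMPLE = """\
List of registered IKE algorithms:
  encryption: AES_CBC[openssl] 3DES_CBC[openssl]
  integrity:  HMAC_SHA2_256_128[openssl] HMAC_SHA2_384_192[openssl]
              HMAC_SHA1_96[openssl]
  hasher:     HASH_SHA256[openssl] HASH_SHA384[openssl]
  prf:        PRF_HMAC_SHA2_256[openssl] PRF_HMAC_SHA2_384[openssl]
  dh-group:   ECP_256[openssl] ECP_384[openssl] MODP_2048[openssl]
"""

if __name__ == "__main__":
    for cat, name, plugin in non_suite_b(parse_listalgs(SAMPLE)):
        print(f"{cat}: {name} (plugin {plugin}) is outside the Suite B set")
```

The listing does not show key sizes, so the check covers algorithm families only; a non-empty result means the library-level mode setting did not restrict what the daemon can negotiate, and the proposal configuration has to do that instead.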
