On Mar 6, 2011, at 4:22 PM, Simon L. B. Nielsen wrote:
On 3 Mar 2011, at 18:23, Alexander Sack wrote:
On Mon, Feb 28, 2011 at 7:33 PM, Alexander Sack
<[email protected]> wrote:
Hello:
I am a bit confused! I am reading the FIPS user guide and the
following document:
http://www.openssl.org/docs/fips/fipsnotes.html
I quote
"If even the tiniest source code or build process changes are
required
for your intended application, you cannot use the open source based
validated module directly. You must obtain your own validation. This
situation is common; see "Private Label" validation, below. "
Also, the openssl distribution has to match the right PGP keys.
So to those who are more of Openssl/FIPS experts than I, I have some
basic questions:
1) I assume if it impossible to make a FIPS capable openssl
distribution straight out of the FreeBSD source tree without
"Private
Validation" as defined in the document above? (i.e. you can
certainly
build it this way but you are violating the guidelines for FIPS
Compliance or do the maintainers out of src/crypto/openssl ENSURE
that
the distro in that tree is equivalent to the openssl distro, even
for
PGP key checks?)
[...]
I guess to put things more simply:
Is the distribution integrated within the FreeBSD source tree been
validated against its PGP keys so it can be built FIPS capable?
For all the imports I did of OpenSSL to the FreeBSD base system
(which means any OpenSSL import since FreeBSD 7.0), the PGP key for
the source tar was verified. That said, in the FreeBSD base system
totally replace the OpenSSL build system and 'manually' apply fixes
for the OpenSSL security issues we certainly don't build OpenSSL
unmodified.
I never had a reason to look at OpenSSL FIPS, so I don't really know
if it's possible to get it working on FreeBSD, but it's possible you
can manually build and install stock OpenSSL by hand.
--
Simon L. B. Nielsen
Hats: Ex-OpenSSL maintainer, FreeBSD Deputy Security Officer
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]
"
I've been running OpenSSL FIPS for several years now on FreeBSD so
it's certainly possible. It's not terribly hard to compile but I
wouldn't do it through the ports. Download the source ( I used the 0.9
source ) and FIPS instructions and compile by hand.
Certifying your installation through NIST is an entirely different
matter. My company elected to put off the process until we had a
contract to justify the expense and time involved. You'll have to dig
for it, but the NIST website has details on the process.
Best of luck,
Jason Williams
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"
