On Sun, Mar 6, 2011 at 5:16 PM, jw011235 <[email protected]> wrote: > > On Mar 6, 2011, at 4:22 PM, Simon L. B. Nielsen wrote: > >> >> On 3 Mar 2011, at 18:23, Alexander Sack wrote: >> >>> On Mon, Feb 28, 2011 at 7:33 PM, Alexander Sack <[email protected]> >>> wrote: >>>> >>>> Hello: >>>> >>>> I am a bit confused! I am reading the FIPS user guide and the >>>> following document: >>>> >>>> http://www.openssl.org/docs/fips/fipsnotes.html >>>> >>>> I quote >>>> >>>> "If even the tiniest source code or build process changes are required >>>> for your intended application, you cannot use the open source based >>>> validated module directly. You must obtain your own validation. This >>>> situation is common; see "Private Label" validation, below. " >>>> >>>> Also, the openssl distribution has to match the right PGP keys. >>>> >>>> So to those who are more of Openssl/FIPS experts than I, I have some >>>> basic questions: >>>> >>>> 1) I assume if it impossible to make a FIPS capable openssl >>>> distribution straight out of the FreeBSD source tree without "Private >>>> Validation" as defined in the document above? (i.e. you can certainly >>>> build it this way but you are violating the guidelines for FIPS >>>> Compliance or do the maintainers out of src/crypto/openssl ENSURE that >>>> the distro in that tree is equivalent to the openssl distro, even for >>>> PGP key checks?) >> >> [...] >>> >>> I guess to put things more simply: >>> >>> Is the distribution integrated within the FreeBSD source tree been >>> validated against its PGP keys so it can be built FIPS capable? >> >> For all the imports I did of OpenSSL to the FreeBSD base system (which >> means any OpenSSL import since FreeBSD 7.0), the PGP key for the source tar >> was verified. That said, in the FreeBSD base system totally replace the >> OpenSSL build system and 'manually' apply fixes for the OpenSSL security >> issues we certainly don't build OpenSSL unmodified. >> >> I never had a reason to look at OpenSSL FIPS, so I don't really know if >> it's possible to get it working on FreeBSD, but it's possible you can >> manually build and install stock OpenSSL by hand. >> >> -- >> Simon L. B. Nielsen >> Hats: Ex-OpenSSL maintainer, FreeBSD Deputy Security Officer >> >> _______________________________________________ >> [email protected] mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-security >> To unsubscribe, send any mail to >> "[email protected]" > > > I've been running OpenSSL FIPS for several years now on FreeBSD so it's > certainly possible. It's not terribly hard to compile but I wouldn't do it > through the ports. Download the source ( I used the 0.9 source ) and FIPS > instructions and compile by hand. > > Certifying your installation through NIST is an entirely different matter. > My company elected to put off the process until we had a contract to justify > the expense and time involved. You'll have to dig for it, but the NIST > website has details on the process.
Wait, is NIST cert required to be FIPS capable? I don't think so. -aps _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[email protected]"
