Hi Noam,

Currently we're using mod_nss and we're seriously considering using mod_ssl with FIPS-compliant OpenSSL (which we'll compile ourselves).

BTW, mod_nss is not in a great place either (FIPS-wise). The versions certified are not very recent, and there are newer versions of mod_nss which are not FIPS certified yet (at least the last time I checked).

Best regards,
Noam Meltzer

On Wed, Jan 20, 2010 at 3:45 PM, Noam Rathaus <no...@beyondsecurity.com> wrote:
> Hi Noam,
>
> So the outcome of your research was to move to mod_nss instead of
> mod_ssl for FIPS?
>
> That would be quite "weird" as OpenSSL should now "natively" be FIPS
> compatible
>
> Especially with newer packages than openssl-0.9.8j being available
> (0.9.8k on debian/sid)
>
>
> On Wed, Jan 20, 2010 at 3:41 PM, Noam Meltzer <tsn...@gmail.com> wrote:
> >
> > Hi Noam,
> >
> > The RPM you have found is not FIPS compliant. Please see below:
> >
> > 1. I recently googled a lot and dug through the RedHat website. The only place
> > RHEL is FIPS compliant is with mod_nss (Apache SSL with the Netscape engine.)
> > http://kbase.redhat.com/faq/docs/DOC-19187
> > I wish to be wrong here. It'll save me a lot of work :-)
> >
> > 2. According to https://openssl.org/docs/fips/UserGuide-1.2.pdf &
> > https://openssl.org/docs/fips/SecurityPolicy-1.2.pdf the FIPS-compliant
> > versions of openssl are openssl-0.9.8j and above, while the FIPS canister
> > used to compile & link is created from openssl-fips-1.2 (you can download
> > the source from https://openssl.org/source/openssl-fips-1.2.tar.gz )
> >
> > 3. To make the situation even funnier, check
> > http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1111
> > and
> > http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1051
> > Neither RHEL nor Debian was ever certified with openssl-fips.
> >
> >
> > Best regards,
> > Noam Meltzer
> >
> >
> > On Wed, Jan 20, 2010 at 3:11 PM, Noam Rathaus <no...@beyondsecurity.com> wrote:
> >>
> >> Hi Noam,
> >>
> >> I have seen several threads on RedHat and CentOS compatibility with
> >> FIPS, and some of these mention openssl-fips-0.9.8e, so I assumed such a
> >> package existed.
> >>
> >> If you did some googling you would find that:
> >> http://rpm.pbone.net/index.php3/stat/4/idpl/12835601/com/openssl-0.9.8e-12.el5.i686.rpm.html
> >>
> >> Lists openssl-fips in it.
> >>
> >> I don't have a way to test how or if it works, but it is out there...
> >>
> >> On Wed, Jan 20, 2010 at 2:39 PM, Noam Meltzer <tsn...@gmail.com> wrote:
> >>>
> >>> Hi,
> >>>
> >>> AFAIK RHEL/CentOS does not ship an openssl which is FIPS compliant.
> >>> Can you point me to the package which you saw that has this inside?
> >>>
> >>> 10x!
> >>> - Noam
> >>>
> >>> On Wed, Jan 20, 2010 at 2:11 PM, Noam Rathaus <no...@beyondsecurity.com> wrote:
> >>>>
> >>>> Hi,
> >>>>
> >>>> I noticed that RedHat and CentOS have special packages of OpenSSL that
> >>>> have FIPS compiled into it.
> >>>>
> >>>> Does anyone know where I can locate such a thing for Debian?
> >>>>
> >>>> Thanks,
> >>>> Noam.
> >>>>
> >>>> _______________________________________________
> >>>> Linux-il mailing list
> >>>> Linux-il@cs.huji.ac.il
> >>>> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
> >>>
> >>
> >
>
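The plan in the message above, a self-compiled FIPS-capable OpenSSL with mod_ssl built against it, has two classic failure modes: mod_ssl silently resolving the distro's libcrypto instead of the one built against the FIPS canister, and a build that links the canister but never actually enters FIPS mode. The script below is an added example for checking both; it is not code from this thread, from OpenSSL or from Apache. It assumes a hypothetical install prefix of /usr/local/ssl and a hypothetical mod_ssl path (both overridable from the environment), and it relies on the behaviour of the 0.9.8 FIPS-capable builds in which the openssl command-line tool calls FIPS_mode_set(1) when the OPENSSL_FIPS environment variable is set, so that a non-approved digest such as MD5 is refused with a "disabled for fips" error.

```shell
#!/bin/sh
# Added example: sanity checks for a self-built FIPS-capable OpenSSL used by mod_ssl.
# Assumed (hypothetical) locations; override them via the environment.
FIPS_PREFIX="${FIPS_PREFIX:-/usr/local/ssl}"
MOD_SSL="${MOD_SSL:-/usr/lib/apache2/modules/mod_ssl.so}"

# Read `ldd` output on stdin and print the path libcrypto resolves to.
# Empty output means no libcrypto line was found.
libcrypto_path_from_ldd() {
    awk '$1 ~ /^libcrypto\.so/ && $2 == "=>" { print $3; exit }'
}

# Succeed only if path $1 lives under directory $2, i.e. mod_ssl really
# picked up the self-built libcrypto rather than the distribution's copy.
path_under_prefix() {
    case "$1" in
        "$2"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Classify a probe of `OPENSSL_FIPS=1 openssl md5`. Assumption (see lead-in):
# in the 0.9.8 FIPS-capable builds the CLI enters FIPS mode when OPENSSL_FIPS
# is set, so MD5 must fail with a FIPS-related error.
# $1 = exit status of the probe, $2 = its stderr text.
classify_md5_probe() {
    if [ "$1" -ne 0 ] && printf '%s' "$2" | grep -qi 'fips'; then
        echo fips
    else
        echo not-fips
    fi
}

# Run the live checks against the real binaries; non-zero return on any failure.
run_checks() {
    rc=0
    ossl="$FIPS_PREFIX/bin/openssl"
    echo "openssl: $("$ossl" version 2>/dev/null || echo 'not found')"

    libcrypto=$(ldd "$MOD_SSL" 2>/dev/null | libcrypto_path_from_ldd)
    if path_under_prefix "$libcrypto" "$FIPS_PREFIX"; then
        echo "ok: $MOD_SSL links $libcrypto"
    else
        echo "FAIL: $MOD_SSL links '${libcrypto:-<none>}', not under $FIPS_PREFIX"
        rc=1
    fi

    # Capture stderr only; stdout (the digest, if any) is discarded.
    err=$(OPENSSL_FIPS=1 "$ossl" md5 /dev/null 2>&1 >/dev/null)
    status=$?
    case "$(classify_md5_probe "$status" "$err")" in
        fips) echo "ok: MD5 refused with OPENSSL_FIPS=1" ;;
        *)    echo "FAIL: MD5 accepted with OPENSSL_FIPS=1; this build is not in FIPS mode"
              rc=1 ;;
    esac
    return $rc
}

# Live checks run only on request, so the functions can be sourced and tested offline.
if [ "${1:-}" = "check" ]; then
    run_checks
fi
```

Run it as `sh fips-check.sh check` on the target host after installing mod_ssl; a non-zero exit means one of the two checks failed. The ldd check matters because Apache's module build will happily pick /usr/lib/libcrypto.so if the self-built prefix is not first on the link and rpath, and nothing in the resulting httpd will tell you.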