One of our customers needs OpenSSL FIPS support enabled on one of their servers. The best I can tell is that there is no FIPS-enabled OpenSSL available from the repository and that I'll need to download the FIPS module myself, compile it, and then compile OpenSSL with FIPS support enabled. I sort of hate doing that because it means replacing the repositories' OpenSSL with custom binaries. Are there any "gotchas" that I need to be aware of? Are there any good resources that you recommend?

OpenSSL has published their documentation:

https://www.openssl.org/docs/fips/SecurityPolicy-2.0.12.pdf
https://www.openssl.org/docs/fipsnotes.html

I've found these, but they look old, especially because the compile options reference "fipscanisterbuild" but the latest documentation above does not list "fipscanisterbuild" as a compile option (see page 23 of 29 in the Security Policy guide):

http://marc.info/?l=openssl-users&m=132696206010687
https://groups.google.com/forum/#!topic/mailing.openssl.users/i9E2Y-e3iXc
http://www.joshianlindsay.com/index.php?id=123

Also, I am a little bit concerned about the bug mentioned here, which for bureaucratic reasons will not be fixed. Apparently no one uses the affected code anyway, but...

http://marc.info/?l=openssl-announce&m=138747119822324&w=2

Are there any other recommendations or advice before I start down this road?

Thanks,
John

--
You received this message because you are subscribed to the Google Groups "NLUG" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/nlug-talk?hl=en
