--- On Sat, 9/17/11, Rob Weir <[email protected]> wrote: ... > > OpenSSL is a a validated module when run in "FIPS mode": > > http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2009.htm#1111 > > But that would still apply to AES, not Blowfish. > > Think of it this way: FIPS 140 defines what the > acceptable algorithms are. Then the actual modules, > the actual libraries, are validated by 3rd party > testing labs according to NIST criteria. If we use > validated modules implementing approved algorithms, then > we're golden. >
Thanks for this point. NSS is not certified and given the version OOo carries has known security issues I suggest we kill the configure option to avoid hazards to our users. Without other options I prefer Blowfish to no security at all. Again, patches for OpenSSL or any other certified solution are welcome :). While here .. I also think we should kill mozilla: 1) The version we carry also has serious security issues. 2) Google Chromium has a better license. 3) I actually think we should be browser version agnostic. > I'd be happy if we had deep in some configuration dialog > the ability for user (or more likely the IT department) > to specify the algorithm to use. > I would think it could be a compile time option so we could name such switch "configure --with-ssl". See? Everyone happy now :). Cheers, Pedro.
