> Hello all,
> I have a general query regarding FIPS mode. I am running a simple openssl
> https server based on openssl that services https requests from Windows
> clients. I have the following setting in my Windows XP "Use FIPS compliant
> algorithms for encryption, hashing and signing set to 1".
> Using IE on a Windows XP client with the above setting I am able to
> communicate with an openssl command line https server. I don't have
> FIPS enabled on my openssl command line tool. Then how come I am able to
> handle requests from a Windows machine which has the FIPS setting set to 1?

It's very hard to understand the logic behind your question. Why wouldn't it work? FIPS is *not* an 'over the wire' security thing. It's a 'secure endpoint' thing. FIPS is not a protocol, it's about methodology, testing, and validating.

If the client is FIPS validated, we would hope that the server would be unable to trick it or exploit defects in its encryption algorithm. But if the server doesn't try, there's no reason things shouldn't work.

> Now is it ok to say I am FIPS compliant on the server side because
> I am handling FIPS requests from clients?

Of course not. That's like saying a bank has good security because sometimes honest people can walk in and not rob it. Good security is about what happens when the bad guys try to rob the bank. It's not about what happens when good guys try to make a deposit.

FIPS compliance is about how you design, test, and validate by an objective third party. It's not just about what the code does but about how it was assured that it will not do what it's not supposed to do.

> thanks in advance for your time.

DS