Default OpenSSL can understand and speak the cryptographic algorithms that FIPS can validate. This does not mean that it is FIPS validated. (For example, if it can accept MD5 for anything other than establishing the premaster secret, it's not FIPS validated or even FIPS validatable.) This is an interoperability issue -- OpenSSL tries to be interoperable, as much as it can. (This is in marked contrast to other implementations, such as Windows's up to and including Server 2003.)
FIPS validated cryptography is mandated on endpoints which handle sensitive information by the US Federal Government (though current practice includes "procurement", not necessarily "implementation"). You cannot claim FIPS validation at your server simply because it can talk to FIPS-validated clients. Your server must also be FIPS-validated, which means that it must use a validated cryptographic module in accordance with that module's security policy.

-Kyle H

On Thu, Feb 19, 2009 at 10:23 PM, smitha daggubati <smithad...@gmail.com> wrote:
> Hello all,
> I have a general query regarding FIPS mode. I am running a simple openssl
> https server based on openssl that services https requests from Windows
> clients. I have the following setting in my Windows XP: "Use FIPS compliant
> algorithms for encryption, hashing and signing" set to 1.
> Using IE on a Windows XP client with the above setting I am able to
> communicate with an openssl command line https server. I don't have FIPS
> enabled on my openssl command line tool. Then how come I am able to handle
> requests from a Windows machine which has the FIPS setting set to 1?
>
> Now is it OK to say I am FIPS compliant on the server side because I am
> handling FIPS requests from clients?
>
> Thanks in advance for your time.
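As an added example that is not part of this thread: a small audit that parses the output format of `openssl ciphers -v` (the listing below is a constructed sample, not taken from the poster's server) and flags every suite whose bulk cipher or MAC a FIPS module may not offer, for instance MD5 as a MAC, which is the kind of thing that makes a default build non-validatable.

```python
import re

# Constructed sample in the format printed by `openssl ciphers -v`
# (not captured from any real server).
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
"""

# Primitives FIPS 140-2 approved for TLS bulk encryption and MAC
# (3DES was still approved at the time of the thread; DES, RC4 and MD5 never were).
APPROVED_ENC = {"AES", "AESGCM", "3DES"}
APPROVED_MAC = {"SHA1", "SHA256", "SHA384", "AEAD"}

_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_cipher_line(line):
    """Turn one `openssl ciphers -v` line into a dict of its fields."""
    parts = line.split()
    fields = {"name": parts[0], "version": parts[1]}
    for key, value in _FIELD.findall(" ".join(parts[2:])):
        fields[key] = value          # Kx=, Au=, Enc=, Mac=
    fields["enc_alg"] = fields["Enc"].split("(")[0]   # "AESGCM(128)" -> "AESGCM"
    return fields


def non_approved_suites(listing):
    """Return (suite name, reasons) for every suite a FIPS module may not offer."""
    findings = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        c = parse_cipher_line(line)
        reasons = []
        if c["enc_alg"] not in APPROVED_ENC:
            reasons.append("cipher " + c["Enc"])
        if c["Mac"] not in APPROVED_MAC:
            reasons.append("MAC " + c["Mac"])
        if reasons:
            findings.append((c["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in non_approved_suites(SAMPLE_CIPHERS_V):
        print(name, "->", ", ".join(reasons))
```

Feed it the real listing with `openssl ciphers -v 'ALL'` to see which suites a default build still offers; an empty result is necessary but, as the reply above says, not sufficient for a validation claim.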