Re: FIPS Mode

Sun, 08 Jul 2012 15:59:36 -0700

Use the 3rd option suggested by McAfee, it is better than their first two options.
The 3rd option is to "configure the ciphersuite used by the server to not include any Diffie-Hellman key exchanges" until your choice of distribution includes OpenSSL 1.0.1 with the new FIPS module. 

On 08-07-2012 20:58, Mike Hoy wrote:

We received the following from McAfee PCI Compliance service:

Description
The remote SSL/TLS server accepts a weak Diffie-Hellman (DH) public
key value.

This flaw may aid an attacker in conducting a man-in-the-middle (MiTM)
attack against the remote server since it could enable a forced
calculation of a fully predictable Diffie-Hellman secret.

By itself, this flaw is not sufficient to set up a MiTM attack (hence
a risk factor of 'none'), as it would require some SSL implementation
flaws to affect one of the clients connecting to the remote host.



General Solution
OpenSSL is affected when compiled in FIPS mode. To resolve this
issue, either upgrade to OpenSSL 1.0.0, disable FIPS mode or configure
the ciphersuite used by the server to not include any Diffie-Hellman
key exchanges.

PolarSSL is affected. To resolve this issue, upgrade to version
0.99-pre3 / 0.14.2 or higher.

If using any other SSL implementation, configure the ciphersuite used
by the server to not include any Diffie-Hellman key exchanges or
contact your vendor for a patch.




We want to know how to disable FIPS mode. We cannot upgrade OpenSSL 
without compiling it and we would rather use yum to upgrade our 
software on our servers. CentOS is only offering .9.x currently. My 
understanding is that only people working for the government would be 
utilizing FIPS mode while browsing the net. So is our solution 
correct: Disable FIPS mode? If so how does one go about doing this on 
a GoDaddy dedicated CentOS system?


Thanks,
--
Mike Hoy


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded






















					Reply via email to