> On Feb 4, 2016, at 10:13 AM, Lesley Kimmel <lesley.j.kim...@gmail.com> wrote:
> 
> All;
> 
> I'm working with PosgreSQL in a DoD environment and am supposed to enforce 
> FIPS operation. PostgreSQL doesn't perform a call to FIP_mode_set() but does 
> provide a configuration item 'ssl_ciphers'. Is there more to FIPS_mode than I 
> am aware of or would it be functionally equivalent to simply set my ciphers 
> to something like 'FIPS:!aNULL:!eNULL’?

Yes, there is more to it.  From a technical standpoint, several “power-on 
self-tests” are supposed to be run in order for FIPS mode to be enabled.  While 
my own experience is the DoD’s auditors are a lot looser with the rules than 
most, other people report the opposite, and even the looser ones I’ve been in 
contact with would never allow what you’re suggesting.  You really need to be 
modifying PostgreSQL to invoke FIPS_mode_set(), and understand that there may 
be more to it than that.  I haven’t looked in a long time, but there are 
conceivably runtime issues if you just add that single call.

Also, depending on the auditor, you’d probably need to modify PostgreSQL’s 
documentation, too, so that it cannot in any way refer to non-approved 
algorithms as cryptography (except as allowed by relevant NIST publications, 
but I think SHA-1 is the only special case).  That could be tricky, and it’s up 
to the you to prove it’s OK, and then to remove the references anyway if the 
auditor still doesn’t like it. :)

> As a semi-related question, would a non-FIPS OpenSSL installation still 
> enforce the same cipher suites but just not be 'officially' validated?

AFAIK, you could limit it to the appropriate cipher suites, but be aware that 
FIPS 140 is all about proving that only certain known and tested 
[implementations of] algorithms are used.  It’s unlikely that another version 
of OpenSSL would use exactly the same implementations (after all, fixes and 
performance enhancements have been added), and there’d still be nothing to 
prove those are the approved algorithms, even if they were the exact same.  So 
I can’t imagine any auditor approving such a setup.

OpenSSL doesn’t provide a cheap, easy answer to the issues surrounding FIPS 140 
compliance, but it does significantly reduce the cost of effort for those 
producing software.  For those who rely on third-party software, it still 
helps, but it’s usually going to be a lot more effort than just “add the 
OpenSSL FIPS module” to the system. :)

TOM

> Thanks!
> -LJK
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Reply via email to