> From: "Paul Wouters" <[email protected]> > Date: 04/14/15 11:17
> Restriction of algorithms will be done post RHEl-7.1 (and is not strictly > a requirement of FIPS, you can document that one should not use MD5 > without blocking MD5) It's a few times now that I see this. A device offers non-FIPS option but, the user guide says not to use them. Seems all OK for validation purposes. To extrapolate, I guess a device could offer SNMP v1, v2c and v3 witha FIPS user guide that says 'please do not use SNMP v1 and v2c'. > However, current libreswan git head (which will become 3.13) does have > these restrictions enforced now. Which means, MD5, TWOFISH and SERPENT > are not available for IKE or ESP. OK ! Thanks ! > > So far I can say that putting the kernel through FIPS validation > > is not something that was ever mentioned with the consultants. > > It's very expensive. It might be much better to pick a kernel that has > been FIPS certified when you can. Hmmm... > That's because the XFRM itself does not perform cryptographic > operations. The kernel crypto API does that, and it is FIPS certified on > its own: > http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1387.pdf Ah. _______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
