<div dir="ltr">Hi Noam,<br><br>Currently we're using mod_nss and we're seriously considering using mod_ssl with FIPS compliant openssl (which we'll compile ourselves).<br><br>btw, mod_nss is not in a great place either (FIPS-wise). The versions certified are not very recent and there are newer versions of mod_nss which are not FIPS certified yet (at least last I checked).<br>
<br>Best regards,<br>Noam Meltzer<br><br><div class="gmail_quote">On Wed, Jan 20, 2010 at 3:45 PM, Noam Rathaus <span dir="ltr">&lt;<a href="mailto:noamr@beyondsecurity.com">noamr@beyondsecurity.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi Noam,<br>
<br>
So the outcome of your research was to move to mod_nss instead of<br>
mod_ssl for FIPS?<br>
<br>
That would be quite "weird" as OpenSSL should now "natively" be FIPS compatible<br>
<br>
Especially with newer packages than openssl-0.9.8j being available<br>
(0.9.8k on debian/sid)<br>
<div><div></div><div class="h5"><br>
<br>
On Wed, Jan 20, 2010 at 3:41 PM, Noam Meltzer &lt;<a href="mailto:tsnoam@gmail.com">tsnoam@gmail.com</a>&gt; wrote:<br>
><br>
> Hi Noam,<br>
><br>
> The RPM you have found is not FIPS compliant. Please see below:<br>
><br>
> 1. I recently googled a lot and dug through the RedHat website. The only place RHEL is FIPS compliant is with mod_nss (apache SSL with netscape engine.)<br>
> <a href="http://kbase.redhat.com/faq/docs/DOC-19187" target="_blank">http://kbase.redhat.com/faq/docs/DOC-19187</a><br>
> I wish to be wrong here. It'll save me a lot of work :-)<br>
><br>
> 2. According to <a href="https://openssl.org/docs/fips/UserGuide-1.2.pdf" target="_blank">https://openssl.org/docs/fips/UserGuide-1.2.pdf</a> & <a href="https://openssl.org/docs/fips/SecurityPolicy-1.2.pdf" target="_blank">https://openssl.org/docs/fips/SecurityPolicy-1.2.pdf</a> the FIPS compliant versions of openssl are<br>
> openssl-0.9.8j and above while the FIPS canister used to compile & link is created from openssl-fips-1.2 (you can download source from <a href="https://openssl.org/source/openssl-fips-1.2.tar.gz" target="_blank">https://openssl.org/source/openssl-fips-1.2.tar.gz</a> )<br>
><br>
> 3. to make the situation even more funny, check <a href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1111" target="_blank">http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1111</a><br>
> and <a href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1051" target="_blank">http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1051</a><br>
> Neither RHEL nor debian was ever certified with openssl-fips.<br>
><br>
><br>
> Best regards,<br>
> Noam Meltzer<br>
><br>
><br>
> On Wed, Jan 20, 2010 at 3:11 PM, Noam Rathaus &lt;<a href="mailto:noamr@beyondsecurity.com">noamr@beyondsecurity.com</a>&gt; wrote:<br>
>><br>
>> Hi Noam,<br>
>><br>
>> I have seen several threads on RedHat and CentOS compatibility with FIPS, and some of these mention openssl-fips-0.9.8e, so I assumed such a package existed.<br>
>><br>
>> If you did some googling you would find that:<br>
>> <a href="http://rpm.pbone.net/index.php3/stat/4/idpl/12835601/com/openssl-0.9.8e-12.el5.i686.rpm.html" target="_blank">http://rpm.pbone.net/index.php3/stat/4/idpl/12835601/com/openssl-0.9.8e-12.el5.i686.rpm.html</a><br>
>><br>
>> Lists openssl-fips in it.<br>
>><br>
>> I don't have a way to test how or if it works, but it is out there...<br>
>><br>
>> On Wed, Jan 20, 2010 at 2:39 PM, Noam Meltzer &lt;<a href="mailto:tsnoam@gmail.com">tsnoam@gmail.com</a>&gt; wrote:<br>
>>><br>
>>> Hi,<br>
>>><br>
>>> afaik RHEL/CentOS does not ship openssl which is fips compliant.<br>
>>> can you point me to the package which you saw that has this inside?<br>
>>><br>
>>> 10x!<br>
>>> - Noam<br>
>>><br>
>>> On Wed, Jan 20, 2010 at 2:11 PM, Noam Rathaus &lt;<a href="mailto:noamr@beyondsecurity.com">noamr@beyondsecurity.com</a>&gt; wrote:<br>
>>>><br>
>>>> Hi,<br>
>>>><br>
>>>> I noticed that RedHat and CentOS have special packages of OpenSSL that have<br>
>>>> FIPS compiled into them.<br>
>>>><br>
>>>> Does anyone know where I can locate such a thing for Debian?<br>
>>>><br>
>>>> Thanks,<br>
>>>> Noam.<br>
>>>><br>
>>>> _______________________________________________<br>
>>>> Linux-il mailing list<br>
>>>> <a href="mailto:Linux-il@cs.huji.ac.il">Linux-il@cs.huji.ac.il</a><br>
>>>> <a href="http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il" target="_blank">http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il</a><br>
>>><br>
>><br>
><br>
</div></div></blockquote></div><br></div>