<div dir="ltr">Hi Noam,<br><br>The RPM you have found is not FIPS compliant. Please see below:<br><br>1. I recently googled a lot and dug through the RedHat website. The only place RHEL is FIPS compliant is with mod_nss (apache SSL with netscape engine.)<br>
<a href="http://kbase.redhat.com/faq/docs/DOC-19187">http://kbase.redhat.com/faq/docs/DOC-19187</a><br>I wish to be wrong here. It'll save me a lot of work :-)<br><br>2. According to <a href="https://openssl.org/docs/fips/UserGuide-1.2.pdf">https://openssl.org/docs/fips/UserGuide-1.2.pdf</a> &amp; <a href="https://openssl.org/docs/fips/SecurityPolicy-1.2.pdf">https://openssl.org/docs/fips/SecurityPolicy-1.2.pdf</a> the FIPS compliant versions of openssl are<br>
openssl-0.9.8j and above while the FIPS canister used to compile &amp; link is created from openssl-fips-1.2 (you can download source from <a href="https://openssl.org/source/openssl-fips-1.2.tar.gz">https://openssl.org/source/openssl-fips-1.2.tar.gz</a> )<br>
<br>3. To make the situation even more funny, check <a href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1111">http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1111</a><br>and <a href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1051">http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1051</a><br>
Neither RHEL nor Debian was ever certified with openssl-fips.<br><br><br>Best regards,<br>Noam Meltzer<br><br><br><div class="gmail_quote">On Wed, Jan 20, 2010 at 3:11 PM, Noam Rathaus <span dir="ltr">&lt;<a href="mailto:noamr@beyondsecurity.com">noamr@beyondsecurity.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div dir="ltr">Hi Noam,<br><br>I have seen several threads on RedHat and CentOS compatibility with FIPS, and some of these mention openssl-fips-0.9.8e, so I assumed such a package existed.<br>
<br>If you did some googling you would find that:<br>
<a href="http://rpm.pbone.net/index.php3/stat/4/idpl/12835601/com/openssl-0.9.8e-12.el5.i686.rpm.html" target="_blank">http://rpm.pbone.net/index.php3/stat/4/idpl/12835601/com/openssl-0.9.8e-12.el5.i686.rpm.html</a><br><br>
Lists openssl-fips in it.<br>
<br>I don't have a way to test how or if it works, but it is out there...<div><div></div><div class="h5"><br><br><div class="gmail_quote">On Wed, Jan 20, 2010 at 2:39 PM, Noam Meltzer <span dir="ltr">&lt;<a href="mailto:tsnoam@gmail.com" target="_blank">tsnoam@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div dir="ltr">Hi,<br><br>afaik RHEL/CentOS does not ship openssl which is fips compliant.<br>
Can you point me to the package which you saw that has this inside?<br><br>10x!<br><font color="#888888">- Noam</font><div><div></div><div><br><br><div class="gmail_quote">On Wed, Jan 20, 2010 at 2:11 PM, Noam Rathaus <span dir="ltr">&lt;<a href="mailto:noamr@beyondsecurity.com" target="_blank">noamr@beyondsecurity.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi,<br>
<br>
I noticed that RedHat and CentOS have special packages of OpenSSL that have<br>
FIPS compiled into them.<br>
<br>
Does anyone know where I can locate such a thing for Debian?<br>
<br>
Thanks,<br>
Noam.<br>
<br>
_______________________________________________<br>
Linux-il mailing list<br>
<a href="mailto:Linux-il@cs.huji.ac.il" target="_blank">Linux-il@cs.huji.ac.il</a><br>
<a href="http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il" target="_blank">http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il</a><br>
</blockquote></div><br></div></div></div>
</blockquote></div><br></div></div></div>
</blockquote></div><br></div>