Debian OpenSSL with FIPS

Noam Meltzer tsnoam at gmail.com
Wed Jan 20 15:41:17 IST 2010


Hi Noam,

The RPM you have found is not FIPS compliant. Please see below:

1. I recently googled a lot and dug through the RedHat website. The only place RHEL
is FIPS compliant is with mod_nss (Apache SSL with the Netscape engine):
http://kbase.redhat.com/faq/docs/DOC-19187
I wish to be wrong here. It'll save me a lot of work :-)

2. According to https://openssl.org/docs/fips/UserGuide-1.2.pdf and
https://openssl.org/docs/fips/SecurityPolicy-1.2.pdf the FIPS compliant
versions of openssl are openssl-0.9.8j and above, while the FIPS canister
used to compile & link is created from openssl-fips-1.2 (you can download
the source from https://openssl.org/source/openssl-fips-1.2.tar.gz ).

3. To make the situation even more funny, check
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1111
and http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1051
Neither RHEL nor Debian was ever certified with openssl-fips.


Best regards,
Noam Meltzer


On Wed, Jan 20, 2010 at 3:11 PM, Noam Rathaus <noamr at beyondsecurity.com> wrote:

> Hi Noam,
>
> I have seen several threads on RedHat and CentOS compatibility with FIPS,
> and some of these mention openssl-fips-0.9.8e, so I assumed such a package
> existed.
>
> If you did some googling you would find that:
>
> http://rpm.pbone.net/index.php3/stat/4/idpl/12835601/com/openssl-0.9.8e-12.el5.i686.rpm.html
>
> Lists openssl-fips in it.
>
> I don't have a way to test how or if it works, but it is out there...
>
>
> On Wed, Jan 20, 2010 at 2:39 PM, Noam Meltzer <tsnoam at gmail.com> wrote:
>
>> Hi,
>>
>> AFAIK RHEL/CentOS does not ship an openssl which is FIPS compliant.
>> Can you point me to the package which you saw that has this inside?
>>
>> 10x!
>> - Noam
>>
>>
>> On Wed, Jan 20, 2010 at 2:11 PM, Noam Rathaus <noamr at beyondsecurity.com> wrote:
>>
>>> Hi,
>>>
>>> I noticed that RedHat and CentOS have special packages of OpenSSL that
>>> have FIPS compiled into it.
>>>
>>> Does anyone know where I can locate such a thing for Debian?
>>>
>>> Thanks,
>>> Noam.
>>>
>>> _______________________________________________
>>> Linux-il mailing list
>>> Linux-il at cs.huji.ac.il
>>> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
>>>
>>
>>
>
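The thread turns on two separate questions: whether a build is even of a FIPS-capable release (openssl-0.9.8j or later, per the reply above) and whether the validated module actually engages at runtime. The script below is an added example, not code from the linux-il thread or from the OpenSSL project. It assumes the `openssl` command-line tool of an upstream FIPS-capable 0.9.8/1.0.x build, which calls FIPS_mode_set(1) and exits non-zero when the OPENSSL_FIPS environment variable is set but FIPS mode cannot be entered, and that in FIPS mode the MD5 digest is refused while SHA-1 is allowed. The version banners used in comments are constructed samples, not captured output from any distribution.

```python
"""Check whether a local OpenSSL build is FIPS-capable and whether FIPS mode engages.

Added example; not code from the linux-il thread or from the OpenSSL project.
Assumptions: the `openssl` command-line tool is the one under test and, as in
upstream FIPS-capable 0.9.8/1.0.x builds, it calls FIPS_mode_set(1) and exits
non-zero when the environment variable OPENSSL_FIPS is set but FIPS mode cannot
be entered. In FIPS mode the MD5 digest is refused while SHA-1 is allowed.
"""
import os
import re
import subprocess

# Minimum FIPS-capable release named in the thread: openssl-0.9.8j.
MIN_FIPS_CAPABLE = (0, 9, 8, "j")

# Matches constructed banners such as "OpenSSL 0.9.8e-fips-sample 01 Jan 2010":
# numeric release, optional patch letter, then any tag glued onto it (e.g. "-fips").
_BANNER_RE = re.compile(r"OpenSSL (\d+\.\d+\.\d+)([a-z]*)(\S*)")


def parse_version_banner(banner):
    """Parse the first line of `openssl version`.

    Returns the release string (e.g. '0.9.8e'), a sortable key
    (major, minor, fix, patch-letter) and whether the build advertises a
    '-fips' tag in its version text. A tag alone proves nothing: a 0.9.8e
    build can carry it and still predate the 0.9.8j/openssl-fips-1.2 pairing.
    """
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return {
        "version": m.group(1) + m.group(2),
        "key": numbers + (m.group(2),),
        "fips_tag": "fips" in m.group(3).lower(),
    }


def meets_minimum(banner):
    """True if the banner's release is openssl-0.9.8j or later."""
    return parse_version_banner(banner)["key"] >= MIN_FIPS_CAPABLE


def classify_probe(sha1_ok, md5_ok):
    """Interpret two digest runs made with OPENSSL_FIPS=1 in the environment.

    sha1_ok / md5_ok: whether `openssl sha1` and `openssl md5` exited 0.
    """
    if not sha1_ok:
        # FIPS_mode_set(1) failed, so the tool exited before hashing anything:
        # the build has no validated module to switch into.
        return "fips-mode-unavailable"
    if md5_ok:
        # Both digests worked, so the variable was silently ignored: a build
        # compiled without the fips option never looks at it.
        return "env-var-ignored"
    # SHA-1 allowed, MD5 refused: the validated module is active.
    return "fips-mode-active"


def probe_local_openssl(openssl="openssl"):
    """Run the two probes against a real binary and classify the result."""
    env = dict(os.environ, OPENSSL_FIPS="1")

    def digest_ok(name):
        proc = subprocess.run([openssl, name, os.devnull], env=env,
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return proc.returncode == 0

    return classify_probe(digest_ok("sha1"), digest_ok("md5"))


if __name__ == "__main__":
    banner = subprocess.run(["openssl", "version"],
                            capture_output=True, text=True).stdout
    info = parse_version_banner(banner)
    print("release %s, fips tag in banner: %s, >= 0.9.8j: %s"
          % (info["version"], info["fips_tag"], meets_minimum(banner)))
    print("runtime probe:", probe_local_openssl())
```

Run it on the host in question; a "fips-mode-active" verdict only shows that a FIPS-capable build switched modes, not that the distribution's package was validated by CMVP, which is the separate certificate question the reply raises.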

