Debian OpenSSL with FIPS

Noam Rathaus noamr at beyondsecurity.com
Wed Jan 20 15:45:18 IST 2010


Hi Noam,

So the outcome of your research was to move to mod_nss instead of
mod_ssl for FIPS?

That would be quite "weird" as OpenSSL should now "natively" be FIPS compatible.

Especially with newer packages than openssl-0.9.8j being available
(0.9.8k on debian/sid)


On Wed, Jan 20, 2010 at 3:41 PM, Noam Meltzer <tsnoam at gmail.com> wrote:
>
> Hi Noam,
>
> The RPM you have found is not FIPS compliant. Please see below:
>
> 1. I recently googled a lot and dug through the RedHat website. The only place RHEL is FIPS compliant is with mod_nss (apache SSL with netscape engine.)
> http://kbase.redhat.com/faq/docs/DOC-19187
> I wish to be wrong here. It'll save me a lot of work :-)
>
> 2. According to https://openssl.org/docs/fips/UserGuide-1.2.pdf & https://openssl.org/docs/fips/SecurityPolicy-1.2.pdf  the FIPS compliant versions of openssl are
> openssl-0.9.8j and above while the FIPS canister used to compile & link is created from openssl-fips-1.2 (you can download source from https://openssl.org/source/openssl-fips-1.2.tar.gz )
>
> 3. To make the situation even funnier, check http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1111
> and http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1051
> Neither RHEL nor debian was ever certified with openssl-fips.
>
>
> Best regards,
> Noam Meltzer
>
>
> On Wed, Jan 20, 2010 at 3:11 PM, Noam Rathaus <noamr at beyondsecurity.com> wrote:
>>
>> Hi Noam,
>>
>> I have seen several threads on RedHat and CentOS compatibility with FIPS, and some of these mention openssl-fips-0.9.8e, so I assumed such a package existed.
>>
>> If you did some googling you would find that:
>> http://rpm.pbone.net/index.php3/stat/4/idpl/12835601/com/openssl-0.9.8e-12.el5.i686.rpm.html
>>
>> Lists openssl-fips in it.
>>
>> I don't have a way to test how or if it works, but it is out there...
>>
>> On Wed, Jan 20, 2010 at 2:39 PM, Noam Meltzer <tsnoam at gmail.com> wrote:
>>>
>>> Hi,
>>>
>>> afaik RHEL/CentOS does not ship openssl which is fips compliant.
>>> can you point me to the package which you saw that has this inside?
>>>
>>> 10x!
>>> - Noam
>>>
>>> On Wed, Jan 20, 2010 at 2:11 PM, Noam Rathaus <noamr at beyondsecurity.com> wrote:
>>>>
>>>> Hi,
>>>>
>>>> I noticed that RedHat and CentOS have special packages of OpenSSL that have
>>>> FIPS compiled into them.
>>>>
>>>> Does anyone know where I can locate such a thing for Debian?
>>>>
>>>> Thanks,
>>>> Noam.
>>>>
>>>> _______________________________________________
>>>> Linux-il mailing list
>>>> Linux-il at cs.huji.ac.il
>>>> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
>>>
>>
>