Debian OpenSSL with FIPS

Noam Meltzer tsnoam at gmail.com
Wed Jan 20 16:00:30 IST 2010


Hi Noam,

Currently we're using mod_nss and we're seriously considering using mod_ssl
with FIPS compliant openssl (which we'll compile ourselves).

btw, mod_nss is not in a great place either (FIPS wise). The versions
certified are not very recent and there are newer versions of mod_nss which
are not FIPS certified yet (at least last I've checked).

Best regards,
Noam Meltzer

On Wed, Jan 20, 2010 at 3:45 PM, Noam Rathaus <noamr at beyondsecurity.com> wrote:

> Hi Noam,
>
> So the outcome of your research was to move to mod_nss instead of
> mod_ssl for FIPS?
>
> That would be quite "weird" as OpenSSL should now "natively" be FIPS
> compatible
>
> Especially with newer packages than openssl-0.9.8j being available
> (0.9.8k on debian/sid)
>
>
> On Wed, Jan 20, 2010 at 3:41 PM, Noam Meltzer <tsnoam at gmail.com> wrote:
> >
> > Hi Noam,
> >
> > The RPM you have found is not FIPS compliant. Please see below:
> >
> > 1. I recently googled a lot and dug through the RedHat website. The only place
> > RHEL is FIPS compliant is with mod_nss (apache SSL with netscape engine.)
> > http://kbase.redhat.com/faq/docs/DOC-19187
> > I wish to be wrong here. It'll save me a lot of work :-)
> >
> > 2. According to https://openssl.org/docs/fips/UserGuide-1.2.pdf &
> https://openssl.org/docs/fips/SecurityPolicy-1.2.pdf  the FIPS compliant
> versions of openssl are
> > openssl-0.9.8j and above while the FIPS canister used to compile & link
> is created from openssl-fips-1.2 (you can download source from
> https://openssl.org/source/openssl-fips-1.2.tar.gz )
> >
> > 3. to make the situation even more funny, check
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1111
> > and
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1051
> > Neither RHEL nor debian was ever certified with openssl-fips.
> >
> >
> > Best regards,
> > Noam Meltzer
> >
> >
> > On Wed, Jan 20, 2010 at 3:11 PM, Noam Rathaus <noamr at beyondsecurity.com>
> wrote:
> >>
> >> Hi Noam,
> >>
> >> I have seen several threads on RedHat and CentOS compatibility with
> FIPS, and some of these mention openssl-fips-0.9.8e, so I assumed such a
> package existed.
> >>
> >> If you did some googling you would find that:
> >>
> http://rpm.pbone.net/index.php3/stat/4/idpl/12835601/com/openssl-0.9.8e-12.el5.i686.rpm.html
> >>
> >> Lists openssl-fips in it.
> >>
> >> I don't have a way to test how or if it works, but it is out there...
> >>
> >> On Wed, Jan 20, 2010 at 2:39 PM, Noam Meltzer <tsnoam at gmail.com> wrote:
> >>>
> >>> Hi,
> >>>
> >>> afaik RHEL/CentOS does not ship openssl which is fips compliant.
> >>> can you point me to the package which you saw that has this inside?
> >>>
> >>> 10x!
> >>> - Noam
> >>>
> >>> On Wed, Jan 20, 2010 at 2:11 PM, Noam Rathaus <
> noamr at beyondsecurity.com> wrote:
> >>>>
> >>>> Hi,
> >>>>
> >>>> I noticed that RedHat and CentOS have special packages of OpenSSL that
> >>>> have FIPS compiled into it.
> >>>>
> >>>> Does anyone know where I can locate such a thing for Debian?
> >>>>
> >>>> Thanks,
> >>>> Noam.
> >>>>
> >>>> _______________________________________________
> >>>> Linux-il mailing list
> >>>> Linux-il at cs.huji.ac.il
> >>>> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
> >>>
> >>
> >
>
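The thread above turns on whether a given openssl build is actually FIPS-capable (0.9.8j or later linked against the openssl-fips-1.2 module) rather than a plain distribution package. The following added shell script, not from the list posting or from any distribution, probes an installed or self-built `openssl` binary for that. It assumes the classic 0.9.8/1.0.x behaviour: a FIPS-capable build reports `-DOPENSSL_FIPS` in `openssl version -a`, and the `openssl` app calls `FIPS_mode_set(1)` at startup when the `OPENSSL_FIPS` environment variable is set (OpenSSL 3.x does neither).

```shell
#!/bin/sh
# Added example: probe whether an openssl(1) binary is FIPS-capable in the
# 0.9.8j+/1.0.x sense. Assumes the build reports -DOPENSSL_FIPS in
# `openssl version -a` and honours OPENSSL_FIPS=1 (OpenSSL 3.x does not).
# Return codes: 0 = FIPS-capable, 1 = not FIPS-capable, 2 = no usable binary.

fips_capable() {
    bin="${1:-openssl}"
    command -v "$bin" >/dev/null 2>&1 || return 2

    # Check 1: the build was configured with the "fips" option, which
    # puts -DOPENSSL_FIPS into the compiler flags shown by `version -a`.
    if ! "$bin" version -a 2>/dev/null | grep -q 'OPENSSL_FIPS'; then
        return 1
    fi

    # Check 2: runtime behaviour. With OPENSSL_FIPS=1 the app switches to
    # FIPS mode; an approved digest (SHA-1) must still work and a
    # non-approved one (MD5) must be refused. Both outcomes are required.
    tmp=$(mktemp) || return 2
    printf 'fips probe\n' > "$tmp"
    sha_ok=0; OPENSSL_FIPS=1 "$bin" sha1 "$tmp" >/dev/null 2>&1 || sha_ok=1
    md5_ok=0; OPENSSL_FIPS=1 "$bin" md5  "$tmp" >/dev/null 2>&1 || md5_ok=1
    rm -f "$tmp"

    if [ "$sha_ok" -eq 0 ] && [ "$md5_ok" -ne 0 ]; then
        return 0
    fi
    return 1
}

# Human-readable wrapper. "Capable" only means the FIPS object module is
# linked and FIPS mode can be enabled; whether that module is the unmodified
# openssl-fips-1.2 canister built exactly per its Security Policy is a
# separate question that the binary itself cannot answer.
report_fips() {
    rc=0
    fips_capable "$1" || rc=$?
    case $rc in
        0) echo "FIPS-capable build: FIPS mode enables, MD5 is refused" ;;
        1) echo "not a FIPS-capable build" ;;
        *) echo "openssl binary not found or probe could not run" ;;
    esac
}
```

Run it as `report_fips /path/to/your/openssl` after building, and again against the distribution's `/usr/bin/openssl` to see the difference the thread is about.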