On Thu, Sep 25, 2008 at 08:22:11AM -0400, Steve Marquess wrote:
> David Jacobson wrote:
>> Tim Hudson wrote:
>>> The Doctor wrote:
>>>> That being said, how do you get openssl to compile with FIPS
>>>> and be backwards compatible at the same time?
>>>
>>> That is what the FIPS mode is for - the library built supports all 
>>> algorithms and when in FIPS mode it disables the use of non-approved 
>>> algorithms.
>>>
>>> A single application can work in both FIPS and non-FIPS mode. You can add 
>>> in code to choose which mode to be in on a per-connection basis if that 
>>> is what your application requires.
>>>
>>> See the usage of FIPS_mode_set()
>>>
>>> Note also that due to an implementation quirk you need to clear the 
>>> currently set RNG when switching back into FIPS mode.
>>
>> It is not an implementation quirk, it is a requirement of FIPS 140. FIPS 
>> 140 requires that when switching modes all keys and "critical security 
>> parameters" must be cleared.  The random number generator state is a 
>> critical security parameter. (I'm doing this from memory, but I'm quite 
>> sure I've got it right.)
>
> It is an implementation quirk (or to be honest, an outright goof).  By the 
> time we caught this problem it was too late to fix it (with the FIPS 140 
> validation process you freeze your code first, *then* test -- ready, fire, 
> aim!).
>
> Since there is little practical reason to disable FIPS mode once enabled 
> (reference earlier discussion) we elected to just leave that bug as-is 
> rather than abort and restart the validation process.
>
> -Steve M.
>
> -- 
> Steve Marquess
> Open Source Software Institute
> [EMAIL PROTECTED]
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-dev@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
>
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>


The end gives up either to choose FIPS and non-MD5 or non-FIPS and MD5.

Please fix, as compilation quirks on this are not a laughing
matter.

-- 
Member - Liberal International  
This is [EMAIL PROTECTED]       Ici [EMAIL PROTECTED]
God, Queen and country! Beware Anti-Christ rising! Canada vote anything but 
Conservative on 14 Oct 2008, join us at http://www.harpocrit.ca .
