At an extremely high level, the FIPS module is validated by independent assessors and only that /exact/ version of the module is allowed to run in FIPS mode. That assessment is expensive and slow. There are other concerns too, but you should probably just read about them from the source.
See http://www.openssl.org/docs/fips/fipsnotes.html Patrick Watson, CISSP Software Engineer Data Security & Electronic Payment Systems NCR Retail -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Micah Cowan Sent: Wednesday, October 23, 2013 3:06 PM To: [email protected] Cc: [email protected] Subject: Re: [openssl.org #3150] Bug Report (with trivial fix): fips module segfault On 10/23/2013 06:16 AM, Stephen Henson via RT wrote: > What version of OpenSSL are you using? This was worked around in > 1.0.1e due to the difficulty of changing the FIPS module. Ah, okay; I see the drbg_free_entropy functions are checking for NULL there now, which works (even though it's probably still FIPS's bad). We're using (modified) Ubuntu Precise's openssl1.0.0 (really 1.0.1) debian package, which looks to have cherry-picked security fixes from 1.0.1e (and prior), but probably didn't grab the FIPS stuff under consideration of the fact that they don't _build_ with FIPS stuff. For my curiosity, what's difficult about modifying FIPS? More involved change-vetting process? -mjc ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [email protected] ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [email protected]
