Re: relationship between FIPS module and OpenSSL

Fri, 08 May 2009 07:19:43 -0700 



From this thread, it sounds like relying on the OpenSSL-FIPS canister  
for cryptography means you can't use hardware cryptographic
accelerators through the engine interface, because the crypto would be  
done in h/w and NOT within the

canister?


I'm assuming if the h/w cryptographic module itself is FIPS-certified,  
and is accessed through the OpenSSL
engine interface, then you could say this "solution" is FIPS  
certifiable.


Randy


On May 8, 2009, at 6:22 AM, Bill Colvin wrote:


Try:

     export OPENSSL_FIPS=1
     <your command line>
     unset OPENSSL_FIPS

Bill

-----Original Message-----

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org 
] On Behalf Of Carl Anderson

Sent: May 8, 2009 8:39 AM
To: openssl-users@openssl.org
Subject: Re: relationship between FIPS module and OpenSSL

I was using openssl to encrypt files at the command line and I was
wondering if the FIPS mode could be enabled for doing that.

Carl Anderson


On Thu, May 7, 2009 at 6:26 PM, Kyle Hamilton <aerow...@gmail.com>  
wrote:

OpenSSL FIPS is used essentially as a crypto engine, except that it's
not called through the standard engine interface.

The FIPS module is validated to perform its advertised functions; if
it's in FIPS mode, OpenSSL will use its linked-in OpenSSL FIPS module
to perform all of its cryptographic operations (and should be used in
preference to engines, as well, since a FIPS operational environment
requires all cryptographic operations to be performed within the
bounds of a validated cryptographic canister).


If the OpenSSL library is not in FIPS mode, then it's essentially  
ignored.


-Kyle H

On Thu, May 7, 2009 at 1:31 PM,  <carlyo...@keycomm.co.uk> wrote:

Hi,


Could someone please explain to me in simple terms the  
relationship between the OpenSSL FIPS module and OpenSSL itself?



Is the FIPS module used by OpenSSL as a crypto engine or such like  
or am I way off base here?


Thanks for any assistance or pointers.

Thanks,

Carl


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


______________________________________________________________________

OpenSSL Project                                 http:// 
www.openssl.org
User Support Mailing List                    openssl- 
us...@openssl.org
Automated List Manager                            
majord...@openssl.org



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org






Attachment:
smime.p7s

Description: S/MIME cryptographic signature






















					Reply via email to