On Fri June 12 2009, Lovette, Steve wrote:
> Team
> In the NIST list of FIPS 140-2 certified products & algorithms I do not see
> OpenSSL on that list. Are you embedding (hope) a certified product and/or
> algorithm that I am unaware of? This for us has become a hot item. Is it
> possible that I could get an answer from someone today or over the weekend?
> Any insight you can provide is greatly appreciated.
>
Where are you looking?

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm

Certificate:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/140crt1111.pdf

Mike

> Steve Lovette
>
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Steve Marquess
> Sent: Monday, March 09, 2009 7:23 AM
> To: openssl-users@openssl.org
> Subject: Re: FIPS
>
> Kyle Hamilton wrote:
> > On Mon, Mar 2, 2009 at 1:49 PM, Dr. Stephen Henson
> > <st...@openssl.org> wrote:
> > > ... The set of FIPS compatible ciphersuites is represented by the
> > > string "FIPS".
> > >
> > > In FIPS mode you cannot select any other ciphersuites: non FIPS
> > > ciphersuites are disabled.
> >
> > Would it make any sense to allow an administrator to attempt to
> > ensure FIPS-compliant mode via the use of the "FIPS" protocol string,
> > making it an error if the library is not in FIPS mode?
>
> Ummm, I'd say no. I've found the FIPS designation handy for checking to
> see if applications work with FIPS compatible algorithms, without being
> in FIPS mode or using validated software. Ironically I was doing that
> very check on a DoD web server just as your message arrived.
>
> Note that while procurement of FIPS validated software is formally
> mandated in DoD, compliance is spotty. But even where non-validated
> crypto is used the FIPS compatible algorithms should still be utilized.
> Compliance in that regard is better, though still far from universal. I
> configure all crypto I work on for my DoD clients to use only the FIPS
> compatible algorithms. If nothing else that will ease an eventual
> transition to validated software.
>
> > In FIPS mode, can specific FIPS-validated ciphers be enabled or
> > disabled after the "FIPS" protocol string is provided?
>
> Yes, and I'd argue that is as it should be. The "FIPS" label in that
> context is just shorthand for a set of algorithms.
>
> -Steve M.
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
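The check Steve Marquess describes above, auditing an application's cipher list for FIPS-compatible algorithms without a FIPS-mode build, can be done offline by parsing the `openssl ciphers -v` listing. The following is an added example and is not code from the thread or from the OpenSSL project. It assumes the standard `openssl ciphers -v` column layout (`NAME PROTOCOL Kx= Au= Enc= Mac=`), and the approved-algorithm sets it uses are the example's own reading of the FIPS 140-2 approved lists (AES and Triple-DES for encryption, the SHA family for integrity, authenticated non-export key exchange), not the exact membership of any OpenSSL release's `FIPS` alias. The sample listing is constructed, and `audit_local_openssl` is a hypothetical helper name.

```python
"""Audit a cipher list for FIPS 140-2 compatible algorithms (added example)."""
import re
import subprocess

# Constructed sample in the `openssl ciphers -v` layout; not real command output.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA          SSLv3   Kx=DH       Au=RSA  Enc=AES(128)    Mac=SHA1
AES256-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(256)    Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA      Au=RSA  Enc=3DES(168)   Mac=SHA1
RC4-SHA                     SSLv3   Kx=RSA      Au=RSA  Enc=RC4(128)    Mac=SHA1
RC4-MD5                     SSLv3   Kx=RSA      Au=RSA  Enc=RC4(128)    Mac=MD5
DES-CBC-SHA                 SSLv3   Kx=RSA      Au=RSA  Enc=DES(56)     Mac=SHA1
EXP-RC2-CBC-MD5             SSLv3   Kx=RSA(512) Au=RSA  Enc=RC2(40)     Mac=MD5  export
ADH-AES128-SHA              SSLv3   Kx=DH       Au=None Enc=AES(128)    Mac=SHA1
NULL-SHA                    SSLv3   Kx=RSA      Au=RSA  Enc=None        Mac=SHA1
"""

# Assumption: approved primitives per the FIPS 140-2 approved-algorithm lists.
APPROVED_ENC = {"AES", "AESGCM", "AESCCM", "3DES"}
APPROVED_MAC = {"SHA1", "SHA256", "SHA384", "SHA512", "AEAD"}
APPROVED_KX = {"RSA", "DH", "ECDH"}

LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)(.*)$"
)


def _base(field: str) -> str:
    """Strip the key-size suffix: 'AESGCM(256)' -> 'AESGCM', 'RSA(512)' -> 'RSA'."""
    return re.match(r"[A-Za-z0-9]+", field).group(0)


def parse_ciphers_v(text: str) -> list:
    """Parse `openssl ciphers -v` output into one dict per suite."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unexpected lines
        name, proto, kx, au, enc, mac, rest = m.groups()
        suites.append({
            "name": name, "proto": proto, "kx": kx, "au": au,
            "enc": enc, "mac": mac, "export": "export" in rest,
        })
    return suites


def fips_violations(suite: dict) -> list:
    """Return the reasons a suite is not FIPS-compatible (empty list if it is)."""
    reasons = []
    if suite["export"]:
        reasons.append("export-grade key exchange")
    if _base(suite["kx"]) not in APPROVED_KX:
        reasons.append(f"key exchange {suite['kx']} not approved")
    if suite["au"] == "None":
        reasons.append("anonymous (unauthenticated) key exchange")
    if _base(suite["enc"]) not in APPROVED_ENC:
        reasons.append(f"cipher {suite['enc']} not approved")
    if _base(suite["mac"]) not in APPROVED_MAC:
        reasons.append(f"MAC {suite['mac']} not approved")
    return reasons


def audit(text: str):
    """Split a cipher listing into compatible names and {name: [reasons]}."""
    ok, bad = [], {}
    for suite in parse_ciphers_v(text):
        reasons = fips_violations(suite)
        if reasons:
            bad[suite["name"]] = reasons
        else:
            ok.append(suite["name"])
    return ok, bad


def audit_local_openssl(cipher_string: str = "ALL"):
    """Hypothetical helper: audit the suites the local openssl binary enables."""
    out = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                         capture_output=True, text=True, check=True).stdout
    return audit(out)


if __name__ == "__main__":
    ok, bad = audit(SAMPLE_CIPHERS_V)
    print("FIPS-compatible:", ", ".join(ok))
    for name, reasons in bad.items():
        print(f"rejected {name}: {'; '.join(reasons)}")
```

Run against a server's actual cipher string (for example `audit_local_openssl("HIGH:!aNULL")`) the rejected list shows which configured suites would stop working after a move to a FIPS-mode build, which is the transition cost Marquess is trying to avoid by restricting to FIPS-compatible algorithms up front.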