On 03/12/17 16:10, Jim Carroll wrote:
[...snip...]
> You asked:
> 
>       >> +    * OpenSSL 1.0.2m
>       >> +    * openssl-fips-2.0.2
> 
>       > I think the points above are expected to be ">="?
>       > Or are these versions strictly required?
> 
> These versions are strictly required. While the fips module is binary
> compatible with OpenSSL 1.0.1x, it would not include OpenSSL bug fixes
> available in 1.0.2m which is required by NIST SP 800-171. And because the
> fips module is only tested and lab certified up to 1.0.2, you cannot take
> the new 1.1.0x branch.  This leaves the user with a single choice 1.0.2m.

[...snip...]

> You commented:
> 
>       > Some distro may even provide their own FIPS enabled packages.
> 
> This is a good point. It is possible that the distro already includes
> OpenSSL 1.0.2m. I should change the instructions to suggest they check for
> this module and then let them know they can skip the step if they already
> have OpenSSL 1.0.2m installed.

According to this knowledge base article from Red Hat, this is how you FIPS
enable a system:  <https://access.redhat.com/solutions/137833>  (Requires a
registered account; no paid subscription needed)

Now, to a detail regarding the OpenSSL version.  RHEL 6 ships with
openssl-1.0.1e and RHEL 7 ships with openssl-1.0.2k.  And both distributions
when configured according to the document above are FIPS compliant installs.
I suspect when RHEL 8 comes in the future, it will ship with OpenSSL 1.1.x as
well and it would surprise me immensely if that distribution would not be FIPS
compliant as well (as Red Hat has a lot of government customers as well).

So I don't think the version is as strict as you say.  But it might be that
other distributions have gone through the compliance certification on a
different version.

For OpenVPN's part, I don't think we should enforce any strict versions.  It
is up to the admin to ensure a compliant OpenSSL library is installed and the
system is configured accordingly to be FIPS compliant.


-- 
kind regards,

David Sommerseth
OpenVPN, Inc
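The message above leaves the FIPS check to the administrator rather than to OpenVPN. The script below is an added example, not code from the thread or from the OpenVPN project, of what such an administrator-side check could look like: it reads the RHEL-style kernel flag `/proc/sys/crypto/fips_enabled`, parses the `openssl version` banner, and compares the parsed version (including the letter suffix, so 1.0.2k vs 1.0.2m is handled) against a minimum the admin chooses. The banner text, the flag file path and the minimum version are assumptions and sample inputs constructed here, not values taken from the thread.

```shell
#!/bin/sh
# Added example: administrator-side FIPS sanity check for an OpenSSL host.
# Assumed inputs (not from the thread): a kernel flag file in the style of
# /proc/sys/crypto/fips_enabled and an `openssl version` banner such as
# "OpenSSL 1.0.2k-fips  26 Jan 2017".

# fips_flag FILE -> prints 1 if the file contains "1", else 0 (missing = 0).
fips_flag() {
    if [ -r "$1" ]; then
        read -r v < "$1" 2>/dev/null || v=0
        [ "$v" = "1" ] && echo 1 || echo 0
    else
        echo 0
    fi
}

# openssl_ver BANNER -> extracts "1.0.2k" from "OpenSSL 1.0.2k-fips  26 Jan 2017".
openssl_ver() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# ver_ge A B -> exit 0 when OpenSSL-style version A >= B.
# Numeric fields are compared first; the letter suffix is compared last,
# with no suffix ranking below any suffix (1.0.2 < 1.0.2a).
ver_ge() {
    a_num=${1%%[a-z]*}; a_let=${1#"$a_num"}
    b_num=${2%%[a-z]*}; b_let=${2#"$b_num"}
    old_ifs=$IFS; IFS=.
    set -- $a_num; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b_num; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$old_ifs
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
        set -- $pair
        [ "$1" -gt "$2" ] && return 0
        [ "$1" -lt "$2" ] && return 1
    done
    [ "$a_let" = "$b_let" ] && return 0
    [ -z "$b_let" ] && return 0
    [ -z "$a_let" ] && return 1
    # Both have suffixes: lexical order, where "za" sorts after "z".
    [ "$(printf '%s\n%s\n' "$a_let" "$b_let" | sort | tail -n 1)" = "$a_let" ]
}

# fips_check FLAGFILE BANNER MINVER -> prints a verdict; exit 0 only if the
# kernel flag is on AND the OpenSSL version meets the minimum.
fips_check() {
    flag=$(fips_flag "$1")
    ver=$(openssl_ver "$2")
    ok=0
    if [ "$flag" = 1 ]; then
        echo "kernel FIPS mode: enabled"
    else
        echo "kernel FIPS mode: DISABLED"; ok=1
    fi
    if [ -n "$ver" ] && ver_ge "$ver" "$3"; then
        echo "OpenSSL $ver: meets minimum $3"
    else
        echo "OpenSSL ${ver:-unknown}: below minimum $3"; ok=1
    fi
    return $ok
}

# Demo with constructed sample input (a temp file standing in for the
# kernel flag). On a real host you would run:
#   fips_check /proc/sys/crypto/fips_enabled "$(openssl version)" 1.0.2k
tmp=$(mktemp)
echo 1 > "$tmp"
fips_check "$tmp" "OpenSSL 1.0.2k-fips  26 Jan 2017" 1.0.2k || :
fips_check "$tmp" "OpenSSL 1.0.2k-fips  26 Jan 2017" 1.0.2m || :
rm -f "$tmp"
```

The two demo calls show the point under discussion: the same RHEL 7 style banner passes when the admin's floor is 1.0.2k and fails when the floor is raised to 1.0.2m, so the policy decision lives in the argument, not in the tool.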



_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
