Re: FIPS Mode

2012-07-10 Thread Alexander Sack
On Mon, Jul 9, 2012 at 10:01 AM, Mike Hoy  wrote:

> I've googled around for that and for a layman like myself I didn't find
> anything that 'held my hand' through the process. If you know how to do
> this could you elaborate on how to disable Diffie-Hellman key exchanges?
>
>
http://old.nabble.com/how-to-disable-weak-SSL-ciphers--td29318076.html
http://www.openssl.org/docs/apps/ciphers.html

You might find these documents extremely useful.

-aps
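As an added example (not part of the thread), a small Python check over `openssl ciphers -v` output that reports which ciphers in a list still negotiate a DH or ECDH key exchange, so a cipher string built from the linked ciphers(1) documentation can be verified before it is deployed. The sample output is constructed, and the exclusion keywords in `NO_DH_SUFFIX` are assumed from the ciphers(1) man page.

```python
import re
import shutil
import subprocess

# Constructed sample in the format printed by `openssl ciphers -v` (not real output).
SAMPLE_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
"""

# Cipher-string keywords that exclude every DH-based key exchange (static and
# ephemeral, finite-field and elliptic-curve); assumed from ciphers(1).
NO_DH_SUFFIX = "!kDH:!kEDH:!kECDH:!kEECDH"

LINE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)")


def parse_ciphers(text):
    """Parse `openssl ciphers -v` lines into dicts with name/proto/kx/au."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def uses_dh(kx):
    """True for any Diffie-Hellman exchange: DH, DH/RSA, DH(512), ECDH, ECDH/RSA ..."""
    return kx.startswith(("DH", "ECDH"))


def dh_cipher_names(text):
    """Names of ciphers in the output that still negotiate a DH/ECDH exchange."""
    return [e["name"] for e in parse_ciphers(text) if uses_dh(e["kx"])]


def ciphers_for(spec):
    """Ask the local openssl which ciphers `spec` matches ('' if unavailable/invalid)."""
    if shutil.which("openssl") is None:
        return ""
    result = subprocess.run(["openssl", "ciphers", "-v", spec],
                            capture_output=True, text=True, check=False)
    return result.stdout if result.returncode == 0 else ""


if __name__ == "__main__":
    print("DH-based in sample:", dh_cipher_names(SAMPLE_OUTPUT))
    live = ciphers_for("DEFAULT:" + NO_DH_SUFFIX)
    print("DH-based after exclusion:", dh_cipher_names(live) if live else "(no openssl output)")
```

An empty result from `dh_cipher_names(live)` means the exclusion string removed every DH and ECDH key exchange from the local OpenSSL's list.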


Re: FIPS compliance question regarding openssl distributions

2011-03-10 Thread Alexander Sack
On Tue, Mar 8, 2011 at 8:25 AM, Dr. Stephen Henson  wrote:
> On Mon, Mar 07, 2011, Kyle Hamilton wrote:
>
>> In order to achieve compliance, you must follow the instructions in the 
>> Security Policy to the letter.
>>
>> This means that you must:
>> - download and read the security policy
>> - download the openssl-fips-1.2.0.tar.gz
>> - verify its integrity according to the security policy
>> - follow the precise instructions to build it, from the security policy
>>
>> You should also go to NIST and look at its certificate, to verify that it 
>> hasn't been revoked.
>>
>> To use it, you must obtain sources for the latest 0.9.8 release and 
>> compile/link it against the fipscanister.  You may be able to do this from 
>> your ports tree -- the instructions and requirements apply only to 
>> fipscanister.o and several of its companion files.  As long as the 
>> requirements of the security policy are upheld, the implementation will be 
>> compliant.

Thanks for this, that was what I needed.

>> Note that compliance cannot be truly determined programmatically.  So, it's 
>> also a good idea to generate multiple hashes (sha-1, sha-256, ripemd160, 
>> etc) over the fipscanister and associated files, print them out, and commit 
>> to them (physically sign them) as a statement of compliance with the build 
>> process.

I do understand this but I just want to get the bits part right first.

> Note that version openssl-fips-1.2.2.tar.gz is the current version. It has a
> few bug fixes and enhancements over the 1.2.0 version. Specifically fixes for
> Win64+ASM and support for cross compilation.

Thank you all for clarifying the process.  I believe I'm good.  Based
on the spec ONCE the process has been followed to the letter, it seems
I can use that to build the integrated version of OpenSSL in the
FreeBSD tree which is my goal.

One thing that is NOT clear to me is why isn't OpenSSL FIPS *capable*
by default?  Or is that process underway for 1.x.x?  (I thought I saw
a note about this on the project page)

-aps
__
OpenSSL Project                 http://www.openssl.org
User Support Mailing List       openssl-users@openssl.org
Automated List Manager          majord...@openssl.org


FIPS compliance question regarding openssl distributions

2011-03-03 Thread Alexander Sack
Hello openssl-users:

I asked on the FreeBSD security list but perhaps this one is more
apropos.  Our company has been tasked to ship a FIPS compliant version
of openssl on top of our FreeBSD based product.  I am confused on what
distribution I am allowed to use to create a FIPS compliant release.

Here is what I don't understand after reading the FIPS 140-2 User Guide:

In the example of building the openssl FIPS *capable* distribution, it
seems one should take the distribution from the official
openssl.org/source website and validate it using PGP.  However,
FreeBSD ships openssl distribution within its source tree.

There is no tarball of openssl that I can validate it against.  The
source is already integrated in the official FreeBSD source trees.

However, it's based on the openssl distribution found in the official
repos.  I have not done a complete diff, but there may be small build
changes to incorporate the openssl distribution into the FreeBSD
*world* build.

So, can I build a FIPS compliant product using the FreeBSD openssl
distribution OR do I need to build the official openssl distribution
tarball (a la ports)?

If this has been answered before, I apologize.  Some basic Googling
got me mixed answers.

Thanks!

-aps