Re: relationship between FIPS module and OpenSSL

2009-05-07 Thread Kyle Hamilton
OpenSSL FIPS is used essentially as a crypto engine, except that it's
not called through the standard engine interface.

The FIPS module is validated to perform its advertised functions; if
it's in FIPS mode, OpenSSL will use its linked-in OpenSSL FIPS module
to perform all of its cryptographic operations (and should be used in
preference to engines, as well, since a FIPS operational environment
requires all cryptographic operations to be performed within the
bounds of a validated cryptographic canister).

If the OpenSSL library is not in FIPS mode, then it's essentially ignored.

-Kyle H

On Thu, May 7, 2009 at 1:31 PM,   wrote:
> Hi,
>
> Could someone please explain to me in simple terms the relationship between 
> the OpenSSL FIPS module and OpenSSL itself?
>
> Is the FIPS module used by OpenSSL as a crypto engine or such like or am I 
> way off base here?
>
> Thanks for any assistance or pointers.
>
> Thanks,
>
> Carl
>
>
> __
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-us...@openssl.org
> Automated List Manager                           majord...@openssl.org
>


Re: relationship between FIPS module and OpenSSL

2009-05-08 Thread Carl Anderson
I was using openssl to encrypt files at the command line and I was
wondering if the FIPS mode could be enabled for doing that.

Carl Anderson

On Thu, May 7, 2009 at 6:26 PM, Kyle Hamilton  wrote:
> OpenSSL FIPS is used essentially as a crypto engine, except that it's
> not called through the standard engine interface.
>
> The FIPS module is validated to perform its advertised functions; if
> it's in FIPS mode, OpenSSL will use its linked-in OpenSSL FIPS module
> to perform all of its cryptographic operations (and should be used in
> preference to engines, as well, since a FIPS operational environment
> requires all cryptographic operations to be performed within the
> bounds of a validated cryptographic canister).
>
> If the OpenSSL library is not in FIPS mode, then it's essentially ignored.
>
> -Kyle H
>
> On Thu, May 7, 2009 at 1:31 PM,   wrote:
>> Hi,
>>
>> Could someone please explain to me in simple terms the relationship between 
>> the OpenSSL FIPS module and OpenSSL itself?
>>
>> Is the FIPS module used by OpenSSL as a crypto engine or such like or am I 
>> way off base here?
>>
>> Thanks for any assistance or pointers.
>>
>> Thanks,
>>
>> Carl


RE: relationship between FIPS module and OpenSSL

2009-05-08 Thread Bill Colvin
Try:

  export OPENSSL_FIPS=1
  
  unset OPENSSL_FIPS

Bill

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Carl Anderson
Sent: May 8, 2009 8:39 AM
To: openssl-users@openssl.org
Subject: Re: relationship between FIPS module and OpenSSL

I was using openssl to encrypt files at the command line and I was
wondering if the FIPS mode could be enabled for doing that.

Carl Anderson

On Thu, May 7, 2009 at 6:26 PM, Kyle Hamilton  wrote:
> OpenSSL FIPS is used essentially as a crypto engine, except that it's
> not called through the standard engine interface.
>
> The FIPS module is validated to perform its advertised functions; if
> it's in FIPS mode, OpenSSL will use its linked-in OpenSSL FIPS module
> to perform all of its cryptographic operations (and should be used in
> preference to engines, as well, since a FIPS operational environment
> requires all cryptographic operations to be performed within the
> bounds of a validated cryptographic canister).
>
> If the OpenSSL library is not in FIPS mode, then it's essentially ignored.
>
> -Kyle H
>
> On Thu, May 7, 2009 at 1:31 PM,   wrote:
>> Hi,
>>
>> Could someone please explain to me in simple terms the relationship between 
>> the OpenSSL FIPS module and OpenSSL itself?
>>
>> Is the FIPS module used by OpenSSL as a crypto engine or such like or am I 
>> way off base here?
>>
>> Thanks for any assistance or pointers.
>>
>> Thanks,
>>
>> Carl
>
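
Added example, not part of any post in this thread and not OpenSSL project code: a POSIX shell wrapper for the advice above that sets OPENSSL_FIPS for a single command only (so nothing has to be unset afterwards) and first checks that the binary really refuses a non-approved digest with the variable set. The names fips_probe and run_in_fips are hypothetical, and the check assumes that a binary honouring the variable still computes SHA-256 but rejects MD5.

```shell
#!/bin/sh
# Added example; fips_probe and run_in_fips are hypothetical helper names.
# Assumption: a binary that honours OPENSSL_FIPS=1 still computes SHA-256
# but refuses MD5, which is not a FIPS-approved digest.

# fips_probe [openssl-binary] -> prints fips-active | not-enforced | unusable
fips_probe() {
    probe_bin=${1:-openssl}
    command -v "$probe_bin" >/dev/null 2>&1 || { echo unusable; return 0; }
    # An approved digest must still work with the variable set.
    if ! printf 'probe' | OPENSSL_FIPS=1 "$probe_bin" dgst -sha256 >/dev/null 2>&1
    then
        echo unusable        # binary will not run this way at all
        return 0
    fi
    # A non-approved digest must be refused; success means no enforcement.
    if printf 'probe' | OPENSSL_FIPS=1 "$probe_bin" dgst -md5 >/dev/null 2>&1
    then
        echo not-enforced
    else
        echo fips-active
    fi
}

# run_in_fips <openssl-binary> <openssl args...>
# Runs one command with OPENSSL_FIPS=1 scoped to that command only,
# and refuses to run if the probe shows the mode is not enforced.
run_in_fips() {
    fips_bin=$1
    shift
    state=$(fips_probe "$fips_bin")
    if [ "$state" != fips-active ]; then
        echo "refusing to run: $fips_bin is $state" >&2
        return 1
    fi
    OPENSSL_FIPS=1 "$fips_bin" "$@"
}

# Report the state of the openssl found on PATH.
fips_probe openssl
```

A result of not-enforced means the variable was silently ignored, so a file encrypted that way was not processed in FIPS mode even though the command succeeded.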


Re: relationship between FIPS module and OpenSSL

2009-05-08 Thread Randy Turner
From this thread, it sounds like relying on the OpenSSL-FIPS canister
for cryptography means you can't use hardware cryptographic
accelerators through the engine interface, because the crypto would be
done in h/w and NOT within the canister?

I'm assuming if the h/w cryptographic module itself is FIPS-certified,
and is accessed through the OpenSSL engine interface, then you could
say this "solution" is FIPS certifiable.


Randy


On May 8, 2009, at 6:22 AM, Bill Colvin wrote:

> Try:
>
>   export OPENSSL_FIPS=1
>
>   unset OPENSSL_FIPS
>
> Bill
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
> On Behalf Of Carl Anderson
> Sent: May 8, 2009 8:39 AM
> To: openssl-users@openssl.org
> Subject: Re: relationship between FIPS module and OpenSSL
>
> I was using openssl to encrypt files at the command line and I was
> wondering if the FIPS mode could be enabled for doing that.
>
> Carl Anderson
>
> On Thu, May 7, 2009 at 6:26 PM, Kyle Hamilton  wrote:
>> OpenSSL FIPS is used essentially as a crypto engine, except that it's
>> not called through the standard engine interface.
>>
>> The FIPS module is validated to perform its advertised functions; if
>> it's in FIPS mode, OpenSSL will use its linked-in OpenSSL FIPS module
>> to perform all of its cryptographic operations (and should be used in
>> preference to engines, as well, since a FIPS operational environment
>> requires all cryptographic operations to be performed within the
>> bounds of a validated cryptographic canister).
>>
>> If the OpenSSL library is not in FIPS mode, then it's essentially ignored.
>>
>> -Kyle H
>>
>> On Thu, May 7, 2009 at 1:31 PM,   wrote:
>>> Hi,
>>>
>>> Could someone please explain to me in simple terms the relationship between
>>> the OpenSSL FIPS module and OpenSSL itself?
>>>
>>> Is the FIPS module used by OpenSSL as a crypto engine or such like or am I
>>> way off base here?
>>>
>>> Thanks for any assistance or pointers.
>>>
>>> Thanks,
>>>
>>> Carl
