Re: relationship between FIPS module and OpenSSL
I was using openssl to encrypt files at the command line and I was wondering if the FIPS mode could be enabled for doing that.

Carl Anderson

On Thu, May 7, 2009 at 6:26 PM, Kyle Hamilton aerow...@gmail.com wrote:
> OpenSSL FIPS is used essentially as a crypto engine, except that it's not called through the standard engine interface.
>
> The FIPS module is validated to perform its advertised functions; if it's in FIPS mode, OpenSSL will use its linked-in OpenSSL FIPS module to perform all of its cryptographic operations (and should be used in preference to engines, as well, since a FIPS operational environment requires all cryptographic operations to be performed within the bounds of a validated cryptographic canister).
>
> If the OpenSSL library is not in FIPS mode, then it's essentially ignored.
>
> -Kyle H
>
> On Thu, May 7, 2009 at 1:31 PM, carlyo...@keycomm.co.uk wrote:
>> Hi,
>>
>> Could someone please explain to me in simple terms the relationship between the OpenSSL FIPS module and OpenSSL itself? Is the FIPS module used by OpenSSL as a crypto engine or such like or am I way off base here?
>>
>> Thanks for any assistance or pointers.
>>
>> Thanks,
>> Carl

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-us...@openssl.org
Automated List Manager majord...@openssl.org
RE: relationship between FIPS module and OpenSSL
Try:

export OPENSSL_FIPS=1
your command line
unset OPENSSL_FIPS

Bill

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Carl Anderson
Sent: May 8, 2009 8:39 AM
To: openssl-users@openssl.org
Subject: Re: relationship between FIPS module and OpenSSL

I was using openssl to encrypt files at the command line and I was wondering if the FIPS mode could be enabled for doing that.

Carl Anderson

On Thu, May 7, 2009 at 6:26 PM, Kyle Hamilton aerow...@gmail.com wrote:
> OpenSSL FIPS is used essentially as a crypto engine, except that it's not called through the standard engine interface.
>
> The FIPS module is validated to perform its advertised functions; if it's in FIPS mode, OpenSSL will use its linked-in OpenSSL FIPS module to perform all of its cryptographic operations (and should be used in preference to engines, as well, since a FIPS operational environment requires all cryptographic operations to be performed within the bounds of a validated cryptographic canister).
>
> If the OpenSSL library is not in FIPS mode, then it's essentially ignored.
>
> -Kyle H
>
> On Thu, May 7, 2009 at 1:31 PM, carlyo...@keycomm.co.uk wrote:
>> Hi,
>>
>> Could someone please explain to me in simple terms the relationship between the OpenSSL FIPS module and OpenSSL itself? Is the FIPS module used by OpenSSL as a crypto engine or such like or am I way off base here?
>>
>> Thanks for any assistance or pointers.
>>
>> Thanks,
>> Carl
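
The following is an added example, not part of Bill's message or of OpenSSL. It scopes OPENSSL_FIPS=1 to a single command and checks whether the binary really entered FIPS mode, assuming a FIPS-capable openssl build that reads that variable; OPENSSL_BIN, fips_run and fips_probe are hypothetical names.

```shell
#!/bin/sh
# Added example. OPENSSL_BIN, fips_run and fips_probe are hypothetical names;
# OPENSSL_BIN only selects which openssl binary is exercised.
OPENSSL_BIN="${OPENSSL_BIN:-openssl}"

# Run one openssl subcommand with FIPS mode requested. The assignment applies
# only to the child process, so the caller's environment is left untouched
# and no "unset OPENSSL_FIPS" is needed afterwards.
# Usage: fips_run <subcommand> [args...]
fips_run() {
    OPENSSL_FIPS=1 "$OPENSSL_BIN" "$@"
}

# Report what OPENSSL_FIPS=1 actually did to this binary:
#   fips         SHA-256 works and MD5 is refused (MD5 is not FIPS-approved)
#   ignored      MD5 still works, so the variable had no effect
#   unsupported  even SHA-256 fails, so the binary would not run in FIPS mode
fips_probe() {
    if ! printf 'probe' | fips_run dgst -sha256 >/dev/null 2>&1; then
        echo unsupported
        return 2
    fi
    if printf 'probe' | fips_run dgst -md5 >/dev/null 2>&1; then
        echo ignored
        return 1
    fi
    echo fips
}
```

Run fips_probe once before relying on fips_run: a result other than "fips" means the commands are not being executed by the validated module.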
Re: relationship between FIPS module and OpenSSL
From this thread, it sounds like relying on the OpenSSL-FIPS canister for cryptography means you can't use hardware cryptographic accelerators through the engine interface, because the crypto would be done in h/w and NOT within the canister?

I'm assuming if the h/w cryptographic module itself is FIPS-certified, and is accessed through the OpenSSL engine interface, then you could say this solution is FIPS certifiable.

Randy

On May 8, 2009, at 6:22 AM, Bill Colvin wrote:
> Try:
>
> export OPENSSL_FIPS=1
> your command line
> unset OPENSSL_FIPS
>
> Bill
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Carl Anderson
> Sent: May 8, 2009 8:39 AM
> To: openssl-users@openssl.org
> Subject: Re: relationship between FIPS module and OpenSSL
>
> I was using openssl to encrypt files at the command line and I was wondering if the FIPS mode could be enabled for doing that.
>
> Carl Anderson
>
> On Thu, May 7, 2009 at 6:26 PM, Kyle Hamilton aerow...@gmail.com wrote:
>> OpenSSL FIPS is used essentially as a crypto engine, except that it's not called through the standard engine interface.
>>
>> The FIPS module is validated to perform its advertised functions; if it's in FIPS mode, OpenSSL will use its linked-in OpenSSL FIPS module to perform all of its cryptographic operations (and should be used in preference to engines, as well, since a FIPS operational environment requires all cryptographic operations to be performed within the bounds of a validated cryptographic canister).
>>
>> If the OpenSSL library is not in FIPS mode, then it's essentially ignored.
>>
>> -Kyle H
>>
>> On Thu, May 7, 2009 at 1:31 PM, carlyo...@keycomm.co.uk wrote:
>>> Hi,
>>>
>>> Could someone please explain to me in simple terms the relationship between the OpenSSL FIPS module and OpenSSL itself? Is the FIPS module used by OpenSSL as a crypto engine or such like or am I way off base here?
>>>
>>> Thanks for any assistance or pointers.
>>>
>>> Thanks,
>>> Carl
relationship between FIPS module and OpenSSL
Hi,

Could someone please explain to me in simple terms the relationship between the OpenSSL FIPS module and OpenSSL itself? Is the FIPS module used by OpenSSL as a crypto engine or such like or am I way off base here?

Thanks for any assistance or pointers.

Thanks,
Carl
Re: relationship between FIPS module and OpenSSL
OpenSSL FIPS is used essentially as a crypto engine, except that it's not called through the standard engine interface.

The FIPS module is validated to perform its advertised functions; if it's in FIPS mode, OpenSSL will use its linked-in OpenSSL FIPS module to perform all of its cryptographic operations (and should be used in preference to engines, as well, since a FIPS operational environment requires all cryptographic operations to be performed within the bounds of a validated cryptographic canister).

If the OpenSSL library is not in FIPS mode, then it's essentially ignored.

-Kyle H

On Thu, May 7, 2009 at 1:31 PM, carlyo...@keycomm.co.uk wrote:
> Hi,
>
> Could someone please explain to me in simple terms the relationship between the OpenSSL FIPS module and OpenSSL itself? Is the FIPS module used by OpenSSL as a crypto engine or such like or am I way off base here?
>
> Thanks for any assistance or pointers.
>
> Thanks,
> Carl