Re: [openssl-users] FIPS Object Module 2.0, fipsalgtest.pl fails

2017-10-04 Thread Steve Marquess
mething very broken in your build environment or platform; you'll want to sort that out before trying anything adventurous. -Steve M. -- Steve Marquess OpenSSL Validation Services, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 301 874 2571 marqu...@openssl.com gpg/pgp key: http://op

Re: [openssl-users] FIPS Object Module 2.0, fipsalgtest.pl fails

2017-10-02 Thread Steve Marquess
don't benefit the OpenSSL community as a whole. Please note that if you're trying to do your own "private label" validation you'll have to use a new unique set of test vectors provided by your accredited test lab; reprocessing a previously used set doesn't buy you mu

Re: [openssl-users] FIPS Object Module 2.0, fipsalgtest.pl fails

2017-09-28 Thread Steve Marquess
to compare your test vectors with a known good set from http://openssl.com/testing/validation-2.0/testvectors/. Pick a recent set, as the format of the test vectors changes over time. Note that as a result frequent adjustment of fipsalgtest.pl is often necessary. -Steve M.

Re: [openssl-users] /proc/sys/crypto/fips_enabled=1 is this enough to make OpenSSL to change its mode to FIPS?

2017-05-13 Thread Steve Marquess
want to use FIPS_mode_set(); see the FIPS module user guide at https://www.openssl.org/docs/fips/UserGuide-2.0.pdf and/or the wiki at https://wiki.openssl.org/. -Steve M.

Re: [openssl-users] Static FIPS Library with Address Randomization

2017-03-21 Thread Steve Marquess
er the application executable file containing the FIPS module (which in many cases would be a shared library), but that was specifically rejected (see section 2.2 of the OpenSSL FIPS module user guide, https://www.openssl.org/docs/fips/UserGuide-2.0.pdf). -Steve M.

Re: [openssl-users] Enabling FIPS on an custom embedded system.

2016-10-27 Thread Steve Marquess
ned patches to add x.509 support to OpenSSH (http://roumenpetrov.info/openssh/), but hacking OpenSSH for both FIPS 140 and x.509 is not a project for the faint-hearted, and since OpenSSH is unlikely to ever add either feature officially you're left with a long maintenance tail. -Steve M.

Re: [openssl-users] Enabling FIPS on an custom embedded system.

2016-10-26 Thread Steve Marquess
ified for compatibility with the FIPS capable OpenSSL. Very few applications not already designed to support the OpenSSL FIPS module will be compatible without some degree of modification. -Steve M.

Re: [openssl-users] new FIPS module

2016-09-29 Thread Steve Marquess
ssage "FIPS mode not supported." Note that tells you nothing about whether another application has enabled FIPS mode, though. For that you need to look under the hood of that application (i.e. ask the vendor). -Steve M.

Re: [openssl-users] new FIPS module

2016-09-28 Thread Steve Marquess
Apparently PIC isn't possible on Win32, for instance. Hopefully Andy will weigh in. If there is a graceful way to accommodate Windows we'd gladly do it. As for DLLs, the fipscanister.o code can always be embedded within a DLL or shared library. It's the rebasing that's the problem. -S

Re: [openssl-users] Building FIPS-capable OpenSSL on Linux PPC64

2016-09-27 Thread Steve Marquess
ed. So whether you can build it there or not is moot. We can still add platforms to the 2.0 FIPS module, but of course that takes time and money. Typically we would introduce new architecture targets in config/Configure as necessary to accommodate the requirement that command line options not be

[openssl-users] new FIPS module

2016-09-27 Thread Steve Marquess
ything of vital importance please speak up. -Steve M.

Re: [openssl-users] Building OpenSSL Library on ARM Cortex M4 based STM32F4 controller in an RTOS environment

2016-09-20 Thread Steve Marquess
as yours, will *not* satisfy those requirements. It should be possible to have your platform (RTOS on ARM) added to one of the validations, but that will cost time and money. But, until and if that is done stock OpenSSL will achieve the same level of FIPS 140-2 righteousness (i.e., none). -

Re: [openssl-users] ECC patent status questions

2016-09-01 Thread Steve Marquess
nse (https://www.openssl.org/source/NSA-PLA.pdf). I'm not going to try and offer any legal advice, though; for that you'll need to check with your own legal counsel. -Steve M.

Re: [openssl-users] regarding openssl and openssl fips

2016-08-24 Thread Steve Marquess
a dormant Dual EC DRBG matters to you then upgrade to any revision 2.0.8 or later. -Steve M.

Re: [openssl-users] Reasons to go from 2.0.9 FOM to 2.0.12 ?

2016-08-19 Thread Steve Marquess
e apparently going to the expense and trouble of obtaining a copycat validation, there's no reason for you *not* to use 2.0.13. That way you'd potentially have coverage for more platforms. -Steve M. [*] Removal of Dual EC DRBG -- arguably a vulnerability mitigation -- at revisions 2.0.6 and 2.0.

Re: [openssl-users] OpenSSL FOM 2.0.12 - Windows Compliance

2016-08-19 Thread Steve Marquess
oftware it's prudent to always use the latest revision to pick up bugfixes and refinements; for the FIPS module it doesn't matter.

Re: [openssl-users] OpenSSL - FIPS 140 Compliant

2016-08-17 Thread Steve Marquess
The background discussion there will still be relevant for the new FIPS module. -Steve M.

Re: [openssl-users] Question about OpenSSL and FIPS 140-2 module

2016-08-04 Thread Steve Marquess
ny product that is sold into the USG/DoD market will come in a FIPS 140 flavor. If you don't have source you'll not be able to tell if it's readily adaptable for FIPS 140 compliance. -Steve M.

[openssl-users] wiki spam

2016-07-11 Thread Steve Marquess
ing up the spam is tedious so please note that going forward we'll need better evidence that new contributors are real OpenSSL users. How we do that we'll need to figure out as we go; please bear with us. -Steve M.

Re: [openssl-users] Regarding FIPS capable openssl (I want to combine libcrypto.a and libssl.a)

2016-06-29 Thread Steve Marquess
link process, but you cannot put the FIPS module in a conventional static library (as managed with "ar"). Unfortunately the requirements of FIPS 140-2 conflict in several ways with standard software engineering practice; it is the tail that wags the dog. -Steve M.

Re: [openssl-users] Regarding FIPS capable openssl (I want to combine libcrypto.a and libssl.a)

2016-06-24 Thread Steve Marquess
d applications, > perhaps also some of the other required steps from the FIPS > module users guide. > See https://openssl.org/docs/fips/UserGuide-2.0.pdf. The FIPS module requires special build-time voodoo to satisfy the peculiar requirements of the FIPS 140-2 validation. -Steve

Re: [openssl-users] Looking for the Changelog in openssl-fips-2.0.12

2016-05-24 Thread Steve Marquess
would for OpenSSL proper or other more conventionally maintained software. -Steve M.

Re: [openssl-users] good riddance to PayPal

2016-05-13 Thread Steve Marquess
pendence trumped any hypothetical financial gain. We have turned down other donations-with-strings opportunities in the past for similar reasons. Also, while we value the individual donations received via PayPal, the bulk of our donation funding has been received via bank transfers (Swift/ACH), and tha

Re: [openssl-users] good riddance to PayPal

2016-05-12 Thread Steve Marquess
On 05/12/2016 09:39 AM, Steve Marquess wrote: > On 05/11/2016 06:04 PM, Johann v. Preußen wrote: >> i am sorry if i have wasted your time on non-profit formation and >> taxation issues when i put my CPA hat on. i originally meant to point >> out some banking alternatives an

Re: [openssl-users] good riddance to PayPal

2016-05-12 Thread Steve Marquess
call when they open for business. I suspect we'll run into the U.S. web server location issue, but I'll check. -Steve M.

Re: [openssl-users] good riddance to PayPal

2016-05-11 Thread Steve Marquess
hecked with several, and with ones experienced with 501(c)) don't see a viable path worth the substantial investment it would cost us. -Steve M.

Re: [openssl-users] good riddance to PayPal

2016-05-11 Thread Steve Marquess
tus are nil. Apparently the IRS does not look kindly on our type of open source project. That is one of the reasons we need to relocate outside of U.S. jurisdiction. -Steve M.

Re: [openssl-users] good riddance to PayPal

2016-05-10 Thread Steve Marquess
On 05/05/2016 04:41 PM, Steve Marquess wrote: > We've had a PayPal account for years, as the most convenient way for > individuals to send small donations. However, as the person who has > managed that account I can attest that PayPal has always been rather > annoying to de

[openssl-users] Attack of the FIPS 140-2 Clones

2016-05-10 Thread Steve Marquess
s which are listed in alphabetical order in table 2.10b. -Steve M.

Re: [openssl-users] good riddance to PayPal

2016-05-06 Thread Steve Marquess
isting accounts isn't the problem. -Steve M.

Re: [openssl-users] good riddance to PayPal

2016-05-06 Thread Steve Marquess
On 05/06/2016 10:29 AM, Jakob Bohm wrote: > On 06/05/2016 15:26, Steve Marquess wrote: >> On 05/06/2016 09:14 AM, Jakob Bohm wrote: >>> On 06/05/2016 13:45, Salz, Rich wrote: >>>>> Consider having the non-U.S. person do the account setup too. >>>>>

Re: [openssl-users] good riddance to PayPal

2016-05-06 Thread Steve Marquess
still being actively worked, and I'm sure we'll solve it eventually. I initially (as someone who has created multiple U.S. companies) thought it would be as easy as you assume. It's been an education. -Steve M.

Re: [openssl-users] good riddance to PayPal

2016-05-06 Thread Steve Marquess
f us fall in that category anyway; OpenSSL is not a U.S. centric organization. Our U.S. connections are only due to the circumstantial fact that the OpenSSL team member (me) who initially set up our banking arrangements happened to be American. -Steve M.

Re: [openssl-users] good riddance to PayPal

2016-05-06 Thread Steve Marquess
r unspecified reasons a week later. I've spent an unbelievable amount of time on this. If there is a non-U.S. bank willing to have OpenSSL as a customer I'd love to talk to them. We've even created non-U.S. corporate entities (in IoM and BVI) for that purpose; after many months they

Re: [openssl-users] good riddance to PayPal

2016-05-05 Thread Steve Marquess
On 05/05/2016 07:52 PM, debbie10t wrote: > Hello, > > On 05/05/16 21:41, Steve Marquess wrote: >> We've had a PayPal account for years, as the most convenient way for >> individuals to send small donations. However, as the person who has >> managed that account I c

Re: [openssl-users] good riddance to PayPal

2016-05-05 Thread Steve Marquess
re is a requirement that the web site on which payments are processed be located in the U.S. Our servers are all in Europe, appropriately so. -Steve M.

[openssl-users] good riddance to PayPal

2016-05-05 Thread Steve Marquess
egret that there is no clear alternative to switch to instead (suggestions welcome if there are options I'm unaware of). -Steve M.

Re: [openssl-users] FIPS compile issue with Perl on Windows

2016-04-19 Thread Steve Marquess
On 04/19/2016 10:43 AM, Jakob Bohm wrote: > On 19/04/2016 16:31, Steve Marquess wrote: >> On 04/19/2016 09:16 AM, Jakob Bohm wrote: >>> On 19/04/2016 13:44, Leaky wrote: >>>> Thanks, but I am still scratching my head as to if that is even >>>> possible o

Re: [openssl-users] FIPS compile issue with Perl on Windows

2016-04-19 Thread Steve Marquess
ailable, but the CMVP required the specification of fixed build commands from the very first validation. No requirement that a specific version of "gunzip" be used, so the use of a script would appear to be permitted. Confusing, for sure... -Steve M.

Re: [openssl-users] FIPS compile issue with Perl on Windows

2016-04-19 Thread Steve Marquess
On 04/18/2016 08:25 PM, Jakob Bohm wrote: > On 19/04/2016 01:51, Steve Marquess wrote: >> On 04/18/2016 04:05 PM, Leaky wrote: >>>>> plus you're constrained by the >>>>> requirements of the Security Policy to build the module with precisely >>>

Re: [openssl-users] FIPS compile issue with Perl on Windows

2016-04-18 Thread Steve Marquess
d requirements. It doesn't make sense, from the software engineering viewpoint, but is what the FIPS 140-2 validation bureaucracy insists on. -Steve M.

Re: [openssl-users] FIPS compile issue with Perl on Windows

2016-04-18 Thread Steve Marquess
you can then use normal software engineering best practice for building OpenSSL proper (e.g. 1.0.2g) and your application code, and automation would make more sense. -Steve M.

[openssl-users] FIPS 140-2 web site error

2016-04-11 Thread Steve Marquess
ore than a week behind us, and we haven't been offered the bazillion dollars and a pony it would take for us to agree to relinquish that validation. I've asked the accredited test lab to contact the CMVP to correct it. Based on past experience that could take days to weeks. -Steve M

Re: [openssl-users] Execute failed when I tried to enable fips_mode.

2016-04-08 Thread Steve Marquess
not supported:o_fips.c:92: > ... You linked your test program with a stock version of OpenSSL, not the "FIPS capable" OpenSSL that contains the OpenSSL FIPS Object Module. Building of the "FIPS capable" OpenSSL is discussed in the OpenSSL FIPS User Guide: https://www.op

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-19 Thread Steve Marquess
hat will suffice as proof a product is using a validated cryptographic module. It is even less possible than the "secure backdoor" in FBI/DoJ fantasies. -Steve M.

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-15 Thread Steve Marquess
s not fipscanister.o, but the TEXT and RODATA data within it. To use your analogy, the fipscanister.o "can" contains only one tomato which is an indigestible and indivisible blob that appears intact in the baked quiche. Bon Appétit. -Steve M.

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-15 Thread Steve Marquess
ng as a magical pixie dust detector. We cannot make one; no one can. -Steve M.

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-15 Thread Steve Marquess
5 documentation thing) and move on; I didn't and was condemned to an eternity of tilting at the FIPS 140-2 windmill... -Steve M.

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-15 Thread Steve Marquess
ia the usual common sense means). At a minimum you'll need an official CD (section 6.6; yup, snail mail is a "trusted path"). We're still sending those out for free, in spite of the significant financial losses the OpenSSL FIPS business sustained last year. -Steve M.

Re: [openssl-users] FIPS Performance Question

2016-03-08 Thread Steve Marquess
to get specific answers to hypothetical questions from the CMVP. Test labs may say "well, we're not sure", or different labs may give diametrically different answers. Sometimes the best way to answer such questions is to submit a formal validation action to elicit a definitive response.

[openssl-users] FIPS 140-2 red letter puzzle resolved

2016-02-26 Thread Steve Marquess
entry: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747 So once again all three of the OpenSSL FIPS Object Module v2.0 validations are shown as successfully surviving the "RNG transition". -Steve M.

[openssl-users] FIPS 140-2 red letter puzzle

2016-02-22 Thread Steve Marquess
a not uncommon occurrence. So, don't panic yet. I think we will eventually receive confirmation that this red-letter message is an error and that it will be corrected. Such confirmation may take some time, though. Similar errors in the past have remained uncorrected for months. -Steve M.

Re: [openssl-users] Validation status of openssl-fips-2.0.11?

2016-02-13 Thread Steve Marquess
On 02/13/2016 04:58 AM, Kyle Hamilton wrote: > > On 2/12/2016 2:03 PM, Steve Marquess wrote: >> On 02/12/2016 04:26 PM, Kyle Hamilton wrote: >>> I'm not seeing anything about openssl-fips-2.0.11 in >>> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-

Re: [openssl-users] Validation status of openssl-fips-2.0.11?

2016-02-12 Thread Steve Marquess
. The answer to that question is why we're still snail-mailing CDs (see http://openssl.com/fips/verify.html). -Steve M. [1] A tedious discussion starts at http://openssl.com/fips/hostage.html

Re: [openssl-users] Configure and config in openssl source folder

2016-02-10 Thread Steve Marquess
mandated procedure. Then take the resulting fipscanister.* and fips_premain.* files and version control those from then on out. Don't try to continually rebuild the FIPS module from source that cannot be modified anyway. -Steve M.

Re: [openssl-users] How do I verify the FIPS mode

2016-02-10 Thread Steve Marquess
md5 is not an enabled cipher in FIPS mode. It depends on the version. Recent versions of OpenSSL will give a "FIPS mode not supported" error for env OPENSSL_FIPS=1 openssl md5 ... Whereas that command for a properly built FIPS-enabled OpenSSL will give a "not permitted in FIPS mode"

[openssl-users] FIPS 140-2 X9.31 RNG transition finally complete

2016-02-10 Thread Steve Marquess
tforms at revision 2.0.12 along with the RNG transition wordsmithing. Thanks again to DataGravity for making this "RNG transition" compliance possible by paying the test lab fees. -Steve M. [*] The de-listed validations can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140

Re: [openssl-users] FIPS Object Module v2.0 and openssl security patches

2016-02-09 Thread Steve Marquess
ndated process its FIPS-ness is unaffected by OpenSSL. -Steve M.

Re: [openssl-users] FIPS building scripts does NOT work for iOS >=7

2016-02-09 Thread Steve Marquess
sually have to call on my smarter colleagues for assistance. There are others who may be able to help, for instance Jeff Walton. -Steve M.

[openssl-users] FIPS 140-2 X9.31 RNG transition ... still in transition

2016-02-08 Thread Steve Marquess
rsue a new validation I haven't seen it yet. -Steve M. [1] Tediously documented in the "hostage/ransom/aftermath" trilogy at http://openssl.com/fips/ [2] See https://openssl.org/blog/blog/2015/09/29/fips/

Re: [openssl-users] FIPS building scripts does NOT work for iOS >=7

2016-02-04 Thread Steve Marquess
On 02/04/2016 05:31 PM, Steve Marquess wrote: > On 02/04/2016 03:19 PM, Yang Hong wrote: >> Hello folks. >> >> >> I follow the latest User Guide 2.0 to build iOS the FIPS Object Module >> and FIPS Capable library for iOS devices (*/E.2 Apple iOS Supp

Re: [openssl-users] FIPS building scripts does NOT work for iOS >=7

2016-02-04 Thread Steve Marquess
/when we test more iOS versions we'll make changes as appropriate. -Steve M.

Re: [openssl-users] Enforcing FIPS via Cipher Suites Declaration

2016-02-04 Thread Steve Marquess
e Wikipedia article is as good a place as any to start. Also note the OpenSSL FIPS User Guide, https://openssl.org/docs/fips/SecurityPolicy-2.0.pdf. -Steve M.

Re: [openssl-users] How to enable FIPS mode system-wide for the FIPS capable OpenSSL?

2016-01-29 Thread Steve Marquess
openssl.conf. See the FIPS user guide, https://openssl.org/docs/fips/UserGuide-2.0.pdf, section 5.2. -Steve M.

Re: [openssl-users] OpenSSL FIPS modules and APIs compatibility

2016-01-27 Thread Steve Marquess
"fips" option in the presence of the FIPS module) will behave just like stock OpenSSL until the FIPS mode of operation is enabled. At that point many cryptographic operations are automagically disabled; but that's not the same thing as changing the API. -Steve M.

Re: [openssl-users] FIPS Certification

2016-01-27 Thread Steve Marquess
hoose to give their customized OS a distinctive brand name (e.g. "AcmeOS 1.0") so that the same formally tested OE will cover multiple Linux kernels under that OS brand name and unchanged OS version number. It would be a bit of a stretch to re-brand Microsoft Windows, though. Your options

Re: [openssl-users] FIPS Certification

2016-01-27 Thread Steve Marquess
It isn't; the validated crypto is necessarily inferior to its unvalidated equivalent (e.g. stock OpenSSL in the case of the OpenSSL FIPS Object Module) by every real world metric (security, performance, maintainability). -Steve M.

Re: [openssl-users] FIPS Certification

2016-01-27 Thread Steve Marquess
atch (or if source code tweaks are necessary), you can fund addition of your platform(s) of interest to one of the validations. That is how the list of formally tested platforms has over time grown to more than 120 "OEs", more than any other validated module. -Steve M.

Re: [openssl-users] FIPS Certification

2016-01-27 Thread Steve Marquess
openssl.com/> (2473). Does that mean that we > now have a FIPS compliant Open SSL again?** You missed my post yesterday: https://mta.openssl.org/pipermail/openssl-users/2016-January/002858.html Note it's not a simple yes/no kind of answer. -Steve M.

[openssl-users] FIPS 140-2 X9.31 RNG transition partially done

2016-01-26 Thread Steve Marquess
ction labeled "X9.31 RNG transition, December 31, 2015". [2] Details for masochists only: http://openssl.com/fips/ransom.html

Re: [openssl-users] OpenSSL FIPS modules license

2016-01-22 Thread Steve Marquess
On 01/22/2016 04:28 PM, security veteran wrote: > Hi All, > > What type of license does OpenSSL FIPS modules have? Is it the same as > the OpenSSL license, or is it a different license? > > Thanks. Same license. -Steve M.

Re: [openssl-users] OpenSSL FIPS Object Module v2.0

2016-01-20 Thread Steve Marquess
0. I'm not even going to try and guess how long they'll take to review it; we've had to wait over six months for similar (no new platforms) change letters. -Steve M.

Re: [openssl-users] Questions regarding the openssl FIPS self-tests

2016-01-20 Thread Steve Marquess
t one set of shared libraries can be used for all processes, both those that care about FIPS 140-2 and those that don't. The OpenSSL + OpenSSL FIPS module combination (the "FIPS capable" OpenSSL) was designed for such dual use so that the FIPS behavior wouldn't be seen *unles

Re: [openssl-users] What version of OpenSSL source can be built with FIPS modules?

2016-01-19 Thread Steve Marquess
distros, and generally found it more trouble than it was worth to try replacing bundled vendor packages, as opposed to installing a new OpenSSL along with new versions of the OSS products that used it (such as OpenSSH, Apache httpd, Stunnel, etc.). -Steve M.

Re: [openssl-users] What version of OpenSSL source can be built with FIPS modules?

2016-01-19 Thread Steve Marquess
option to make a "FIPS capable" OpenSSL, as I haven't looked at the Ubuntu modifications. Try it and see. -Steve M.

Re: [openssl-users] Does OpenSSL FIPS modules only affect libcrypto.so

2016-01-19 Thread Steve Marquess
conflict with that objective (to some extent anyway, by forcing the POST to even in the more common case where FIPS 140-2 was not desired). So that design objective will not be fully achievable in future validations. -Steve M.

Re: [openssl-users] Does OpenSSL FIPS modules only affect libcrypto.so

2016-01-19 Thread Steve Marquess
the "FIPS enabled" mechanism just so that vendors would not need to ship two different sets of binaries to their customers who do and don't care about FIPS 140-2. Ship the "FIPS enabled" OpenSSL libraries to all your customers, and those who don't explicitly enable FI

[openssl-users] FIPS 140-2 X9.31 RNG transition submitted

2015-12-28 Thread Steve Marquess
the same cryptographic module). I check the NIST CMVP web site[*] every day to see what they have or haven't done in the last 24 hours, and will announce any results here if and when there is anything to announce. -Steve M. [*] http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val

Re: [openssl-users] FIPS 140-2 X9.31 RNG transition expenses

2015-12-22 Thread Steve Marquess
On 12/14/2015 08:23 AM, Steve Marquess wrote: > On 12/02/2015 11:16 AM, Steve Marquess wrote: >> If you don't know or care what FIPS 140-2 is, be very glad this isn't >> your problem and turn your charitable attentions to some worthy cause. >> >> The CMVP

Re: [openssl-users] FIPS 140-2 X9.31 RNG transition expenses

2015-12-22 Thread Steve Marquess
of any actual use of X9.31 with those modules. The paper shuffle basically consists of removing most mentions of X9.31 RNG from the Security Policy document. Any application that has deliberately and explicitly enabled a non-default use of the X9.31 RNG would need to be changed, independently of th

Re: [openssl-users] FIPS 140-2 X9.31 RNG transition expenses

2015-12-22 Thread Steve Marquess
We are not taking on a new validation with new algorithms, etc., > unless we get one or more sponsors who are willing to contribute a > significant amount of money, among other things. Correct ... we are eager to do so but lack the opportunity at present. I remain hopeful that we will be able to att

Re: [openssl-users] undefined reference to `FIPS_mode'

2015-12-21 Thread Steve Marquess
bled" OpenSSL need to be built for that target platform, not the build system. -Steve M.

Re: [openssl-users] undefined reference to `FIPS_mode'

2015-12-21 Thread Steve Marquess
de as sudo, I get this error: > > error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not > supported Your specific platform isn't supported. The OpenSSL FIPS module doesn't run on as many platforms as OpenSSL proper. -Steve M.

Re: [openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

2015-12-21 Thread Steve Marquess
On 12/21/2015 07:06 AM, Jakob Bohm wrote: > On 18/12/2015 19:58, Steve Marquess wrote: >> On 12/18/2015 12:58 PM, jonetsu wrote: >>> Fair enough (in this context). But what about the code itself, is it >>> ready >>> to be RSA 186-4 compliant ? >> We thin

Re: [openssl-users] FIPS 140-2 library

2015-12-19 Thread Steve Marquess
ndary consideration, instead you must ask "is there a validated product available that will allow X"? You can't code your way to FIPS 140-2 validated status, you have to find and use something that is already validated. -Steve M. -- Steve Marquess OpenSSL Software Foundation 1829

Re: [openssl-users] FIPS 140-2 library

2015-12-19 Thread Steve Marquess
rectory" means. -Steve M. -- Steve Marquess OpenSSL Software Foundation 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@openssl.com gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc ___ openssl-us

Re: [openssl-users] FIPS 140-2 library

2015-12-19 Thread Steve Marquess
Level 3" validation?: https://en.wikipedia.org/wiki/FIPS_140-2#Level_3 The OpenSSL FIPS Object Module v2.0 validations are Level 1, as is the case with all software-only validations. The higher level validations are much more closely tied to specific hardware devices. -Steve M. -- Steve

Re: [openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

2015-12-18 Thread Steve Marquess
hasn't been sprinkled with the magical pixie dust of FIPS 140-2 validation. Writing the code isn't trivial, but that has never been the hard part... -Steve M. -- Steve Marquess OpenSSL Software Foundation 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 25

Re: [openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

2015-12-18 Thread Steve Marquess
utcomes. We will undertake another tilt at the windmill with the prerequisites Rich noted above, but I think a successful outcome for the sixth such validation will also require the engagement of politically adept stakeholders. -Steve M. -- Steve Marquess OpenSSL Software Foundation 1829 Mount Ephra

Re: [openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

2015-12-18 Thread Steve Marquess
aren't allowed to fix vulnerabilities (e.g. Lucky 13). So no. We will address all new FIPS 140-2 requirements, and known vulnerabilities, and support of OpenSSL 1.1, if and when we're in a position to pursue a new open source based validation to succeed the current #1747/#2398/#2473. -Steve

[openssl-users] OpenSSL FIPS Object Module 2.011 approved

2015-12-18 Thread Steve Marquess
and its three validations (#1747, #2398, #2473). -Steve M. [1] For masochists only: http://openssl.com/fips/aftermath.html -- Steve Marquess OpenSSL Software Foundation 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@openssl.com gpg/pgp key

Re: [openssl-users] FIPS 140-2 X9.31 RNG transition expenses

2015-12-14 Thread Steve Marquess
On 12/02/2015 11:16 AM, Steve Marquess wrote: > If you don't know or care what FIPS 140-2 is, be very glad this isn't > your problem and turn your charitable attentions to some worthy cause. > > The CMVP has introduced a new policy that will result in the effective > t

Re: [openssl-users] openssl fipsalgtest

2015-12-09 Thread Steve Marquess
cript" file. I'll also note that sorting out the algorithm tests will be relatively trivial compared to hacking the OpenSSL FIPS Object Module v2.0 code to meet all the new requirements that have accumulated since that validation was obtained. You'll want to do those mods before the al

Re: [openssl-users] FIPS 140-2 X9.31 RNG transition expenses

2015-12-03 Thread Steve Marquess
holds. I'll blog again when I know the outcome of the X9.31 RNG transition issue. -Steve M. -- Steve Marquess OpenSSL Software Foundation 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@openssl.com gpg/pgp key: http://openssl.com/docs/0x

Re: [openssl-users] FIPS 140-2 X9.31 RNG transition expenses

2015-12-02 Thread Steve Marquess
On 12/02/2015 11:16 AM, Steve Marquess wrote: > If you don't know or care what FIPS 140-2 is, be very glad this isn't > your > problem and turn your charitable attentions to some worthy > cause. > > The CMVP has introduced a new policy that will result in the >

[openssl-users] FIPS 140-2 X9.31 RNG transition expenses

2015-12-02 Thread Steve Marquess
end any money to us; if you're interested in covering this cost I'll put you directly in touch with the test lab to work out specific payment arrangements. Thanks, -Steve M. [1] See "X9.31 RNG transition, December 31, 2015" at http://csrc.nist.gov/groups/STM/cmvp/notices

[openssl-users] FIPS 140-2, a game of chance

2015-11-13 Thread Steve Marquess
's an open ended gamble: submit, hope, wait, ... -Steve M. [1] See http://veridicalsystems.com/blog/the-fickleness-of-fips/; note that dual submission did pay off for that client. -- Steve Marquess OpenSSL Software Foundation 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6

Re: [openssl-users] OCSP_sendreq_bio()

2015-10-28 Thread Steve Marquess
cess > as long as infinite recursion is avoided, preferably > through the choice of server certificates. There are environments where https must be used for OCSP, due to policy fiat and/or firewall restrictions. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim

Re: [openssl-users] Cryptographic export laws + OpenSSL

2015-10-27 Thread Steve Marquess
S Object Module User Guide, http://www.openssl.org/docs/fips/UserGuide.pdf Again, you really need to seek appropriate legal counsel and should not make any decisions based on any comments by OSF or OpenSSL. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD

Re: [openssl-users] CAVP protocol testing - what does it really consist of ?

2015-10-23 Thread Steve Marquess
On 10/21/2015 03:22 PM, jonetsu wrote: >> From: "Steve Marquess" >> Date: 10/21/15 14:18 >> See Appendix B of the OpenSSL FIPS User Guide: > >> https://openssl.org/docs/fips/UserGuide-2.0.pdf > > Thanks. > >> The specific algorithm te
