From: Alexander Sack
To: freebsd-security@freebsd.org
Date: Mon, 28 Feb 2011 19:33:49 -0500
Subject: FIPS compliant openssl possible within the FreeBSD build systems?

Hello:

I am a bit confused! I am reading the FIPS user guide and the following document:

http://www.openssl.org/docs/fips/fipsnotes.html

I quote:

"If even the tiniest source code or build process changes are required for your intended application, you cannot use the open source based validated module directly. You must obtain your own validation. This situation is common; see "Private Label" validation, below."

Also, the openssl distribution has to match the right PGP keys.

So to those who are more of Openssl/FIPS experts than I, I have some basic questions:

1) I assume it is impossible to make a FIPS capable openssl distribution straight out of the FreeBSD source tree without "Private Validation" as defined in the document above? (i.e. you can certainly build it this way but you are violating the guidelines for FIPS Compliance, or do the maintainers out of src/crypto/openssl ENSURE that the distro in that tree is equivalent to the openssl distro, even for PGP key checks?)

2) Can you make a FIPS capable openssl port? i.e. use the stock distro, write some script to validate keys, create a separate FIPS port or part of the openssl port, etc. Case in point, RHEL I believe has a FIPS compliant RPM which does this in its spec file.

3) Does anyone know if having FIPS mode set breaks common openssl consumers? :-) (i.e. the Apache/mod_ssl's of the world)

My organization is investigating what it will take to make a fully FIPS compliant system (capable first, but in a compliant way). I have been assigned this most fantastic assignment. Any advice (other than run) would be appreciated!

Thanks!

-aps