Date: Sun, 6 Mar 2011 19:20:32 -0500 From: Alexander Sack <pisymbol@gmail.com> To: jw011235 <jw011235@gmail.com> Cc: "Simon L. B. Nielsen" <simon@nitro.dk>, freebsd-security@freebsd.org Subject: Re: FIPS compliant openssl possible within the FreeBSD build systems? Message-ID: <AANLkTi=xcBMujOT6WtX3jL7KOvV=%2BRTsRpxGAqFO=yhb@mail.gmail.com> In-Reply-To: <8F26F104-E000-4D4B-833A-C17E454098C5@gmail.com> References: <AANLkTi=%2BqUYAsXuAKehhAVgrta%2BFJrOf%2BcZ-WJv1%2B=i4@mail.gmail.com> <AANLkTikJHkBk-Af3O60PJNzPOjYe8-OMU%2BjvyW_qPhq1@mail.gmail.com> <569CE2FF-151D-45F8-8B73-814D5CA0E47F@nitro.dk> <8F26F104-E000-4D4B-833A-C17E454098C5@gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, Mar 6, 2011 at 5:16 PM, jw011235 <jw011235@gmail.com> wrote: > > On Mar 6, 2011, at 4:22 PM, Simon L. B. Nielsen wrote: > >> >> On 3 Mar 2011, at 18:23, Alexander Sack wrote: >> >>> On Mon, Feb 28, 2011 at 7:33 PM, Alexander Sack <pisymbol@gmail.com> >>> wrote: >>>> >>>> Hello: >>>> >>>> I am a bit confused! =A0I am reading the FIPS user guide and the >>>> following document: >>>> >>>> http://www.openssl.org/docs/fips/fipsnotes.html >>>> >>>> I quote >>>> >>>> "If even the tiniest source code or build process changes are required >>>> for your intended application, you cannot use the open source based >>>> validated module directly. You must obtain your own validation. This >>>> situation is common; see "Private Label" validation, below. " >>>> >>>> Also, the openssl distribution has to match the right PGP keys. >>>> >>>> So to those who are more of Openssl/FIPS experts than I, I have some >>>> basic questions: >>>> >>>> 1) =A0I assume if it impossible to make a FIPS capable openssl >>>> distribution straight out of the FreeBSD source tree without "Private >>>> Validation" as defined in the document above? (i.e. you can certainly >>>> build it this way but you are violating the guidelines for FIPS >>>> Compliance or do the maintainers out of src/crypto/openssl ENSURE that >>>> the distro in that tree is equivalent to the openssl distro, even for >>>> PGP key checks?) >> >> [...] >>> >>> I guess to put things more simply: >>> >>> Is the distribution integrated within the FreeBSD source tree been >>> validated against its PGP keys so it can be built FIPS capable? >> >> For all the imports I did of OpenSSL to the FreeBSD base system (which >> means any OpenSSL import since FreeBSD 7.0), the PGP key for the source = tar >> was verified. That said, in the FreeBSD base system totally replace the >> OpenSSL build system and 'manually' apply fixes for the OpenSSL security >> issues we certainly don't build OpenSSL unmodified. >> >> I never had a reason to look at OpenSSL FIPS, so I don't really know if >> it's possible to get it working on FreeBSD, but it's possible you can >> manually build and install stock OpenSSL by hand. >> >> -- >> Simon L. B. Nielsen >> Hats: Ex-OpenSSL maintainer, FreeBSD Deputy Security Officer >> >> _______________________________________________ >> freebsd-security@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-security >> To unsubscribe, send any mail to >> "freebsd-security-unsubscribe@freebsd.org" > > > I've been running OpenSSL FIPS for several years now on FreeBSD so it's > certainly possible. It's not terribly hard to compile but I wouldn't do i= t > through the ports. Download the source ( I used the 0.9 source ) and FIPS > instructions and compile by hand. > > Certifying your installation through NIST is an entirely different matter= . > My company elected to put off the process until we had a contract to just= ify > the expense and time involved. You'll have to dig for it, but the NIST > website has details on the process. Wait, is NIST cert required to be FIPS capable? I don't think so. -aps
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AANLkTi=xcBMujOT6WtX3jL7KOvV=%2BRTsRpxGAqFO=yhb>