Date: Sun, 6 Mar 2011 17:16:00 -0500
From: jw011235 <jw011235@gmail.com>
To: Simon L. B. Nielsen <simon@nitro.dk>
Cc: Alexander Sack <pisymbol@gmail.com>, freebsd-security@freebsd.org
Subject: Re: FIPS compliant openssl possible within the FreeBSD build systems?
Message-ID: <8F26F104-E000-4D4B-833A-C17E454098C5@gmail.com>
In-Reply-To: <569CE2FF-151D-45F8-8B73-814D5CA0E47F@nitro.dk>
References: <AANLkTi=%2BqUYAsXuAKehhAVgrta%2BFJrOf%2BcZ-WJv1%2B=i4@mail.gmail.com> <AANLkTikJHkBk-Af3O60PJNzPOjYe8-OMU%2BjvyW_qPhq1@mail.gmail.com> <569CE2FF-151D-45F8-8B73-814D5CA0E47F@nitro.dk>

On Mar 6, 2011, at 4:22 PM, Simon L. B. Nielsen wrote:

>
> On 3 Mar 2011, at 18:23, Alexander Sack wrote:
>
>> On Mon, Feb 28, 2011 at 7:33 PM, Alexander Sack
>> <pisymbol@gmail.com> wrote:
>>> Hello:
>>>
>>> I am a bit confused! I am reading the FIPS user guide and the
>>> following document:
>>>
>>> http://www.openssl.org/docs/fips/fipsnotes.html
>>>
>>> I quote
>>>
>>> "If even the tiniest source code or build process changes are required
>>> for your intended application, you cannot use the open source based
>>> validated module directly. You must obtain your own validation. This
>>> situation is common; see "Private Label" validation, below. "
>>>
>>> Also, the openssl distribution has to match the right PGP keys.
>>>
>>> So to those who are more of Openssl/FIPS experts than I, I have some
>>> basic questions:
>>>
>>> 1) I assume it is impossible to make a FIPS capable openssl
>>> distribution straight out of the FreeBSD source tree without "Private
>>> Validation" as defined in the document above? (i.e. you can certainly
>>> build it this way but you are violating the guidelines for FIPS
>>> Compliance or do the maintainers out of src/crypto/openssl ENSURE that
>>> the distro in that tree is equivalent to the openssl distro, even for
>>> PGP key checks?)
> [...]
>> I guess to put things more simply:
>>
>> Has the distribution integrated within the FreeBSD source tree been
>> validated against its PGP keys so it can be built FIPS capable?
>
> For all the imports I did of OpenSSL to the FreeBSD base system
> (which means any OpenSSL import since FreeBSD 7.0), the PGP key for
> the source tar was verified. That said, in the FreeBSD base system
> we totally replace the OpenSSL build system and 'manually' apply fixes
> for the OpenSSL security issues, so we certainly don't build OpenSSL
> unmodified.
>
> I never had a reason to look at OpenSSL FIPS, so I don't really know
> if it's possible to get it working on FreeBSD, but it's possible you
> can manually build and install stock OpenSSL by hand.
>
> --
> Simon L. B. Nielsen
> Hats: Ex-OpenSSL maintainer, FreeBSD Deputy Security Officer
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

I've been running OpenSSL FIPS for several years now on FreeBSD so it's certainly possible. It's not terribly hard to compile but I wouldn't do it through the ports. Download the source (I used the 0.9 source) and FIPS instructions and compile by hand.

Certifying your installation through NIST is an entirely different matter. My company elected to put off the process until we had a contract to justify the expense and time involved. You'll have to dig for it, but the NIST website has details on the process.

Best of luck,

Jason Williams
