Date: Sun, 6 Mar 2011 22:22:18 +0100 From: "Simon L. B. Nielsen" <simon@nitro.dk> To: Alexander Sack <pisymbol@gmail.com> Cc: freebsd-security@freebsd.org Subject: Re: FIPS compliant openssl possible within the FreeBSD build systems? Message-ID: <569CE2FF-151D-45F8-8B73-814D5CA0E47F@nitro.dk> In-Reply-To: <AANLkTikJHkBk-Af3O60PJNzPOjYe8-OMU%2BjvyW_qPhq1@mail.gmail.com> References: <AANLkTi=%2BqUYAsXuAKehhAVgrta%2BFJrOf%2BcZ-WJv1%2B=i4@mail.gmail.com> <AANLkTikJHkBk-Af3O60PJNzPOjYe8-OMU%2BjvyW_qPhq1@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 3 Mar 2011, at 18:23, Alexander Sack wrote: > On Mon, Feb 28, 2011 at 7:33 PM, Alexander Sack <pisymbol@gmail.com> = wrote: >> Hello: >>=20 >> I am a bit confused! I am reading the FIPS user guide and the >> following document: >>=20 >> http://www.openssl.org/docs/fips/fipsnotes.html >>=20 >> I quote >>=20 >> "If even the tiniest source code or build process changes are = required >> for your intended application, you cannot use the open source based >> validated module directly. You must obtain your own validation. This >> situation is common; see "Private Label" validation, below. " >>=20 >> Also, the openssl distribution has to match the right PGP keys. >>=20 >> So to those who are more of Openssl/FIPS experts than I, I have some >> basic questions: >>=20 >> 1) I assume if it impossible to make a FIPS capable openssl >> distribution straight out of the FreeBSD source tree without "Private >> Validation" as defined in the document above? (i.e. you can certainly >> build it this way but you are violating the guidelines for FIPS >> Compliance or do the maintainers out of src/crypto/openssl ENSURE = that >> the distro in that tree is equivalent to the openssl distro, even for >> PGP key checks?) [...] > I guess to put things more simply: >=20 > Is the distribution integrated within the FreeBSD source tree been > validated against its PGP keys so it can be built FIPS capable? For all the imports I did of OpenSSL to the FreeBSD base system (which = means any OpenSSL import since FreeBSD 7.0), the PGP key for the source = tar was verified. That said, in the FreeBSD base system totally replace = the OpenSSL build system and 'manually' apply fixes for the OpenSSL = security issues we certainly don't build OpenSSL unmodified. I never had a reason to look at OpenSSL FIPS, so I don't really know if = it's possible to get it working on FreeBSD, but it's possible you can = manually build and install stock OpenSSL by hand. --=20 Simon L. B. Nielsen Hats: Ex-OpenSSL maintainer, FreeBSD Deputy Security Officer
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?569CE2FF-151D-45F8-8B73-814D5CA0E47F>