Date: Thu, 3 Mar 2011 12:23:12 -0500
From: Alexander Sack <pisymbol@gmail.com>
To: freebsd-security@freebsd.org
Subject: Re: FIPS compliant openssl possible within the FreeBSD build systems?
Message-ID: <AANLkTikJHkBk-Af3O60PJNzPOjYe8-OMU%2BjvyW_qPhq1@mail.gmail.com>
In-Reply-To: <AANLkTi=%2BqUYAsXuAKehhAVgrta%2BFJrOf%2BcZ-WJv1%2B=i4@mail.gmail.com>
References: <AANLkTi=%2BqUYAsXuAKehhAVgrta%2BFJrOf%2BcZ-WJv1%2B=i4@mail.gmail.com>

On Mon, Feb 28, 2011 at 7:33 PM, Alexander Sack <pisymbol@gmail.com> wrote:
> Hello:
>
> I am a bit confused!  I am reading the FIPS user guide and the
> following document:
>
> http://www.openssl.org/docs/fips/fipsnotes.html
>
> I quote
>
> "If even the tiniest source code or build process changes are required
> for your intended application, you cannot use the open source based
> validated module directly. You must obtain your own validation. This
> situation is common; see "Private Label" validation, below. "
>
> Also, the openssl distribution has to match the right PGP keys.
>
> So to those who are more of Openssl/FIPS experts than I, I have some
> basic questions:
>
> 1)  I assume it is impossible to make a FIPS capable openssl
> distribution straight out of the FreeBSD source tree without "Private
> Validation" as defined in the document above? (i.e. you can certainly
> build it this way but you are violating the guidelines for FIPS
> Compliance or do the maintainers out of src/crypto/openssl ENSURE that
> the distro in that tree is equivalent to the openssl distro, even for
> PGP key checks?)
>
> 2)  Can you make a FIPS capable openssl port?
>
> i.e. use the stock distro, write some script to validate keys, create
> a separate FIPS port or part of the openssl port, etc. case in point,
> RHEL I believe has a FIPS compliant RPM which does this in its spec
> file.

I guess to put things more simply: Has the distribution integrated
within the FreeBSD source tree been validated against its PGP keys so
it can be built FIPS capable?

I really appreciate an official answer from one of the security officers.

Thanks!

-aps