FIPS canister questions

FIPS canister questions

Swapna Pinnamaraju

Hi everyone.

 

We are running CentOS 7.8 and the OpenSSL that comes with it, ‘OpenSSL 1.0.2k-fips’. We have built the latest FOM 2.0 and now we want to incorporate the output of the FOM build into our CentOS 7.8 system. So we have two questions.

  1. How do we install the output of the FOM build (fipscanister.o et al) on the CentOS system such that the existing OpenSSL will start using the new canister?

  2. How do we verify that libcrypto is indeed using the new fipscanister.o?

 

Thanks in advance.

 

Swapna Pinnamaraju | Sr. Staff Software Engineer
Gigamon | www.gigamon.com

Address:  3300 Olcott Street, Santa Clara CA 95054

 

 

Re: FIPS canister questions

Tomas Mraz
Hello,
there is no way to do that. The CentOS OpenSSL build does not allow using the upstream FIPS Object Module.
In theory you could replace the CentOS OpenSSL library with an upstream 1.0.2 library built in a way that allows using the fipscanister.o; however, it would require non-trivial patching of the upstream OpenSSL 1.0.2 code to make it compatible with the rest of the system.

Tomáš Mráz

On 18. 8. 2020 19:51, Swapna Pinnamaraju <[hidden email]> wrote:

>Hi everyone.
>
>We are running CentOS 7.8 and the OpenSSL that comes with it, 'OpenSSL
>1.0.2k-fips'. We have built the latest FOM 2.0 and now we want to
>incorporate the output of the FOM build into our CentOS 7.8 system. So
>we have two questions.
>
>
>1.  How do we install the output of the FOM build (fipscanister.o et
>al) on the CentOS system such that the existing OpenSSL will start
>using the new canister?
>
>
>2.  How do we verify that libcrypto is indeed using the new
>fipscanister.o?
>
>Thanks in advance.
>
>Swapna Pinnamaraju | Sr. Staff Software Engineer
>Gigamon | www.gigamon.com<http://www.gigamon.com/>
>Address:  3300 Olcott Street, Santa Clara CA 95054