OpenSSL FIPS Certification

OpenSSL FIPS Certification

prakash babu
Hello All,

I came to know that OpenSSL is in its final stage of getting FIPS certification.

http://trends.newsforge.com/trends/06/01/23/0429219.shtml

Congrats to all the developers and contributors from the OpenSource community for making this happen.

I have a couple of questions in this regard.

1. Once OpenSSL is FIPS certified, will a new version be released, or can an existing version (e.g. 0.9.7i) be called FIPS certified?

2. Are there any security policy documents that have been published which contain the steps to be followed while creating an application from FIPS certified OpenSSL?

Thanks,
Prakash

Re: OpenSSL FIPS Certification

Kyle Hamilton
0.9.7h is FIPS certified, as long as you build with unmodified sources
(and this is checked with an SHA check on the sources in question).

Or at least, that's what I believe to be the case, given the
documentation on the Security Policy for it.

-Kyle H

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Re: OpenSSL FIPS Certification

Dr. Stephen Henson
On Sun, Jan 29, 2006, Kyle Hamilton wrote:

> 0.9.7h is FIPS certified, as long as you build with unmodified sources
> (and this is checked with an SHA check on the sources in question).
>

Err no IT IS NOT. The version submitted for validation included various changes
to sequestered code (the stuff under fips/). No released version of OpenSSL
currently includes these changes.

The current 0.9.7-stable snapshot sequestered code matches the submitted
version. 0.9.7j (not yet released) and later releases will also match it.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
RE: OpenSSL FIPS Certification

Jim Adams
In reply to this post by prakash babu

All,

I downloaded and built the 20060124 stable snapshot and built the FIPS
version for Windows.  It built w/o errors, but it did not create a SHA1
signature file for fipscanister.obj.  I built my application linking with
libeay32.lib and ssleay32.lib.  When I tried to enter FIPS mode with
FIPS_mode_set(1), it failed with error FIPS_F_FIPS_CHECK_DSO,
FIPS_R_FINGERPRINT_DOES_NOT_MATCH.  The build procedures have
changed since 0.9.7i, as a result of the certification back-and-forth, and
I understand the Users Guide will be released soon with the FIPS build
procedures.  But I was able to enter FIPS mode with 0.9.7i by generating
a SHA1 signature file of my app and passing the path to it to FIPS_mode_set,
which has now dropped that parameter.  

My question is, has the current snapshot changed since the 0124 snapshot
with regards to building FIPS versions for Windows and entering FIPS mode?
Or am I doing something wrong, or is there an additional step in the build
process that is not yet documented?

Jim Adams
Principal Software Developer
Seagull Software Systems, Inc.
Voice: (540) 341-8440 x102, Fax: (540) 428-3473
Re: OpenSSL FIPS Certification

Kiyoshi Watanabe
In reply to this post by Dr. Stephen Henson
Are you going to support not only 0.9.7 branch, but also 0.9.8 branch?

+Kiyoshi
Kiyoshi Watanabe
Re: OpenSSL FIPS Certification

Dr. Stephen Henson
In reply to this post by Jim Adams
On Mon, Jan 30, 2006, Jim Adams wrote:

>
> My question is, has the current snapshot changed since the 0124 snapshot
> with regards to building FIPS versions for Windows and entering FIPS mode?
> Or am I doing something wrong, or is there an additional step in the build
> process that is not yet documented?
>

There are several steps in the Windows build process for FIPS which are
currently not documented but that is being worked on. The requirements mean
that this differs quite a lot from the normal Windows builds.

What version of VC++ do you have BTW?

Steve.