Question about no-* options (no-fips in particular) on 1.1 branch

Question about no-* options (no-fips in particular) on 1.1 branch

wrowe
Did the no-fips option get removed by-design? Are the no-*
corollaries going to be dropped going forwards?

../src/openssl-1.1.0git/config shared no-fips --libdir=lib
--prefix=/opt/openssl110

Operating system: x86_64-whatever-linux2
Configuring for linux-x86_64
Configuring OpenSSL version 1.1.0f-dev (0x10100060L)
***** Unsupported options: no-fips
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: Question about no-* options (no-fips in particular) on 1.1 branch

Jan Ehrhardt
Hi Bill,

William A Rowe Jr in gmane.comp.encryption.openssl.devel (Wed, 12 Apr
2017 13:09:05 -0500):

>Did the no-fips option get removed by-design? Are the no-*
>corollaries going to be dropped going forwards?
>
>../src/openssl-1.1.0git/config shared no-fips --libdir=lib
>--prefix=/opt/openssl110
>
>Operating system: x86_64-whatever-linux2
>Configuring for linux-x86_64
>Configuring OpenSSL version 1.1.0f-dev (0x10100060L)
>***** Unsupported options: no-fips

fips is not supported in OpenSSL 1.1 yet, so my best guess is that both
fips and no-fips are removed by-design.
--
Jan

Re: Question about no-* options (no-fips in particular) on 1.1 branch

OpenSSL - Dev mailing list
In reply to this post by wrowe
> Did the no-fips option get removed by-design? Are the no-* corollaries going
> to be dropped going forwards?

Yes.  All FIPS support was removed.  It could be brought back, and made a no-op, if that's a real issue.

There are no plans to remove any other no-* at this time.

Re: Question about no-* options (no-fips in particular) on 1.1 branch

OpenSSL - Dev mailing list
> Yes.  All FIPS support was removed.  It could be brought back, and made a
> no-op, if that's a real issue.

By it, I meant the "no-fips" option.

Re: Question about no-* options (no-fips in particular) on 1.1 branch

wrowe
In reply to this post by OpenSSL - Dev mailing list
On Wed, Apr 12, 2017 at 1:26 PM, Salz, Rich via openssl-dev
<[hidden email]> wrote:
>> Did the no-fips option get removed by-design? Are the no-* corollaries going
>> to be dropped going forwards?
>
> Yes.  All FIPS support was removed.  It could be brought back, and made a no-op, if that's a real issue.

It isn't a big problem here for me (default = no-fips, whether the
/usr/local/openssl/fips/ tree was discovered or not.) It was future
proofing a new schema before some existing fips binary might be
detected on a build box inadvertently.

But for consistency, permitting 'no-fips' for the lifespan of 1.0.2/1.1.0
seems prudent. No reason for it to survive on master.
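
A build wrapper can react to the rejection quoted in this thread without silently losing any other requested option. The following is an added example, not code from the thread or from the OpenSSL project; `DROPPABLE`, both function names and the sample output are assumptions constructed for illustration, and the rejected-option list is assumed to be separated by commas and/or spaces.

```shell
#!/bin/sh
# Added example: gate a retry on the "Unsupported options" line that config
# prints in the thread. All names and sample data below are constructed.

# Hypothetical policy: options the build may drop when config rejects them.
# Only no-fips is listed, since the thread says FIPS support was removed in 1.1.0.
DROPPABLE="no-fips"

# Read config output on stdin; print each rejected option on its own line.
# Assumes the list is separated by commas and/or spaces.
unsupported_options() {
    sed -n 's/^\*\*\*\*\* Unsupported options: *//p' | tr ', ' '\n\n' | sed '/^$/d'
}

# $1 = captured config output, remaining args = the options that were requested.
# Prints the options to retry with. Returns 1 (printing nothing on stdout) if
# config rejected an option that is not in DROPPABLE.
filter_options() {
    out=$1; shift
    rejected=" $(echo $(printf '%s\n' "$out" | unsupported_options)) "
    for r in $rejected; do
        case " $DROPPABLE " in
            *" $r "*) ;;
            *) echo "refusing to drop rejected option: $r" >&2; return 1 ;;
        esac
    done
    kept=""
    for o in "$@"; do
        case "$rejected" in
            *" $o "*) ;;                 # rejected and droppable: leave it out
            *) kept="$kept $o" ;;
        esac
    done
    printf '%s\n' "${kept# }"
}

# Constructed sample, modelled on the output quoted in the first message.
SAMPLE_OUTPUT='Configuring for linux-x86_64
***** Unsupported options: no-fips'

filter_options "$SAMPLE_OUTPUT" shared no-fips --libdir=lib --prefix=/opt/openssl110
```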