FIPS compliant openssl possible within the FreeBSD build
systems?
Alexander Sack
pisymbol at gmail.com
Thu Mar 3 17:23:14 UTC 2011
On Mon, Feb 28, 2011 at 7:33 PM, Alexander Sack <pisymbol at gmail.com> wrote:
> Hello:
>
> I am a bit confused! I am reading the FIPS user guide and the
> following document:
>
> http://www.openssl.org/docs/fips/fipsnotes.html
>
> I quote
>
> "If even the tiniest source code or build process changes are required
> for your intended application, you cannot use the open source based
> validated module directly. You must obtain your own validation. This
> situation is common; see "Private Label" validation, below. "
>
> Also, the openssl distribution has to match the right PGP keys.
>
> So to those who are more of Openssl/FIPS experts than I, I have some
> basic questions:
>
> 1) I assume if it impossible to make a FIPS capable openssl
> distribution straight out of the FreeBSD source tree without "Private
> Validation" as defined in the document above? (i.e. you can certainly
> build it this way but you are violating the guidelines for FIPS
> Compliance or do the maintainers out of src/crypto/openssl ENSURE that
> the distro in that tree is equivalent to the openssl distro, even for
> PGP key checks?)
>
> 2) Can you make a FIPS capable openssl port?
>
> i.e. use the stock distro, write some script to validate keys, create
> a separate FIPS port or part of hte openssl port, etc. case in point,
> RHEL I believe has a FIPS compliant RPM which does this in its spec
> file.
I guess to put things more simply:
Is the distribution integrated within the FreeBSD source tree been
validated against its PGP keys so it can be built FIPS capable?
I really appreciate an official answer from one of the security officers.
Thanks!
-aps
More information about the freebsd-security
mailing list