FIPS compliant openssl possible within the FreeBSD build systems?

Alexander Sack pisymbol at gmail.com
Mon Mar 7 00:20:33 UTC 2011


On Sun, Mar 6, 2011 at 5:16 PM, jw011235 <jw011235 at gmail.com> wrote:
>
> On Mar 6, 2011, at 4:22 PM, Simon L. B. Nielsen wrote:
>
>>
>> On 3 Mar 2011, at 18:23, Alexander Sack wrote:
>>
>>> On Mon, Feb 28, 2011 at 7:33 PM, Alexander Sack <pisymbol at gmail.com>
>>> wrote:
>>>>
>>>> Hello:
>>>>
>>>> I am a bit confused!  I am reading the FIPS user guide and the
>>>> following document:
>>>>
>>>> http://www.openssl.org/docs/fips/fipsnotes.html
>>>>
>>>> I quote
>>>>
>>>> "If even the tiniest source code or build process changes are required
>>>> for your intended application, you cannot use the open source based
>>>> validated module directly. You must obtain your own validation. This
>>>> situation is common; see "Private Label" validation, below. "
>>>>
>>>> Also, the openssl distribution has to match the right PGP keys.
>>>>
>>>> So to those who are more of OpenSSL/FIPS experts than I, I have some
>>>> basic questions:
>>>>
>>>> 1)  I assume it is impossible to make a FIPS capable openssl
>>>> distribution straight out of the FreeBSD source tree without "Private
>>>> Validation" as defined in the document above? (i.e. you can certainly
>>>> build it this way but you are violating the guidelines for FIPS
>>>> Compliance or do the maintainers out of src/crypto/openssl ENSURE that
>>>> the distro in that tree is equivalent to the openssl distro, even for
>>>> PGP key checks?)
>>
>> [...]
>>>
>>> I guess to put things more simply:
>>>
>>> Has the distribution integrated within the FreeBSD source tree been
>>> validated against its PGP keys so it can be built FIPS capable?
>>
>> For all the imports I did of OpenSSL to the FreeBSD base system (which
>> means any OpenSSL import since FreeBSD 7.0), the PGP key for the source tar
>> was verified. That said, in the FreeBSD base system we totally replace the
>> OpenSSL build system and 'manually' apply fixes for the OpenSSL security
>> issues; we certainly don't build OpenSSL unmodified.
>>
>> I never had a reason to look at OpenSSL FIPS, so I don't really know if
>> it's possible to get it working on FreeBSD, but it's possible you can
>> manually build and install stock OpenSSL by hand.
>>
>> --
>> Simon L. B. Nielsen
>> Hats: Ex-OpenSSL maintainer, FreeBSD Deputy Security Officer
>>
>
>
> I've been running OpenSSL FIPS for several years now on FreeBSD so it's
> certainly possible. It's not terribly hard to compile but I wouldn't do it
> through the ports. Download the source (I used the 0.9 source) and FIPS
> instructions and compile by hand.
>
> Certifying your installation through NIST is an entirely different matter.
> My company elected to put off the process until we had a contract to justify
> the expense and time involved. You'll have to dig for it, but the NIST
> website has details on the process.

Wait, is NIST cert required to be FIPS capable?  I don't think so.

-aps

