FIPS compliant openssl possible within the FreeBSD build systems?

jw011235 jw011235 at gmail.com
Mon Mar 7 03:49:04 UTC 2011 

On Mar 6, 2011, at 7:20 PM, Alexander Sack wrote:

> On Sun, Mar 6, 2011 at 5:16 PM, jw011235 <jw011235 at gmail.com> wrote:
>>
>> On Mar 6, 2011, at 4:22 PM, Simon L. B. Nielsen wrote:
>>
>>>
>>> On 3 Mar 2011, at 18:23, Alexander Sack wrote:
>>>
>>>> On Mon, Feb 28, 2011 at 7:33 PM, Alexander Sack  
>>>> <pisymbol at gmail.com>
>>>> wrote:
>>>>>
>>>>> Hello:
>>>>>
>>>>> I am a bit confused!  I am reading the FIPS user guide and the
>>>>> following document:
>>>>>
>>>>> http://www.openssl.org/docs/fips/fipsnotes.html
>>>>>
>>>>> I quote
>>>>>
>>>>> "If even the tiniest source code or build process changes are  
>>>>> required
>>>>> for your intended application, you cannot use the open source  
>>>>> based
>>>>> validated module directly. You must obtain your own validation.  
>>>>> This
>>>>> situation is common; see "Private Label" validation, below. "
>>>>>
>>>>> Also, the openssl distribution has to match the right PGP keys.
>>>>>
>>>>> So to those who are more of Openssl/FIPS experts than I, I have  
>>>>> some
>>>>> basic questions:
>>>>>
>>>>> 1)  I assume if it impossible to make a FIPS capable openssl
>>>>> distribution straight out of the FreeBSD source tree without  
>>>>> "Private
>>>>> Validation" as defined in the document above? (i.e. you can  
>>>>> certainly
>>>>> build it this way but you are violating the guidelines for FIPS
>>>>> Compliance or do the maintainers out of src/crypto/openssl  
>>>>> ENSURE that
>>>>> the distro in that tree is equivalent to the openssl distro,  
>>>>> even for
>>>>> PGP key checks?)
>>>
>>> [...]
>>>>
>>>> I guess to put things more simply:
>>>>
>>>> Is the distribution integrated within the FreeBSD source tree been
>>>> validated against its PGP keys so it can be built FIPS capable?
>>>
>>> For all the imports I did of OpenSSL to the FreeBSD base system  
>>> (which
>>> means any OpenSSL import since FreeBSD 7.0), the PGP key for the  
>>> source tar
>>> was verified. That said, in the FreeBSD base system totally  
>>> replace the
>>> OpenSSL build system and 'manually' apply fixes for the OpenSSL  
>>> security
>>> issues we certainly don't build OpenSSL unmodified.
>>>
>>> I never had a reason to look at OpenSSL FIPS, so I don't really  
>>> know if
>>> it's possible to get it working on FreeBSD, but it's possible you  
>>> can
>>> manually build and install stock OpenSSL by hand.
>>>
>>> --
>>> Simon L. B. Nielsen
>>> Hats: Ex-OpenSSL maintainer, FreeBSD Deputy Security Officer
>>>
>>> _______________________________________________
>>> freebsd-security at freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>>> To unsubscribe, send any mail to
>>> "freebsd-security-unsubscribe at freebsd.org"
>>
>>
>> I've been running OpenSSL FIPS for several years now on FreeBSD so  
>> it's
>> certainly possible. It's not terribly hard to compile but I  
>> wouldn't do it
>> through the ports. Download the source ( I used the 0.9 source )  
>> and FIPS
>> instructions and compile by hand.
>>
>> Certifying your installation through NIST is an entirely different  
>> matter.
>> My company elected to put off the process until we had a contract  
>> to justify
>> the expense and time involved. You'll have to dig for it, but the  
>> NIST
>> website has details on the process.
>
> Wait, is NIST cert required to be FIPS capable?  I don't think so.
>
> -aps

Using the OpenSSL FIPS code is not enough to claim your products or  
services built upon it are FIPS 140-2 certified. You have to go  
through the certification process with NIST since they are responsible  
for the specification. There's a disclaimer with the OpenSSL FIPS  
instructions and source which basically states as much. I suppose you  
could claim that you are FIPS 140-2 compliant but I'm not a legal  
expert and don't know what you may or may not claim in terms of FIPS  
compliance or "capability".

If you're working with the U.S Government or subcontracting to someone  
who is, you will eventually need the certification to seal the deal  
for full funding (or at least be going through the certification  
process), otherwise, how would they know you meet the specification?  
(three letter agencies tend to be sticklers for wanting proof of that  
sort of thing :P) If you're not doing business with Uncle Sam then no  
problem, but then why bother with FIPS 140-2? It's basically a pain.  
YMMV, but that's your business.

Regards,
Jason Williams

More information about the freebsd-security mailing list