This is a discussion on Re: FIPS - Openssl

Stan wrote:
> Hi guys,
> We used to use 0.9.8 OpenSSL on Linux platform. We want to use FIPS now.
> We did the following to make FIPS mode work:
> - library is linked statically because FIPS cannot be implemented as shared
> - we had to make a little workaround to link FIPS using C compiler because
> c++ compiler doesn't work with it.
> - Once it was working we had to regenerate keys. With FIPS they have to be
> in PKCS8 format.
> - Because MD5 is not supported in FIPS mode, consequently 3DES to encrypt
> private key didn't work. We used function OpenSSL_add_all_algorithms(); that
> enabled it and it does work now.
> We use EVP_des_ede3_cbc() to encrypt private RSA key, this function was
> failing. We found in the mail archive a discussion about the problem where
> someone explained that MD5 is not supported in FIPS and consequently
> EVP_des_ede3_cbc() didn't work. But OpenSSL_add_all_algorithms(); made it
> work anyway.
> Does anyone know what has changed by calling OpenSSL_add_all_algorithms()?
> Does it break FIPS certification in any way?
> If that is not correct, what private key encryption is supposed to be used
> with FIPS?
I've seen messages on this list about 0.9.8x not supporting FIPS mode.
Has this changed and 0.9.8x with the FIPS certified module now works as
advertised (i.e. 0.9.8x with FIPS in FIPS mode is certified)?
Shining Light Productions
Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
Ask me about discounts on any Shining Light Productions product!
OpenSSL Project http://www.openssl.org
User Support Mailing List firstname.lastname@example.org
Automated List Manager email@example.com
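
The thread turns on two things: keys being in PKCS8 format, and the MD5 dependency of the older private key encryption. The following is an added example, not code from the thread or from the OpenSSL project. It is a small checker that reports which container a PEM key file uses and whether its password-based scheme relies on MD5. It relies on the fact that OpenSSL's traditional `Proc-Type`/`DEK-Info` format derives the cipher key with MD5 via `EVP_BytesToKey`; the function names and both sample keys are constructed for illustration.

```python
import base64
import re

# PKCS #5 (RFC 8018) scheme OIDs (DER content bytes) found in PKCS#8 encrypted keys.
SCHEMES = {
    bytes.fromhex("2a864886f70d01050d"): "PBES2",
    bytes.fromhex("2a864886f70d010503"): "pbeWithMD5AndDES-CBC (MD5-based)",
}

def _tlv(buf, pos):
    """Return (value_start, value_end) of the DER element starting at pos."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def classify_key(pem):
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        return "not a PEM object"
    label, body = m.groups()
    if label == "ENCRYPTED PRIVATE KEY":   # PKCS#8 EncryptedPrivateKeyInfo
        der = base64.b64decode("".join(body.split()))
        start, _ = _tlv(der, 0)            # outer SEQUENCE
        start, _ = _tlv(der, start)        # AlgorithmIdentifier SEQUENCE
        start, end = _tlv(der, start)      # encryption scheme OID
        oid = der[start:end]
        return "PKCS#8: " + SCHEMES.get(oid, "other scheme " + oid.hex())
    dek = re.search(r"DEK-Info:\s*([^,\s]+)", body)
    if "Proc-Type: 4,ENCRYPTED" in body and dek:
        # Traditional format: the cipher key is derived from the password with MD5.
        return "traditional PEM: " + dek.group(1) + ", MD5-derived key"
    return "unencrypted " + label

def sample_pkcs8(oid_bytes):
    """Constructed EncryptedPrivateKeyInfo skeleton with dummy params and ciphertext."""
    alg = bytes([0x06, len(oid_bytes)]) + oid_bytes + b"\x05\x00"
    body = bytes([0x30, len(alg)]) + alg + b"\x04\x08" + bytes(8)
    der = base64.b64encode(bytes([0x30, len(body)]) + body).decode()
    return f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{der}\n-----END ENCRYPTED PRIVATE KEY-----\n"

# Constructed sample (not a real key): header of a traditional encrypted RSA key.
SAMPLE_TRADITIONAL = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                      "DEK-Info: DES-EDE3-CBC,0011223344556677\n\nAAAA\n"
                      "-----END RSA PRIVATE KEY-----\n")
```

Note that a PKCS#8 container alone does not rule out MD5: the scheme OID inside it decides, which is why the checker reads it rather than trusting the PEM label.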