Re: [monit-dev] [PATCH] add support for FIPS-140 mode when available in
From: Jan-Henrik Haukeland
Subject: Re: [monit-dev] [PATCH] add support for FIPS-140 mode when available in OpenSSL
Date: Sat, 24 Jul 2010 00:37:38 +0200

Hi Lior,

Thank you very much for the patch. I'm not familiar with FIPS and
looked up the URL and must admit I didn't get much wiser. What I noticed though
was this sentence: "OpenSSL 1.0.0 is not supported for use with the OpenSSL
FIPS Object Module." Given that most newer systems will come with version 1.x
of OpenSSL I wonder if this may over time just be dead code in Monit? Or do you
know if there is any indication that the FIPS module will be maintained and
updated to newer versions of OpenSSL?
jan-henrik
On Jul 22, 2010, at 4:35 PM, Lior Okman wrote:
> Hi all,
>
> Please find attached a patch to add support for enabling FIPS-140 mode in
> Monit.
>
> This requires an OpenSSL installation that supports FIPS-140 (see
> http://openssl.org/docs/fips/ for details).
>
> The patch does the following:
>
> 1. Add a global "set fips" directive to enable FIPS-140 mode.
> 2. Force using TLSv1 instead of SSLv23 (as per FIPS-140 requirements)
> 3. Disable the certmd5 option when in FIPS mode since md5 is not
> available when in FIPS-140 mode.
>
> Regards,
> Lior Okman