monit-dev
From: Lior Okman
Subject: Re: [monit-dev] [PATCH] add support for FIPS-140 mode when available in OpenSSL
Date: Sat, 24 Jul 2010 08:34:19 +0300

Hi Jan-Henrik,

I don't know if OpenSSL will actually be updated any time soon to
support FIPS-140 in 1.0.0.

Since FIPS-140 support is required for any product that uses
cryptography in most federal installations, I can only guess that the
FIPS module in OpenSSL will be updated. It's probably going to take
some time, since it costs a lot of money to get a FIPS-140
certification from the NSA, and the current OpenSSL certification is
good until the end of 2010. I'm guessing that one of the big players
will want to keep OpenSSL FIPS-certified, and that will mean updating
the certification.

Looking at most enterprise distributions and some of the larger ones
(RHEL, SuSE, Ubuntu, Debian), they all still ship with (and their
unstable version is based on) 0.9.8 - I'm guessing one of the reasons
is exactly this. You need FIPS-140 support (or the ability to support
it) if you want to sell to the US federal government.

Lior


On Sat, Jul 24, 2010 at 1:37 AM, Jan-Henrik Haukeland
<address@hidden> wrote:
> Hi Lior, Thank you very much for the patch. I'm not familiar with FIPS and 
> looked up the URL and must admit I didn't get much wiser. What I noticed 
> though was this sentence: "OpenSSL 1.0.0 is not supported for use with the 
> OpenSSL FIPS Object Module." Given that most newer systems will come with 
> version 1.x of OpenSSL I wonder if this may over time just be dead code in 
> Monit? Or do you know if there is any indication that the FIPS module will be 
> maintained and updated to newer versions of OpenSSL?
>
> jan-henrik
>
> On Jul 22, 2010, at 4:35 PM, Lior Okman wrote:
>
>> Hi all,
>>
>> Please find attached a patch to add support for enabling FIPS-140 mode in 
>> Monit.
>>
>> This requires an OpenSSL installation that supports FIPS-140 (see
>> http://openssl.org/docs/fips/ for details).
>>
>> The patch does the following:
>>
>> 1. Add a global "set fips" directive to enable FIPS-140 mode.
>> 2. Force using TLSv1 instead of SSLv23 (as per FIPS-140 requirements)
>> 3. Disable the certmd5 option when in FIPS mode since md5 is not
>> available when in FIPS-140 mode.
>>
>> Regards,
>> Lior Okman
>
> _______________________________________________
> monit-dev mailing list
> address@hidden
> http://lists.nongnu.org/mailman/listinfo/monit-dev
>
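As an added example that is not part of Lior's patch or of Monit's source: the three rules listed in the patch description ("set fips" enables FIPS-140 mode, TLSv1 replaces SSLv23, certmd5 is disabled under FIPS) modelled in C as a configuration-resolution step. The monitrc-style snippets, the simplified keyword syntax, and the SslConfig/resolve_ssl_config names are constructed for this illustration; the OpenSSL calls named in comments (FIPS_mode_set, TLSv1_client_method) are only mentioned, not invoked, so the file builds without libssl.

```c
/* Added example (not Monit's code): the patch's three FIPS rules modelled as a
 * config-resolution step. The monitrc syntax here is simplified (assumption),
 * and the OpenSSL calls in comments are deliberately not made. */
#include <stdio.h>
#include <string.h>

typedef struct {
    int fips;            /* 1 if a "set fips" directive was seen */
    int certmd5;         /* 1 if an MD5 certificate-fingerprint check is still active */
    int certmd5_dropped; /* 1 if certmd5 was requested but disabled by FIPS mode */
    const char *method;  /* SSL method to select: "TLSv1" under FIPS, else "SSLv23" */
    char warning[160];   /* human-readable note when a check was disabled */
} SslConfig;

/* Constructed sample configs (not taken from a real monitrc). */
static const char *EXAMPLE_RC_PLAIN =
    "set daemon 60\n"
    "check host web with address 127.0.0.1\n"
    "  if failed port 443 type tcpssl certmd5 \"12:34:56\" then alert\n";

static const char *EXAMPLE_RC_FIPS =
    "set daemon 60\n"
    "set fips   # enable FIPS-140 mode in OpenSSL\n"
    "check host web with address 127.0.0.1\n"
    "  if failed port 443 type tcpssl certmd5 \"12:34:56\" then alert\n";

static SslConfig g_cfg;  /* result slot so callers can inspect the last resolution */

/* Scan one line for the two keywords, ignoring anything after '#'. */
static void scan_line(const char *line, size_t len, SslConfig *cfg)
{
    char buf[256];
    char *tok, *prev = NULL, *hash;
    if (len >= sizeof buf) len = sizeof buf - 1;
    memcpy(buf, line, len);
    buf[len] = '\0';
    if ((hash = strchr(buf, '#')) != NULL) *hash = '\0';
    for (tok = strtok(buf, " \t\r"); tok; tok = strtok(NULL, " \t\r")) {
        if (prev && strcmp(prev, "set") == 0 && strcmp(tok, "fips") == 0)
            cfg->fips = 1;
        else if (strcmp(tok, "certmd5") == 0)
            cfg->certmd5 = 1;
        prev = tok;
    }
}

/* Resolve the SSL settings for a config text. Returns 1 if FIPS mode forced a
 * requested check to be disabled (so the operator can be told), else 0. */
int resolve_ssl_config(const char *rc, SslConfig *cfg)
{
    const char *p = rc, *nl;
    memset(cfg, 0, sizeof *cfg);
    while (*p) {
        nl = strchr(p, '\n');
        scan_line(p, nl ? (size_t)(nl - p) : strlen(p), cfg);
        if (!nl) break;
        p = nl + 1;
    }
    if (cfg->fips) {
        /* Real build: call FIPS_mode_set(1) here and abort if it returns 0; a
         * config that asked for FIPS must not silently run without it. */
        cfg->method = "TLSv1";   /* SSLv2/SSLv3 are not FIPS-approved protocols */
        if (cfg->certmd5) {
            cfg->certmd5 = 0;
            cfg->certmd5_dropped = 1;
            snprintf(cfg->warning, sizeof cfg->warning,
                     "certmd5 disabled: MD5 is not available in FIPS-140 mode");
        }
    } else {
        cfg->method = "SSLv23";
    }
    return cfg->certmd5_dropped;
}

int main(void)
{
    const char *samples[2] = { EXAMPLE_RC_PLAIN, EXAMPLE_RC_FIPS };
    int i;
    for (i = 0; i < 2; i++) {
        resolve_ssl_config(samples[i], &g_cfg);
        printf("sample %d: fips=%d method=%s certmd5=%d %s\n", i, g_cfg.fips,
               g_cfg.method, g_cfg.certmd5, g_cfg.warning);
    }
    return 0;
}
```

The patch description says certmd5 is simply disabled in FIPS mode. The example records that as a warning and a non-zero return rather than dropping the check silently, because an operator who pinned a certificate by MD5 fingerprint should learn that the pin is no longer enforced and move to a non-MD5 fingerprint; a config that asks for FIPS should likewise fail hard if the underlying FIPS_mode_set call does not succeed.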


