
Re: [monit-dev] [PATCH] add support for FIPS-140 mode when available in


From: Jan-Henrik Haukeland
Subject: Re: [monit-dev] [PATCH] add support for FIPS-140 mode when available in OpenSSL
Date: Sat, 24 Jul 2010 11:37:22 +0200

Hi Lior

Thank you very much for the follow up. I have read up a bit more on FIPS and I 
agree that it may be a useful addition to Monit and that someone will hopefully 
also sponsor to bring the FIPS module up to par with the latest release of 
OpenSSL. Your patch looks fine and we'll add it to the next release of Monit. 

Thanks again for your work. Appreciated!

Jan-Henrik


On Jul 24, 2010, at 7:34 AM, Lior Okman wrote:

> Hi Jan-Henrik,
> 
> I don't know if OpenSSL will actually be updated any time soon to
> support FIPS-140 in 1.0.0.
> 
> Since FIPS-140 support is required for any product that uses
> cryptography in most federal installations, I can only guess that the
> FIPS module in OpenSSL will be updated. It's probably going to take
> some time, since it costs a lot of money to get a FIPS-140
> certification from the NSA, and the current OpenSSL certification is
> good until the end of 2010. I'm guessing that one of the big players
> will want to keep OpenSSL FIPS-certified, and that will mean updating
> the certification.
> 
> Looking at most enterprise distributions and some of the larger ones
> (RHEL, SuSE, Ubuntu, Debian), they all still ship with (and their
> unstable version is based on) 0.9.8 - I'm guessing one of the reasons
> is exactly this. You need FIPS-140 support (or the ability to support
> it) if you want to sell to the US federal government.
> 
> Lior
> 
> 
> On Sat, Jul 24, 2010 at 1:37 AM, Jan-Henrik Haukeland
> <address@hidden> wrote:
>> Hi Lior,
>> 
>> Thank you very much for the patch. I'm not familiar with FIPS and 
>> looked up the URL and must admit I didn't get much wiser. What I noticed 
>> though was this sentence: "OpenSSL 1.0.0 is not supported for use with the 
>> OpenSSL FIPS Object Module." Given that most newer systems will come with 
>> version 1.x of OpenSSL I wonder if this may over time just be dead code in 
>> Monit? Or do you know if there is any indication that the FIPS module will 
>> be maintained and updated to newer versions of OpenSSL?
>> 
>> jan-henrik
>> 
>> On Jul 22, 2010, at 4:35 PM, Lior Okman wrote:
>> 
>>> Hi all,
>>> 
>>> Please find attached a patch to add support for enabling FIPS-140 mode in 
>>> Monit.
>>> 
>>> This requires an OpenSSL installation that supports FIPS-140 (see
>>> http://openssl.org/docs/fips/ for details).
>>> 
>>> The patch does the following:
>>> 
>>> 1. Add a global "set fips" directive to enable FIPS-140 mode.
>>> 2. Force using TLSv1 instead of SSLv23 (as per FIPS-140 requirements)
>>> 3. Disable the certmd5 option when in FIPS mode since md5 is not
>>> available when in FIPS-140 mode.
>>> 
>>> Regards,
>>> Lior Okman
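The three points of the patch summarised in the quoted message (a global "set fips" directive, TLSv1 in place of SSLv23 negotiation, and refusing the certmd5 option under FIPS) can be modelled as a small policy check. The following is an added example written for this thread, not the attached patch or any Monit code: the config dict keys ("fips", "certmd5"), the function names, and the sample certificate bytes are all assumptions made here, and the SSLContext part uses Python's ssl module to express the same SSLv2/SSLv3 exclusion that selecting TLSv1_method over SSLv23_method gave in OpenSSL 0.9.8.

```python
import hashlib
import hmac
import ssl

# Constructed stand-in for a DER-encoded certificate; not a real certificate.
SAMPLE_CERT_DER = b"constructed-sample-certificate-bytes"

# Digests acceptable for a certificate fingerprint under FIPS 140; MD5 is not one.
FIPS_APPROVED_DIGESTS = {"sha1", "sha256", "sha384", "sha512"}


def effective_ssl_policy(config):
    """Derive the TLS settings from a hypothetical config dict.

    config["fips"]    -> bool, standing in for the 'set fips' directive
    config["certmd5"] -> expected MD5 certificate checksum, or None
    Mirrors the patch: FIPS on forces TLSv1 instead of SSLv23 negotiation
    and rejects certmd5, because MD5 is unavailable in FIPS-140 mode.
    """
    fips = bool(config.get("fips", False))
    certmd5 = config.get("certmd5")
    if fips and certmd5 is not None:
        raise ValueError("certmd5 cannot be used in FIPS-140 mode: MD5 is unavailable")
    return {
        "fips": fips,
        "protocol": "TLSv1" if fips else "SSLv23",
        "certmd5": certmd5,
    }


def make_client_context(fips):
    """Build an ssl.SSLContext reflecting the policy.

    With FIPS on, SSLv2 and SSLv3 are excluded explicitly, which is what
    choosing TLSv1_method over SSLv23_method achieved in OpenSSL 0.9.8.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if fips:
        ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    return ctx


def allows_legacy_ssl(ctx):
    """True if the context could still negotiate SSLv3."""
    return not (ctx.options & ssl.OP_NO_SSLv3)


def cert_fingerprint(cert_der, algorithm, fips):
    """Hex fingerprint of a certificate, refusing non-approved digests under FIPS.

    Note: a FIPS-enabled OpenSSL would make hashlib.new("md5") fail on its
    own; checking the policy first gives a clear error instead of a crash.
    """
    algorithm = algorithm.lower()
    if fips and algorithm not in FIPS_APPROVED_DIGESTS:
        raise ValueError(f"{algorithm} is not an approved digest in FIPS-140 mode")
    return hashlib.new(algorithm, cert_der).hexdigest()


def verify_cert_checksum(cert_der, expected_hex, algorithm, fips):
    """Compare a certificate fingerprint against the configured value (constant time)."""
    actual = cert_fingerprint(cert_der, algorithm, fips)
    return hmac.compare_digest(actual, expected_hex.lower())


if __name__ == "__main__":
    print(effective_ssl_policy({"fips": True}))
    print(cert_fingerprint(SAMPLE_CERT_DER, "sha256", fips=True))
```

The policy function fails early at configuration time rather than at the first TLS check, so a host entry carrying an MD5 checksum is reported as a configuration error instead of silently never matching once FIPS mode is on.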
