On Fri, Oct 25, 2013 at 7:59 PM, Michael Ströder <[email protected]> wrote:
> Steve Eckmann wrote:
>> We are using {SSHA} (SHA-1) in OpenLDAP now. The customer wants SHA-512.
>> And they require a FIPS-validated implementation, which I think narrows our
>> options to using either OpenSSL or NSS in FIPS mode. I cannot see a better
>> way to meet the customer's two requirements than gutting pw-sha2 and using
>> that as a thin wrapper for the raw crypto functions in either openssl or
>> nss.
>
> You probably should first ask on the openssl-users mailing list under which
> conditions you get some "FIPS-validated" code regarding the whole OpenLDAP
> "application". Likely it's not feasible.
>
> I'm pretty sure that your customer FIPS requirement is plain nonsense and you
> might work around this by some other strange policy text. ;-}

I am not sure it's "nonsense" if some distros are doing something in this area. Right or, perhaps, sometimes wrong (or perhaps sometimes broken).

http://fedoraproject.org/wiki/FedoraCryptoConsolidation

Best regards

>
> Ciao, Michael.
>
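For readers following the pw-sha2 discussion above, here is an added example (not code from the thread or from the pw-sha2 module) showing the {SSHA512} userPassword layout that module produces, base64(SHA-512(password || salt) || salt), generated and verified through the platform's hash library rather than a bundled SHA-2 implementation. The 8-byte salt length and the function names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os

# Scheme prefix OpenLDAP's pw-sha2 module uses for salted SHA-512.
SCHEME = "{SSHA512}"
# Assumption for this example: an 8-byte random salt, as {SSHA}-style schemes commonly use.
SALT_LEN = 8
DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes


def ssha512_hash(password, salt=None):
    """Return a userPassword value: {SSHA512} + base64(SHA512(pw || salt) || salt).

    hashlib delegates SHA-512 to the OpenSSL build Python was linked against,
    so no private SHA-2 implementation is involved here.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha512_verify(password, stored):
    """Check a candidate password against a stored {SSHA512} value.

    Returns False (never raises) for the wrong scheme, bad base64, or a
    payload too short to hold a digest plus at least one byte of salt.
    """
    if not stored.startswith(SCHEME):
        return False
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= DIGEST_LEN:
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    expected = hashlib.sha512(password.encode("utf-8") + salt).digest()
    # Constant-time comparison so verification time does not leak digest bytes.
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    value = ssha512_hash("correct horse")  # constructed sample password
    print(value)
    print(ssha512_verify("correct horse", value), ssha512_verify("wrong", value))
```

Whether the SHA-512 computed this way counts as "FIPS-validated" is a property of the underlying OpenSSL build and its mode, which is exactly the question the thread raises; the wrapper itself adds nothing to that status.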
