Paul Wouters wrote:
> Why would that be the right choice?
Because this is the FIPS/CC way. Moreover, our FIPS/CC consultant has made
it clear.
This being said, a difference must be established between a unit, a hardware
unit, and software components running inside. It might very well be that
On Fri, 22 Jan 2016, jonetsu wrote:
For instance if the system at boot finds a FIPS-related error then it should
stop everything. For instance binary integrity failure. Report using one of
the FIPS logical interfaces and reboot. No library or application will do
that.
Why would that be the ri
On 01/22/2016 06:42 AM, jonetsu wrote:
Robert Relyea wrote:
The call PK11_IsFIPS() returns true if softoken is in FIPS mode. The
dance to programmatically is to call SECMOD_DeleteInternalModule(),
which toggles the module between FIPS and non-FIPS modes.
Thanks. I will try it.
When are the se
Paul Wouters wrote:
> So while I just added a check, it should be completely redundant.
Depends. I'd be wary of a system that proclaims itself FIPS enabled without
'seeing it with my own eyes'. So I am not convinced this is redundant.
> Those are done within the libraries and applications. Lib
On Fri, 22 Jan 2016, jonetsu wrote:
Paul Wouters wrote:
How is a library in FIPS mode when it hasn't yet initialised because
the application has not kicked off yet? Do you actually initialise
them using a test program?
Yes. This is the case for OpenSSL and GnuTLS. For NSS, as we have seen,
Paul Wouters wrote:
> How is a library in FIPS mode when it hasn't yet initialised because
> the application has not kicked off yet? Do you actually initialise
> them using a test program?
Yes. This is the case for OpenSSL and GnuTLS. For NSS, as we have seen,
the FIPS initialisation is done ext
On Fri, 22 Jan 2016, jonetsu wrote:
libreswan uses NSS and supports a FIPS mode.
I know. I wouldn't call libreswan 'example code', though :)
I have browsed the code although did not find what I was looking for,
which is exactly what you mentioned above. In our systems we have to
verify that
Paul Wouters wrote:
> Oh, I did not know about this one. I guess once we (the application)
> detect the system is in FIPS mode, we could verify that NSS is as
> well.
>> Finally, is there any example code out there that uses NSS in FIPS
>> mode?
> libreswan uses NSS and supports a FIPS mode.
Robert Relyea wrote:
> The call PK11_IsFIPS() returns true if softoken is in FIPS mode. The
> dance to programmatically is to call SECMOD_DeleteInternalModule(),
> which toggles the module between FIPS and non-FIPS modes.
Thanks. I will try it.
When are the self-tests run, from an application pe
On Thu, 21 Jan 2016, Robert Relyea wrote:
The call PK11_IsFIPS() returns true if softoken is in FIPS mode.
Oh, I did not know about this one. I guess once we (the application)
detect the system is in FIPS mode, we could verify that NSS is as well.
Finally, is there any example code out ther
On 01/21/2016 07:33 AM, jonetsu wrote:
Hello,
Please let me know if this is not the right place to ask about the
following...
This is the right place.
I am new to NSS and would like to use it in FIPS mode. I do know
about OpenSSL and GnuTLS, both of them having explicit calls to
enabled FIPS