Re: Re: svn: /php/php-src/ branches/PHP_5_4/ext/openssl/openssl.c trunk/ext/openssl/openssl.c

From:	Thomas Hruska	Date:	Sun, 24 Jul 2011 00:27:27 +0000
Subject:	Re: Re: svn: /php/php-src/ branches/PHP_5_4/ext/openssl/openssl.c trunk/ext/openssl/openssl.c
References:	1 2 3 4 5 6	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

On 7/19/2011 5:09 PM, Pierre Joye wrote:
On Wed, Jul 20, 2011 at 1:50 AM, Scott MacVicar<[email protected]>  wrote:
OpenSSL has been FIPS certified, your change has changed this contract and it's calling back into a Windows API. Has it been reviewed for correctness?

And by the way, the CryptoAPI for the windows versions we support is
certified as well. Just in case you did not check yourself in the 1st
place.

Furter ref, http://technet.microsoft.com/en-us/library/cc750357.aspx

Cheers,

I'm jumping on this one rather late.

I have no idea if you can *mix* two different FIPS-validated crypto/SSL libraries and still be able to claim FIPS validation of those libraries.  I'm pretty sure you would have to go through the whole FIPS validation process with the combination of the two.  To the best of my knowledge, no one has ever done that before.

That all said, I have NEVER thought of PHP as a project that would ever care about claiming FIPS compliance.

To use FIPS with OpenSSL, FIPS first has to be compiled into OpenSSL using a special build process almost no one goes through.  Then the library has to be switched into "FIPS mode" within the application code itself using either FIPS_mode_set() or a configuration file and then checking for FIPS with a call to FIPS_mode() from within the application.  You're supposed to exit if you are expecting FIPS and it failed to initialize for whatever reason.

-- 
Thomas Hruska
CubicleSoft President

Barebones CMS is a high-performance, open source content management 
system for web developers operating in a team environment.

An open source CubicleSoft initiative.
Your choice of a MIT or LGPL license.

http://barebonescms.com/



   

Thread (5 messages)

• Scott MacVicarTue, 19 Jul 2011 23:50:58 +0000
  • Pierre JoyeTue, 19 Jul 2011 23:59:14 +0000
  • Pierre JoyeWed, 20 Jul 2011 00:09:27 +0000
    • Chad EmrysWed, 20 Jul 2011 05:40:01 +0000
    • Thomas HruskaSun, 24 Jul 2011 00:27:27 +0000