RE: Antw: use openssl or moznss for more than TLS?
Thanks, Michael. I will follow up on your suggestion to ask about feasibility on openssl-users. And I agree about the validity of the requirement. We are trying to make it go away or identify workarounds.

Regards,
Steve

-----Original Message-----
From: Michael Ströder [mailto:michael@stroeder.com]
Sent: Friday, October 25, 2013 12:00 PM
To: Steve Eckmann; openldap-technical@openldap.org
Subject: Re: Antw: use openssl or moznss for more than TLS?

Steve Eckmann wrote:
> We are using {SSHA} (SHA-1) in OpenLDAP now. The customer wants SHA-512.
> And they require a FIPS-validated implementation, which I think narrows our
> options to using either OpenSSL or NSS in FIPS mode. I cannot see a better
> way to meet the customer's two requirements than gutting pw-sha2 and using
> that as a thin wrapper for the raw crypto functions in either openssl or
> nss.

You probably should first ask on the openssl-users mailing list under which
conditions you get some "FIPS-validated" code regarding the whole OpenLDAP
"application". Likely it's not feasible.

I'm pretty sure that your customer FIPS requirement is plain nonsense and you
might work around this by some other strange policy text. ;-}

Ciao, Michael.
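For readers of the archive who have not looked at what {SSHA} actually stores: the value Steve's installation keeps in userPassword is the scheme tag followed by base64(digest(password || salt) || salt), and the pw-sha2 contrib module's {SSHA256}/{SSHA384}/{SSHA512} schemes use the same layout with a longer digest. The script below is an added example, not code from this thread or from OpenLDAP; the function names (make_hash, split_hash, verify) and the sample password and fixed salt are my own, and it uses Python's hashlib rather than the OpenSSL or NSS FIPS module, so it demonstrates only the encoding, not the validated-implementation question Michael suggests raising on openssl-users.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Salted scheme names mapped to their digest constructors. {SSHA} is slapd's
# built-in salted SHA-1; the {SSHA256}/{SSHA384}/{SSHA512} names follow the
# pw-sha2 contrib module. All share one layout:
#   "{SCHEME}" + base64( digest(password || salt) || salt )
SCHEMES = {
    "{SSHA}": hashlib.sha1,
    "{SSHA256}": hashlib.sha256,
    "{SSHA384}": hashlib.sha384,
    "{SSHA512}": hashlib.sha512,
}


def make_hash(password: str, scheme: str = "{SSHA512}",
              salt: Optional[bytes] = None) -> str:
    """Return a userPassword value in the salted layout described above.

    A random 8-byte salt is drawn when none is supplied; a fixed salt is only
    useful for reproducible tests.
    """
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {scheme!r}")
    if salt is None:
        salt = os.urandom(8)
    digest = SCHEMES[scheme](password.encode("utf-8") + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def split_hash(stored: str) -> Tuple[str, bytes, bytes]:
    """Split a stored value into (scheme, digest, salt).

    The digest length is fixed by the scheme, so everything after it is salt.
    Raises ValueError for an unknown scheme or a malformed value.
    """
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("missing {SCHEME} prefix")
    scheme = stored[: stored.index("}") + 1]
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {scheme!r}")
    blob = base64.b64decode(stored[len(scheme):], validate=True)
    digest_len = SCHEMES[scheme]().digest_size
    if len(blob) <= digest_len:
        raise ValueError("value too short to hold a digest plus a salt")
    return scheme, blob[:digest_len], blob[digest_len:]


def verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    try:
        scheme, digest, salt = split_hash(stored)
    except ValueError:
        return False
    candidate = SCHEMES[scheme](password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample; the salt is fixed only so the output is reproducible.
    value = make_hash("correct horse", "{SSHA512}",
                      salt=b"\x01\x02\x03\x04\x05\x06\x07\x08")
    print(value)
    print(verify("correct horse", value), verify("wrong", value))
```

Because the salt travels inside the base64 blob, a verifier needs nothing but the stored string; that is also why a migration from {SSHA} to {SSHA512} can be done lazily, re-hashing each entry on its next successful bind rather than all at once.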