
Re: Antw: use openssl or moznss for more than TLS?



On Fri, Oct 25, 2013 at 7:59 PM, Michael Ströder <michael@stroeder.com> wrote:
> Steve Eckmann wrote:
>> We are using {SSHA} (SHA-1) in OpenLDAP now. The customer wants SHA-512.
>> And they require a FIPS-validated implementation, which I think narrows our
>> options to using either OpenSSL or NSS in FIPS mode. I cannot see a better
>> way to meet the customer's two requirements than gutting pw-sha2 and using
>> that as a thin wrapper for the raw crypto functions in either openssl or
>> nss.
>
> You probably should first ask on the openssl-users mailing list under which
> conditions you get some "FIPS-validated" code regarding the whole OpenLDAP
> "application". Likely it's not feasible.
>
> I'm pretty sure that your customer FIPS requirement is plain nonsense and you
> might work around this by some other strange policy text. ;-}
I am not sure it is "nonsense" if some distros are doing something in this
area. Right or, perhaps, sometimes wrong (or perhaps sometimes break).
http://fedoraproject.org/wiki/FedoraCryptoConsolidation

Best regards

>
> Ciao, Michael.
>