devzero2000 wrote:
> On Fri, Oct 25, 2013 at 7:59 PM, Michael Ströder <michael@stroeder.com> wrote:
>> Steve Eckmann wrote:
>>> We are using {SSHA} (SHA-1) in OpenLDAP now. The customer wants SHA-512.
>>> And they require a FIPS-validated implementation, which I think narrows our
>>> options to using either OpenSSL or NSS in FIPS mode. I cannot see a better
>>> way to meet the customer's two requirements than gutting pw-sha2 and using
>>> that as a thin wrapper for the raw crypto functions in either openssl or
>>> nss.
>>
>> You probably should first ask on the openssl-users mailing list under which
>> conditions you get some "FIPS-validated" code regarding the whole OpenLDAP
>> "application". Likely it's not feasible.
>>
>> I'm pretty sure that your customer FIPS requirement is plain nonsense and you
>> might work around this by some other strange policy text. ;-}
> I am not sure "nonsense" if some distro are doing something in this
> area. Right or,
> perhaps, sometime wrong (o perhaps sometime break).
> http://fedoraproject.org/wiki/FedoraCryptoConsolidation
FIPS validation is pretty strict. AFAIK you must not link any other crypto
library into the same software which would IMHO require to hunk out all of
OpenLDAP's built-in hash algorithm implementations and replace them with calls
into the FIPS validated library.
AFAICS you would not gain anything by doing this regarding real security.
So I'd ask the customer where this FIPS validation requirement really comes
from. Most times there's a policy way around it.
Ciao, Michael.
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature