[strongSwan-dev] openssl plugin FIPS modes?
andreas.steffen at strongswan.org
Mon Dec 23 19:51:03 CET 2013
The OpenSSL FIPS 2.0 User Guide
says in section 5.2 FIPS Mode Initialization:

  The FIPS_mode_set() function call when invoked with any positive
  argument will enable the FIPS mode of operation. Depending on the
  argument it may also enable additional restrictions. For example,
  an argument of 1 will enable the basic FIPS mode where all FIPS
  approved algorithms are available. An argument of FIPS_SUITEB(2)
  will restrict the available algorithms to those allowed by the
  Suite B specification.

But using openssl-fips with strongSwan I see that 3DES still can
be used with fips_mode = 2, although 3DES is not a Suite B algorithm.
See ipsec listalgs:
So your observation is true, that there is no difference between
the settings 1 and 2.
On 23.12.2013 16:56, Zachery Stoddard wrote:
> I've (quickly) scoured the source and the documentation, but I can't
> determine the use of fips_mode = 1 (enabled) vs 2 (suite b enabled)? At
> first glance there doesn't appear to be any difference/distinction
> between the two.
> Could someone shed a little light on this subject?
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
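
A check for the behaviour reported in this mail, as an added example that is not part of the original message or of strongSwan: it parses `ipsec listalgs`-style output and reports algorithms registered by the openssl plugin that fall outside a Suite B allow-list. The sample output, its `NAME[plugin]` layout and the allow-list (algorithm families from RFC 6379) are constructed assumptions; adjust them to the output of your own build.

```python
import re

# Assumed allow-list: strongSwan-style names for the algorithm families used by
# the Suite B IPsec suites (RFC 6379). listalgs shows no key sizes, so only the
# family can be checked here.
SUITE_B = {
    "encryption": {"AES_CBC"},
    "aead": {"AES_GCM_16"},
    "integrity": {"HMAC_SHA2_256_128", "HMAC_SHA2_384_192"},
    "prf": {"PRF_HMAC_SHA2_256", "PRF_HMAC_SHA2_384"},
    "dh-group": {"ECP_256", "ECP_384"},
}
ENTRY = re.compile(r"([A-Za-z0-9_]+)\[([^\]]+)\]")  # e.g. 3DES_CBC[openssl]

# Constructed sample, not output captured from a real system.
SAMPLE = """\
List of registered IKE algorithms:

  encryption: AES_CBC[openssl] 3DES_CBC[openssl]
  integrity:  HMAC_SHA1_96[openssl] HMAC_SHA2_256_128[openssl]
  aead:       AES_GCM_16[openssl]
  dh-group:   MODP_2048[openssl] ECP_256[openssl]
              ECP_384[openssl]
"""

def parse_listalgs(text):
    """Return {category: [(algorithm, plugin), ...]} from listalgs-style text."""
    algs, category = {}, None
    for line in text.splitlines():
        head = re.match(r"\s*([a-z-]+):\s*(.*)", line)
        if head:
            category, rest = head.group(1), head.group(2)
        elif category and line.startswith(" ") and line.strip():
            rest = line  # wrapped continuation of the previous category
        else:
            category = None  # heading or blank line ends the category
            continue
        algs.setdefault(category, []).extend(ENTRY.findall(rest))
    return algs

def non_suite_b(text, plugin="openssl"):
    """List 'category:algorithm' entries from `plugin` outside the allow-list."""
    parsed = parse_listalgs(text)
    return [f"{cat}:{alg}" for cat, allowed in SUITE_B.items()
            for alg, plug in parsed.get(cat, []) if plug == plugin and alg not in allowed]

if __name__ == "__main__":
    print(non_suite_b(SAMPLE))
```

A non-empty result with fips_mode = 2 configured means the Suite B restriction is not being applied to the registered algorithms, which matches the 3DES observation above.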