[strongSwan-dev] openssl plugin FIPS modes?

Andreas Steffen andreas.steffen at strongswan.org
Mon Dec 23 19:51:03 CET 2013


Hi Zach,

the OpenSSL FIPS 2.0 User Guide

http://www.openssl.org/docs/fips/UserGuide-2.0.pdf

says in section 5.2 FIPS Mode Initialization:

The FIPS_mode_set() function call when invoked with any positive
argument will enable the FIPS mode of operation. Depending on the
argument it may also enable additional restrictions. For example,
an argument of 1 will enable the basic FIPS mode where all FIPS
approved algorithms are available. An argument of FIPS_SUITEB(2)
will restrict the available algorithms to those allowed by the
Suite B specification.

But using openssl-fips with strongSwan I see that 3DES still can
be used with fips_mode = 2, although 3DES is not a Suite B algorithm.
See ipsec listalgs:

http://www.strongswan.org/uml/testresults/openssl-ikev2/rw-suite-b-128/moon.listall

So your observation is true, that there is no difference between
the settings 1 and 2.

Best regards

Andreas

On 23.12.2013 16:56, Zachery Stoddard wrote:
> I've (quickly) scoured the source and the documentation, but I can't
> determine the use of fips_mode = 1 (enabled) vs 2 (suite b enabled)?  At
> first glance there doesn't appear to be any difference/distinction
> between the two.
> 
> Could someone shed a little light on this subject?
> 
> ~Zach
> 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
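
Added example (not part of the original message and not strongSwan code): a check over `ipsec listalgs`-style output that reports algorithms the openssl plugin registers outside a Suite B allowlist, which is how the 3DES observation above can be confirmed. The sample output is constructed; the output layout and the allowlist names are assumptions modelled on strongSwan's algorithm naming and the RFC 6379 suites.

```python
import re

# Assumed allowlist: strongSwan-style names for the algorithms in the
# RFC 6379 Suite B suites. Adjust it to the policy you actually enforce.
SUITE_B = {
    "encryption": {"AES_CBC"},
    "aead": {"AES_GCM_16"},
    "integrity": {"HMAC_SHA2_256_128", "HMAC_SHA2_384_192"},
    "prf": {"PRF_HMAC_SHA2_256", "PRF_HMAC_SHA2_384"},
    "dh-group": {"ECP_256", "ECP_384"},
}

# Constructed sample in the assumed "category: NAME[plugin] ..." layout.
SAMPLE = """\
List of registered IKE algorithms:

  encryption: AES_CBC[openssl] 3DES_CBC[openssl]
  integrity:  HMAC_SHA1_96[openssl] HMAC_SHA2_256_128[openssl]
              HMAC_SHA2_384_192[openssl]
  aead:       AES_GCM_16[openssl]
  prf:        PRF_HMAC_SHA1[openssl] PRF_HMAC_SHA2_256[openssl]
  dh-group:   MODP_2048[openssl] ECP_256[openssl] ECP_384[openssl]
  random-gen: RNG_STRONG[random]
"""

ENTRY = re.compile(r"([A-Za-z0-9_]+)\[([^\]]+)\]")
HEAD = re.compile(r"\s+([a-z-]+):\s*(.*)")

def parse_listalgs(text):
    """Return {category: [(algorithm, plugin), ...]}."""
    algs, current = {}, None
    for line in text.splitlines():
        head = HEAD.match(line)
        if head:
            current, rest = head.groups()
            algs.setdefault(current, [])
        elif current and line[:1] == " " and line.strip():
            rest = line  # wrapped continuation of the previous category
        else:
            current = None  # blank line or section title ends the category
            continue
        algs[current].extend(ENTRY.findall(rest))
    return algs

def outside_suite_b(algs, plugin="openssl"):
    """(category, algorithm) pairs the plugin offers beyond the allowlist."""
    return [(cat, name) for cat, allowed in SUITE_B.items()
            for name, provider in algs.get(cat, [])
            if provider == plugin and name not in allowed]
```

Calling `outside_suite_b(parse_listalgs(SAMPLE))` on the constructed sample reports 3DES_CBC, HMAC_SHA1_96, PRF_HMAC_SHA1 and MODP_2048; a non-empty result with fips_mode = 2 means the setting is not narrowing the registered algorithms.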
