
Thread: What is "FIPS Mode" and does OS11.4 do it out of the box?

  1. #1

    I know this sounds like a poorly asked question, but I was asked if our Linux systems are running in "FIPS mode". This document http://www.oss-institute.org/FIPS_73...uide-1.1.1.pdf says
    Approved Mode

    The FIPS 140-2 Approved Mode of Operation is the operation of the FIPS object module when all requirements of the Security Policy have been met and the software has successfully performed the power-up and self test operation (invocation of the FIPS_mode_set() function call). In this document this Approved Mode is referred to simply as FIPS mode.
    Is this the default for OS 11.4? The only place I know that OpenSSL is being used on our systems is with OpenSSH. Is the question even relevant to this situation?

  2. #2

    A search using "openssl fips mode" turned up this discussion. I haven't searched to see if the situation has improved since this thread 2 years ago.

    FIPS 140-2 on OpenSSH?

  3. #3

    Wow! I noticed that both RHEL and Fedora show fips with ssh -V. Unfortunately, I am forced to use RHEL for most of my Linux work. I would very much like to see OS become more accepted by the US Federal Government. FIPS compliance would be essential for that to happen.

  4. #4

    I would bet it is much more likely to happen in SLES, since each configuration has to be certified, and not just have the capability, and oS changes every 8 months.

  5. #5

    From what I can gather, OpenSUSE does not have OpenSSL compiled with FIPS Module support. Apparently "FIPS Mode" would mean using OpenSSL with the OPENSSL_FIPS=1 environment variable setting (see http://www.oss-institute.org/FIPS_73...uide-1.1.1.pdf). I don't really know what that means, since when I set OPENSSL_FIPS=1 on a Fedora box which advertises its OpenSSL as 1.0.0a-fips, and then did a traffic capture of an ssh session initiated from that system, I see the client is advertising algorithms not permitted by FIPS 140-2.
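    The check described in #5 (inspecting what an SSH client advertises rather than trusting an OpenSSL version string) can be automated. The following is an added example, not code from this thread or from OpenSSH: it decodes the name-lists of an SSH_MSG_KEXINIT payload (RFC 4253 §7.1) and reports every advertised cipher and MAC that is outside a FIPS 140-2 allowlist. The allowlist and the sample KEXINIT are assumptions constructed for the example; the authoritative list of approved algorithms is the validated module's Security Policy.

```python
import struct

# Assumed FIPS 140-2 allowlist for this example (the module's Security Policy,
# not this script, is the authority on which algorithms are approved).
FIPS_CIPHERS = {"aes128-cbc", "aes192-cbc", "aes256-cbc",
                "aes128-ctr", "aes192-ctr", "aes256-ctr", "3des-cbc"}
FIPS_MACS = {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"}

SSH_MSG_KEXINIT = 20
KEXINIT_FIELDS = ("kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s",
                  "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(payload: bytes) -> dict:
    """Decode the name-lists of an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1)."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 1 + 16  # message id followed by the 16-byte random cookie
    fields = {}
    for name in KEXINIT_FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)  # uint32 name-list length
        off += 4
        fields[name] = payload[off:off + n].decode("ascii").split(",") if n else []
        off += n
    return fields  # trailing boolean and reserved uint32 are not needed here

def non_fips_algorithms(payload: bytes) -> dict:
    """Advertised ciphers and MACs (both directions merged) outside the allowlist."""
    f = parse_kexinit(payload)
    return {"ciphers": sorted(set(f["cipher_c2s"] + f["cipher_s2c"]) - FIPS_CIPHERS),
            "macs": sorted(set(f["mac_c2s"] + f["mac_s2c"]) - FIPS_MACS)}

def _namelist(items) -> bytes:
    s = ",".join(items).encode("ascii")
    return struct.pack(">I", len(s)) + s

def build_kexinit(ciphers, macs) -> bytes:
    """Construct a KEXINIT payload as sample input (constructed, not a real capture)."""
    kex, hostkey, comp = ["diffie-hellman-group14-sha1"], ["ssh-rsa"], ["none"]
    return (bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
            + _namelist(kex) + _namelist(hostkey)
            + _namelist(ciphers) + _namelist(ciphers)   # client->server, server->client
            + _namelist(macs) + _namelist(macs)
            + _namelist(comp) + _namelist(comp)
            + _namelist([]) + _namelist([])             # language name-lists
            + b"\x00" + b"\x00\x00\x00\x00")           # first_kex_packet_follows, reserved

if __name__ == "__main__":
    sample = build_kexinit(["aes128-ctr", "arcfour", "blowfish-cbc"],
                           ["hmac-sha1", "hmac-md5", "umac-64@openssh.com"])
    print(non_fips_algorithms(sample))
```

    On a real capture, feed the decrypted-stage KEXINIT payload (the bytes after the packet length and padding length fields) to non_fips_algorithms; a non-empty result means the client offers algorithms a FIPS-validated module would not negotiate.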

  6. #6

    This appears to say that the validation is not specific to a particular make and model of hardware host.

    Red Hat Enterprise Linux 5 OpenSSH Server Cryptographic Module version 1.0 FIPS 140-2 Security Policy

    This appears to say that OpenSSH FIPS 140-2 compliance was first accomplished on SUSE 9: http://www.openssl.org/docs/fips/Sec...licy-1.1.1.pdf but not as part of the distribution.

  7. #7

    Quote Originally Posted by hattons:
    I know this sounds like a poorly asked question, but I was asked if our Linux systems are running in "FIPS mode". This document http://www.oss-institute.org/FIPS_73...uide-1.1.1.pdf says

    Is this the default for OS 11.4? The only place I know that OpenSSL is being used on our systems is with OpenSSH. Is the question even relevant to this situation?
    Whether or not your Linux systems are running in FIPS mode is up to you to figure out.

    From the document you reference all Linux systems are compatible with FIPS, can support FIPS. But the FIPS Object Model must be compiled to be operational on a given platform. I take that to mean if you didn't compile it it's not operational.

    Except for 1 java security header file I don't have any FIPS files or libraries on my openSUSE 11.4 installation, certainly not enough to compile. FIPS doesn't seem to be in the usual repos either, so unless some developer has it cloaked I say not in 11.4.