What is "FIPS Mode" and does OS11.4 do it out of the box?

I know this sounds like a poorly asked question, but I was asked if our Linux systems are running in “FIPS mode”. This document http://www.oss-institute.org/FIPS_733/UserGuide-1.1.1.pdf says

Approved Mode

The FIPS 140-2 Approved Mode of Operation is the operation of the FIPS object module when all requirements of the Security Policy have been met and the software has successfully performed the power-up and self test operation (invocation of the FIPS_mode_set() function call). In this document this Approved Mode is referred to simply as FIPS mode.

Is this the default for OS 11.4? The only place I know that OpenSSL is being used on our systems is with OpenSSH. Is the question even relevant to this situation?

A search using openssl fips mode turned up this discussion. I haven’t searched to see if the situation has improved since this thread 2 years ago.

FIPS 140-2 on OpenSSH?

Wow! I noticed that both RHEL and Fedora show fips with ssh -V. Unfortunately, I am forced to use RHEL for most of my Linux work. I would very much like to see OS become more accepted by the US Federal Government. FIPS compliance would be essential for that to happen.

I would bet it is much more likely to happen in SLES, since each configuration has to be certified, and not just have the capability, and oS changes every 8 months.

From what I can gather, OpenSUSE does not have OpenSSL compiled with FIPS Module support. Apparently “FIPS Mode” would mean using OpenSSL with the OPENSSL_FIPS=1 environment variable setting (see http://www.oss-institute.org/FIPS_733/UserGuide-1.1.1.pdf). I don’t really know what that means, since when I set OPENSSL_FIPS=1 on a Fedora box which advertises its OpenSSL as 1.0.0a-fips, and then did a traffic capture of an ssh session initiated from that system, I see the client is advertising algorithms not permitted by FIPS 140-2.

This appears to say that the validation is not specific to a particular make and model of hardware host.

Red Hat Enterprise Linux 5 OpenSSH Server Cryptographic Module version 1.0 FIPS 140-2 Security Policy

This appears to say that OpenSSH FIPS 140-2 compliance was first accomplished on SUSE 9: http://www.openssl.org/docs/fips/SecurityPolicy-1.1.1.pdf but not as part of the distribution.

Whether or not your Linux systems are running in FIPS mode is up to you to figure out.

From the document you reference, all Linux systems are compatible with FIPS and can support FIPS. But the FIPS Object Model must be compiled to be operational on a given platform. I take that to mean if you didn’t compile it, it’s not operational.

Except for 1 java security header file I don’t have any FIPS files or libraries on my openSUSE 11.4 installation, certainly not enough to compile. FIPS doesn’t seem to be in the usual repos either, so unless some developer has it cloaked I say not in 11.4.
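
Added example, not written by any poster in this thread: the traffic-capture check described earlier (looking at which algorithms an ssh client advertises) can be automated by parsing the SSH_MSG_KEXINIT payload defined in RFC 4253 and flagging offered algorithms built on primitives that are not FIPS-approved. The NON_APPROVED list is an illustrative assumption, not the validated list from any Security Policy, and the sample payload is constructed rather than captured.

```python
import struct

# Assumption: primitives without FIPS-approved status, matched as substrings of
# SSH algorithm names. Illustrative; the module's Security Policy is authoritative.
NON_APPROVED = ("arcfour", "blowfish", "cast128", "md5", "ripemd160", "umac")
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
SSH_MSG_KEXINIT = 20

def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload into {field: [algorithm names]}."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, lists = 17, {}  # skip 1-byte message type and 16-byte cookie
    for field in FIELDS:
        if offset + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[offset:offset + length].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        offset += length
    return lists

def non_approved(lists: dict) -> dict:
    """Return {field: [names]} for offered algorithms using a non-approved primitive."""
    flagged = {}
    for field, names in lists.items():
        bad = [n for n in names if any(p in n for p in NON_APPROVED)]
        if bad:
            flagged[field] = bad
    return flagged

def build_kexinit(lists: dict) -> bytes:
    """Build a constructed sample payload (zero cookie) for the demonstration."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for field in FIELDS:
        data = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(data)) + data
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

# Constructed client offer, not a real capture.
SAMPLE = build_kexinit({"enc_c2s": ["aes128-ctr", "arcfour128", "blowfish-cbc"],
                        "mac_c2s": ["hmac-sha1", "hmac-md5"]})

if __name__ == "__main__":
    print(non_approved(parse_kexinit(SAMPLE)))
```

An empty result from non_approved() only means none of the listed primitives were offered; it does not show that the module itself is validated or running in its approved mode.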