Paul Wouters wrote: > How is a library in FIPS mode when it hasn't yet initialised because > the application has not kicked of yet? Do you actually initialise > them using a test program?
Yes. This is the case for OpenSSL and GnuTLS. For NSS, as we have seen, the FIPS initialisation is done externally, by using modutils. And as we have recently seen, libreswan assumes NSS is in FIPS mode :) > - Are we a FIPS product (does /etc/system-fips exist?) > - Is the kernel in FIPS mode (does /proc/sys/crypto/fips_enabled > contain the value 1) These are also part of the verification, as well as integrity of the binaries on the system, for instance. > I personally wished NSS would lock out non-FIPS algorithms, so the > applications don't need any of that logic. Now I have to read the > FIPS documents too :P It seems so far that FIPS mode for NSS consists of enabling the self-tests. No restrictions on algorithms, etc, are applied. Hmmm... Do you mean that the current libreswan does not fully support FIPS ? :) -- View this message in context: http://mozilla.6506.n7.nabble.com/Using-NSS-in-FIPS-mode-tp350446p350515.html Sent from the Mozilla - Cryptography mailing list archive at Nabble.com. -- dev-tech-crypto mailing list [email protected] https://lists.mozilla.org/listinfo/dev-tech-crypto
