[prev in list] [next in list] [prev in thread] [next in thread]
List: openssl-users
Subject: Re: [openssl-users] Help needed on FIPS error 0409A09E:lib(4):func(154):reason(158).
From: Jayalakshmi bhat <bhat.jayalakshmi () gmail ! com>
Date: 2015-09-11 5:54:06
Message-ID: CALq8Rv+mj4KAiKMvgN19MgoxY3oXDNfLz5pa4KKD1Y5EXPcVbw () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
Hi Tom,
Thanks a lot for clarifying the doubt.
Regards
Jayalakshmi
On Thu, Sep 10, 2015 at 8:44 AM, Tom Francis <thomas.francis.jr@pobox.com>
wrote:
>
> > On Sep 10, 2015, at 8:44 AM, Jayalakshmi bhat <
> bhat.jayalakshmi@gmail.com> wrote:
> >
> > Hello all,
> >
> > I have a question on FIPS. We have OpenSSL FIPS module integrated with
> our product. We have an option to enable/disable FIPS at run time. We are
> executing the following openSSL API's every time when FIPS status changes.
>
> Typically, this is not allowed; you must restart your application in order
> to switch in or out of FIPS approved mode. Your customer's auditor (or
> your auditor) may believe differently, but my former employer had auditors
> make it very clear that an application must never switch into or out of
> FIPS approved mode without restarting the application (and most of the
> auditors wanted us to require the user to reboot their entire system to
> make the switch; fortunately they were willing to allow the application
> with just an extra note recommending the user reboot after modifying the
> setting).
>
> > {
> > We have mapped OpenSSL crypto locks to mutex intenally. Hence we
> delete it and create it every time when FIPS status changes.
> > ERR_free_strings()
> > ERR_remove_state(0);
> > EVP_cleanup();
> > SSL_library_init()
> > SSLeay_add_all_algorithms()
> > }
> >
> > Without executing this we are hitting the error,
> error:0409A09E:lib(4):func(154):reason(158). I wanted to know if our
> approach is correct?
>
> IIRC you should be able to switch in and out of FIPS appoved mode by
> simply calling FIPS_mode_set() with the appropriate argument. I know this
> worked with the FIPS 1.2 module, but I never bothered to try it with the
> 2.0 module (see above about allowed uses). I wouldn't recommend trying to
> uninitialize and re-initialize OpenSSL, though — while probably safe, it
> seems like a bad idea. If this is a long-running program that can do
> multiple things at a time, it's definitely a bad idea to allow a toggle
> like that — someone might've started a task, then turned on FIPS approved
> mode — if the task hasn't done anything with OpenSSL yet, it'll probably be
> done with FIPS approved mode, but was that the user's intent? I'd
> recommend that when a user changes the setting, you store the setting and
> inform the user that the new setting will take affect only after restarting
> the application.
>
> I really doubt you'll be allowed to switch FIPS approved mode on and off
> with just a simple toggle (even if it works technically).
>
>
> > Regards
> > Jayalakshmi
> > _______________________________________________
> > openssl-users mailing list
> > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
[Attachment #5 (text/html)]
<div dir="ltr">Hi Tom,<div><br></div><div>Thanks a lot for clarifying the doubt. \
</div><div><br></div><div>Regards</div><div>Jayalakshmi</div></div><div \
class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 10, 2015 at 8:44 AM, Tom \
Francis <span dir="ltr"><<a href="mailto:thomas.francis.jr@pobox.com" \
target="_blank">thomas.francis.jr@pobox.com</a>></span> wrote:<br><blockquote \
class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex"><span class=""><br> > On Sep 10, 2015, at 8:44 AM, \
Jayalakshmi bhat <<a \
href="mailto:bhat.jayalakshmi@gmail.com">bhat.jayalakshmi@gmail.com</a>> \
wrote:<br> ><br>
> Hello all,<br>
><br>
> I have a question on FIPS. We have OpenSSL FIPS module integrated with our \
product. We have an option to enable/disable FIPS at run time. We are executing the \
following openSSL API's every time when FIPS status changes.<br> <br>
</span>Typically, this is not allowed; you must restart your application in order to \
switch in or out of FIPS approved mode. Your customer's auditor (or your auditor) \
may believe differently, but my former employer had auditors make it very clear that \
an application must never switch into or out of FIPS approved mode without restarting \
the application (and most of the auditors wanted us to require the user to reboot \
their entire system to make the switch; fortunately they were willing to allow the \
application with just an extra note recommending the user reboot after modifying the \
setting).<br> <span class=""><br>
> {<br>
> We have mapped OpenSSL crypto locks to mutex intenally. Hence we \
delete it and create it every time when FIPS status changes.<br> > \
ERR_free_strings()<br> > ERR_remove_state(0);<br>
> EVP_cleanup();<br>
> SSL_library_init()<br>
> SSLeay_add_all_algorithms()<br>
> }<br>
><br>
> Without executing this we are hitting the error, \
error:0409A09E:lib(4):func(154):reason(158). I wanted to know if our approach is \
correct?<br> <br>
</span>IIRC you should be able to switch in and out of FIPS appoved mode by simply \
calling FIPS_mode_set() with the appropriate argument. I know this worked with the \
FIPS 1.2 module, but I never bothered to try it with the 2.0 module (see above about \
allowed uses). I wouldn't recommend trying to uninitialize and re-initialize \
OpenSSL, though — while probably safe, it seems like a bad idea. If this is a \
long-running program that can do multiple things at a time, it's definitely a bad \
idea to allow a toggle like that — someone might've started a task, then turned on \
FIPS approved mode — if the task hasn't done anything with OpenSSL yet, it'll \
probably be done with FIPS approved mode, but was that the user's intent? I'd \
recommend that when a user changes the setting, you store the setting and inform the \
user that the new setting will take affect only after restarting the application.<br> \
<br> I really doubt you'll be allowed to switch FIPS approved mode on and off with \
just a simple toggle (even if it works technically).<br> <br>
<br>
> Regards<br>
> Jayalakshmi<br>
<div class="HOEnZb"><div class="h5">> \
_______________________________________________<br> > openssl-users mailing \
list<br> > To unsubscribe: <a \
href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" \
target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br> <br>
_______________________________________________<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" \
rel="noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
</div></div></blockquote></div><br></div>
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic