'Re: [openssl-users] Help needed on FIPS error 0409A09E:lib(4):func(154):reason(158).'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openssl-users
Subject:    Re: [openssl-users] Help needed on FIPS error 0409A09E:lib(4):func(154):reason(158).
From:       Jayalakshmi bhat <bhat.jayalakshmi () gmail ! com>
Date:       2015-09-11 5:54:06
Message-ID: CALq8Rv+mj4KAiKMvgN19MgoxY3oXDNfLz5pa4KKD1Y5EXPcVbw () mail ! gmail ! com
[Download RAW message or body]

[Attachment #2 (multipart/alternative)]

Hi Tom,

Thanks  a lot for clarifying the doubt.

Regards
Jayalakshmi

On Thu, Sep 10, 2015 at 8:44 AM, Tom Francis <thomas.francis.jr@pobox.com>
wrote:

>
> > On Sep 10, 2015, at 8:44 AM, Jayalakshmi bhat <
> bhat.jayalakshmi@gmail.com> wrote:
> >
> > Hello all,
> >
> > I have a question on FIPS. We have OpenSSL FIPS module integrated with
> our product. We have an option to enable/disable FIPS at run time.  We are
> executing the following openSSL API's every time when FIPS status changes.
>
> Typically, this is not allowed; you must restart your application in order
> to switch in or out of FIPS approved mode.  Your customer's auditor (or
> your auditor) may believe differently, but my former employer had auditors
> make it very clear that an application must never switch into or out of
> FIPS approved mode without restarting the application (and most of the
> auditors wanted us to require the user to reboot their entire system to
> make the switch; fortunately they were willing to allow the application
> with just an extra note recommending the user reboot after modifying the
> setting).
>
> > {
> >       We have mapped OpenSSL crypto locks to mutex intenally. Hence we
> delete it and create it every time when FIPS status changes.
> >       ERR_free_strings()
> >       ERR_remove_state(0);
> >       EVP_cleanup();
> >       SSL_library_init()
> >       SSLeay_add_all_algorithms()
> > }
> >
> > Without executing this we are hitting the error,
> error:0409A09E:lib(4):func(154):reason(158). I wanted to know if our
> approach is correct?
>
> IIRC you should be able to switch in and out of FIPS appoved mode by
> simply calling FIPS_mode_set() with the appropriate argument.  I know this
> worked with the FIPS 1.2 module, but I never bothered to try it with the
> 2.0 module (see above about allowed uses).  I wouldn't recommend trying to
> uninitialize and re-initialize OpenSSL, though — while probably safe, it
> seems like a bad idea.  If this is a long-running program that can do
> multiple things at a time, it's definitely a bad idea to allow a toggle
> like that — someone might've started a task, then turned on FIPS approved
> mode — if the task hasn't done anything with OpenSSL yet, it'll probably be
> done with FIPS approved mode, but was that the user's intent?  I'd
> recommend that when a user changes the setting, you store the setting and
> inform the user that the new setting will take affect only after restarting
> the application.
>
> I really doubt you'll be allowed to switch FIPS approved mode on and off
> with just a simple toggle (even if it works technically).
>
>
> > Regards
> > Jayalakshmi
> > _______________________________________________
> > openssl-users mailing list
> > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>

[Attachment #5 (text/html)]

<div dir="ltr">Hi Tom,<div><br></div><div>Thanks   a lot for clarifying the doubt.  \
</div><div><br></div><div>Regards</div><div>Jayalakshmi</div></div><div \
class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 10, 2015 at 8:44 AM, Tom \
Francis <span dir="ltr">&lt;<a href="mailto:thomas.francis.jr@pobox.com" \
target="_blank">thomas.francis.jr@pobox.com</a>&gt;</span> wrote:<br><blockquote \
class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex"><span class=""><br> &gt; On Sep 10, 2015, at 8:44 AM, \
Jayalakshmi bhat &lt;<a \
href="mailto:bhat.jayalakshmi@gmail.com">bhat.jayalakshmi@gmail.com</a>&gt; \
wrote:<br> &gt;<br>
&gt; Hello all,<br>
&gt;<br>
&gt; I have a question on FIPS. We have OpenSSL FIPS module integrated with our \
product. We have an option to enable/disable FIPS at run time.   We are executing the \
following openSSL API&#39;s every time when FIPS status changes.<br> <br>
</span>Typically, this is not allowed; you must restart your application in order to \
switch in or out of FIPS approved mode.   Your customer's auditor (or your auditor) \
may believe differently, but my former employer had auditors make it very clear that \
an application must never switch into or out of FIPS approved mode without restarting \
the application (and most of the auditors wanted us to require the user to reboot \
their entire system to make the switch; fortunately they were willing to allow the \
application with just an extra note recommending the user reboot after modifying the \
setting).<br> <span class=""><br>
&gt; {<br>
&gt;           We have mapped OpenSSL crypto locks to mutex intenally. Hence we \
delete it and create it every time when FIPS status changes.<br> &gt;           \
ERR_free_strings()<br> &gt;           ERR_remove_state(0);<br>
&gt;           EVP_cleanup();<br>
&gt;           SSL_library_init()<br>
&gt;           SSLeay_add_all_algorithms()<br>
&gt; }<br>
&gt;<br>
&gt; Without executing this we are hitting the error, \
error:0409A09E:lib(4):func(154):reason(158). I wanted to know if our approach is \
correct?<br> <br>
</span>IIRC you should be able to switch in and out of FIPS appoved mode by simply \
calling FIPS_mode_set() with the appropriate argument.   I know this worked with the \
FIPS 1.2 module, but I never bothered to try it with the 2.0 module (see above about \
allowed uses).   I wouldn't recommend trying to uninitialize and re-initialize \
OpenSSL, though — while probably safe, it seems like a bad idea.   If this is a \
long-running program that can do multiple things at a time, it's definitely a bad \
idea to allow a toggle like that — someone might've started a task, then turned on \
FIPS approved mode — if the task hasn't done anything with OpenSSL yet, it'll \
probably be done with FIPS approved mode, but was that the user's intent?   I'd \
recommend that when a user changes the setting, you store the setting and inform the \
user that the new setting will take affect only after restarting the application.<br> \
<br> I really doubt you'll be allowed to switch FIPS approved mode on and off with \
just a simple toggle (even if it works technically).<br> <br>
<br>
&gt; Regards<br>
&gt; Jayalakshmi<br>
<div class="HOEnZb"><div class="h5">&gt; \
_______________________________________________<br> &gt; openssl-users mailing \
list<br> &gt; To unsubscribe: <a \
href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" \
target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br> <br>
_______________________________________________<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" \
rel="noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
 </div></div></blockquote></div><br></div>

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[prev in list] [next in list] [prev in thread] [next in thread] 