FIPS Capable OpenSSL for OpenSolaris
By mbp on Nov 05, 2009
A FIPS Capable OpenSSL is a regular OpenSSL built with the OpenSSL FIPS 140-2 Object Module which has been certified by NIST to be 140-2 compliant. It can be used in both a FIPS mode and as a regular OpenSSL. The certification for the OpenSSL FIPS 140-2 Object module was very unusual in that it was given for the source code instead of for a binary object. As long as the certified source has not been modified in any way and the security policy is strictly followed when building the source the certification remains valid. If you would like to see how OpenSSL is built for OpenSolaris, the full source for the SFW consolidation can be downloaded here.
The only application included in OpenSolaris which works properly in FIPS mode with the FIPS Capable OpenSSL is openssl(1).
$ LD_LIBRARY_PATH=/lib/openssl/fips-140 OPENSSL_FIPS=1 openssl version OpenSSL 0.9.8k-fips 25 Mar 2009 (+ security fixes for: CVE-2009-1377 CVE-2009-1378 CVE-2009-1379 CVE-2009-2409)
Unfortunately it was not possible to simply replace the existing version of OpenSSL with the FIPS Capable OpenSSL. The main issue was one of performance - the OpenSSL FIPS Object Module is based on older code than the 0.9.8k release and performs poorly on some newer CPUs. We didn't feel that it was viable to introduce such a performance regression especially as most people aren't interested in a FIPS Capable OpenSSL. More information can be found in the PSARC mail logs.
We may deliver a version of SunSSH which can be run in a "FIPS mode" which will make use of the FIPS Capable OpenSSL.
The FIPS Capable OpenSSL will be available build 128.