
Thread: fips openssl RPMs?

  1. fips openssl RPMs?

    According to the README-FIPS.txt file (/usr/share/doc/packages/openssl/README-FIPS.txt) the openssl package includes libopenssl0_9_8-hmac. I've found reference to this being a separate RPM, but I'm unable to find it in the repositories.

    According to the recently released security policy (http://csrc.nist.gov/groups/STM/cmvp.../140sp1930.pdf), the FIPS packages are:

    libopenssl0_9_8-hmac-0.9.8j-0.44.1.x86_64.rpm
    libopenssl0_9_8 0.9.8j-0.44.1.x86_64.rpm


    The latest RPMs I have installed from the repositories are:
    openssl-0.9.8j-0.50.1
    libopenssl0_9_8-0.9.8j-0.50.1
    libopenssl-devel-0.9.8j-0.50.1


    Will the hmac RPM be added to the repositories?

    Will it be updated to 0.50?

    When I compile our apps & libraries I'd like to link to the FIPS certified module.

  2. Re: fips openssl RPMs?

    Hi Shawn,

    > the openssl package includes libopenssl0_9_8-hmac. I've found reference to this being a separate RPM, but I'm unable to find it in the repositories.

    I see them in the regular update repositories:

    Code:
    jmozdzen@myhost:~> zypper se -s libopenssl0_9_8-hmac
    Daten des Repositorys laden ...
    Installierte Pakete lesen ...
    
    S | Name                       | Typ   | Version       | Arch   | Repository        
    --+----------------------------+-------+---------------+--------+-------------------
      | libopenssl0_9_8-hmac       | Paket | 0.9.8j-0.50.1 | x86_64 | SLES11-SP2-Updates
      | libopenssl0_9_8-hmac       | Paket | 0.9.8j-0.44.1 | x86_64 | SLES11-SP1-Updates
      | libopenssl0_9_8-hmac-32bit | Paket | 0.9.8j-0.50.1 | x86_64 | SLES11-SP2-Updates
      | libopenssl0_9_8-hmac-32bit | Paket | 0.9.8j-0.44.1 | x86_64 | SLES11-SP1-Updates
    jmozdzen@myhost:~>

    You have not stated your version of SLES - the above is from a SLES11SP2 machine, obviously.

    Regards,
    Jens

  3. Re: fips openssl RPMs?

    Hi Jens,

    Sorry about that. My build system for SLES packages is a SLED 11SP2 installation.

    Code:
    sprotsman@sled-11sp2 ~$ zypper se -s libopenssl0_9_8-hmac
    Loading repository data...
    Reading installed packages...
    No packages found.
    sprotsman@sled-11sp2 ~$ cat /etc/SuSE-release 
    SUSE Linux Enterprise Desktop 11 (x86_64)
    VERSION = 11
    PATCHLEVEL = 2

  4. Re: fips openssl RPMs?

    Hi Shawn,

    > [building SLES packages on SLED]

    would it be possible for you to switch to using a SLES build system? Once you install/register the SDK, much of what you need to build packages ought to be available - and an exact match of what you need for your live server.

    Of course, you might try to install the according SLES packages on your SLED system. As I have never had to deal with SLED, I cannot tell what works and what doesn't, sorry I can't help with experience here.

    Regards,
    Jens

  5. Re: fips openssl RPMs?

    That is an option.

    However, in the past, all the packages we needed to develop and build software for SLE were available on our SLED workstations. Running SLES was overkill and unnecessary (from a cost perspective too). I'm assuming that the hmac packages never got pushed to the SLED updates repositories. There is absolutely ZERO mention of these being SLES only. Which means they ought to be available from SLED repositories for our developers.

  6. Re: fips openssl RPMs?

    Hi Shawn,

    best I can do is go ask someone from SuSE - but that may take "a day or two" until I receive a reply. I'll post an update once I know more.

    Regards,
    Jens

  7. Re: fips openssl RPMs?

    Originally posted by jmozdzen:
    > Hi Shawn,
    >
    > best I can do is go ask someone from SuSE

    Ha - I can do better than that.

    From https://www.suse.com/support/update/...120885-1.html:

    > This update adds libopenssl0_9_8-hmac packages, that, when
    > installed, will enforce FIPS 140-2 self-test being run
    > upon first use of the library.
    > [...]
    > Patch Instructions:
    >
    > To install this SUSE Security Update use YaST online_update.
    > Alternatively you can run the command listed for your product:
    > [...]
    > SUSE Linux Enterprise Desktop 11 SP2:
    > zypper in -t patch sledsp1-libopenssl-devel-6521

    Could you please check if this solves your problem?

    Regards,
    Jens

  8. Re: fips openssl RPMs?

    Originally posted by jmozdzen:
    > Could you please check if this solves your problem?
    >
    > Regards,
    > Jens

    Jens, thank you for this. I'll check and get back to you.

  9. Re: fips openssl RPMs?

    Hi shawn_protsman

    Originally posted by jmozdzen:
    > Hi Shawn,
    >
    > best I can do is go ask someone from SuSE - but that may take "a day or two" until I receive a reply. I'll post an update once I know more
    >
    > Regards,
    > Jens

    Apologies to chime in this late in the game.
    I had promised Jens to report back here some time ago already, but things came in between.

    The official answer is that this is not an oversight.

    This appears to be described a little awkwardly, I agree.

    The libopenssl0_9_8-hmac files are required just for FIPS, and there's no plan currently to enable FIPS on SLED.
    They are not required for generic SSL development.

    So if you would require to develop FIPS on SLED, you need to get the SLES packages, they should install just fine.

    If you would require FIPS support on SLED, I would suggest you send me a direct email at hvdheuvel [at] novell [dot] com with your details.
    I can and will bring this to the attention of the appropriate product manager for SUSE Linux Enterprise Desktop.

    Thanks and kind regards
    Hans
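
A check for the outcome of this thread, added here as an example (not from any post or from SUSE): it confirms that the hmac package is installed alongside libopenssl0_9_8 and carries the same version-release. That the two must match exactly is an assumption based on the paired versions in the zypper listing above; the function name and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: verify the FIPS hmac companion matches the OpenSSL library.
# Input on stdin: one "name version-release" line per package, as printed by
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' libopenssl0_9_8 libopenssl0_9_8-hmac
# rpm's "package X is not installed" lines match neither rule, so a missing
# package simply never sets its version.
# Assumption: the hmac package must have the same version-release as the library.
check_fips_pair() {
    awk -v lib="libopenssl0_9_8" '
        $1 == lib            && NF == 2 { libver  = $2 }
        $1 == (lib "-hmac")  && NF == 2 { hmacver = $2 }
        END {
            if (libver == "")      { print "library-missing"; exit 2 }
            if (hmacver == "")     { print "hmac-missing " libver; exit 1 }
            if (hmacver != libver) { print "version-mismatch " libver " " hmacver; exit 1 }
            print "ok " libver
        }'
}

# Constructed sample inputs (not captured from a real system).
# 1) library present, hmac package absent (the SLED situation in this thread)
sample_sled='libopenssl0_9_8 0.9.8j-0.50.1
package libopenssl0_9_8-hmac is not installed'
# 2) both present at the same version-release
sample_sles='libopenssl0_9_8 0.9.8j-0.50.1
libopenssl0_9_8-hmac 0.9.8j-0.50.1'
# 3) library updated, hmac package left at an older release
sample_stale='libopenssl0_9_8 0.9.8j-0.50.1
libopenssl0_9_8-hmac 0.9.8j-0.44.1'

for s in "$sample_sled" "$sample_sles" "$sample_stale"; do
    printf '%s\n' "$s" | check_fips_pair || true
done
```

On a real build host, pipe the `rpm -q --qf` command from the header comment into `check_fips_pair`; a non-zero exit status means the pairing is not in place.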
