Re: [Fed-Talk] Disabling sslv2 on ssh
- Subject: Re: [Fed-Talk] Disabling sslv2 on ssh
- From: "Miller, Timothy J." <email@hidden>
- Date: Thu, 26 Feb 2009 10:41:40 -0500
Oh, heck no. FIPS 140 applies to all unclassified cryptographic modules
used in government systems per the Federal Information Security Management
Act (FISMA 44 USC § 3541).
Classified modules and designated national security systems fall under NSA's
purview, where I'm willing to bet OpenSSL is probably going to fly like a
lead balloon.
Whoever's feeding you this from NETWARCOM needs to go back and review his
compliance requirements ASAP. Because the system will get audited and it
will fail on this requirement. There are no statutory processes for FIPS
compliance waivers.
-- Tim
On 2/25/09 9:04 AM, "Losasso, Jonathan E IT3 CCG, N63"
<email@hidden> wrote:
> Word I got was FIPS only applies to non-military agencies and contractors.
> Thus netwarcom's bypass
>
> -Jonathan
>
> -----Original Message-----
> From: Miller, Timothy J. [mailto:email@hidden]
> Sent: Tuesday, February 24, 2009 14:59
> To: Losasso, Jonathan E IT3 CCG, N63; email@hidden
> Subject: Re: [Fed-Talk] Disabling sslv2 on ssh
>
> Not surprised, but you should hit them back on that. FIPS compliance is
> Federal law.
>
> -- Tim
>
>
> On 2/24/09 4:55 PM, "Losasso, Jonathan E IT3 CCG, N63"
> <email@hidden> wrote:
>
>> In order to be compliant with netwarcom, openssl needs to be the
>> newest version (0.9.8j), funny huh.
>>
>> -----Original Message-----
>> From: Miller, Timothy J. [mailto:email@hidden]
>> Sent: Tuesday, February 24, 2009 14:25
>> To: Losasso, Jonathan E IT3 CCG, N63; email@hidden
>> Subject: Re: [Fed-Talk] Disabling sslv2 on ssh
>>
>> On 2/23/09 4:30 PM, "Losasso, Jonathan E IT3 CCG, N63"
>> <email@hidden> wrote:
>>
>>> Tim - We are running the latest version of openssl 0.9.8j, had to
>>> compile on my own as Apple is sometimes slow to release updates, so
>>> not exactly the version that ships with Leopard.
>>
>> Which is still not FIPS compliant. The OpenSSL FIPS Object Module
>> will only work with OpenSSL 0.9.7. See:
>>
>> http://www.oss-institute.org/fips-faq.html
>>
>> http://www.openssl.org/docs/fips/UserGuide-1.1.1.pdf
>>
>> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp733.pdf
>>
>> On how to get FIPS compliant with OpenSSL.
>>
>> This is a DIACAP requirement, so you're going to run into it sooner or
>> later.
>>
>> -- Tim
>>
>