On Oct 30, 2009, at 1:08 PM, Allan Marcus wrote: Ahh, I read Shawn's note more closely and I think he's essentially saying that since Apache doesn't use Apple's crypto engine, it's not FIPS out of the box.
This is a can of worms I'm hoping not to open where I work, but Mac OS X default encryption (anything that uses ssl/ssh) isn't FIPS certified :-( Probably one of the reasons we aren't seeing an FDCC for Mac; pull the string far enough and one pretty much can't use a Mac for the federal government.
I would love to hear if anyone has resolved this issue.
--- Thanks,
Allan Marcus
Allan,
Yes, after your second read you were closer to the actual statements I made in the message. :-)
I was indeed stating that Apache in Mac OS X is not using a version of OpenSSL that is utilizing a FIPS validated crypto module, but that if Mark wanted to attempt to achieve compliance and use the same Apache, he could try to wedge in a FIPS validated version of OpenSSL.
I do, however, feel the need to challenge your comments above.....
This is a can of worms I'm hoping not to open where I work, but Mac OS X default encryption (anything that uses ssl/ssh) isn't FIPS certified :-(
Your reference to default and then to SSL/SSH seems it could possibly confuse some on this list, so I'd like to break it out and clarify....
Mac OS X's built-in Cryptographic Service Provider (CSP) Software Module is currently in process for FIPS 140-2 Level 1 Conformance Validation.
OpenSSL on Mac OS X 10.5/10.6 is not compiled using their FIPS validated crypto module
OpenSSH uses the installed OpenSSL on the platform (see above)
Apache on Mac OS X uses OpenSSL (see above)
Probably one of the reasons we aren't seeing an FDCC for Mac;
I'm not sure how you can make such a jump here. The above situation regarding Apache/OpenSSL/OpenSSH has no impact on when or how you will see an FDCC for Mac. In fact, the SDC will be first, followed by the FDCC. The work on this has wound down, but it must still travel through the formal sign-off process.
pull the string far enough and one pretty much can't use a Mac for the federal government.
This is just a false statement.....
- Shawn _____________________________________________________ Shawn Geddis - Security Consulting Engineer - Apple Enterprise