Re: [Fed-Talk] OpenSSL
- Subject: Re: [Fed-Talk] OpenSSL
- From: Paul Nelson <email@hidden>
- Date: Fri, 01 Mar 2013 11:12:26 -0600
You can obtain OpenSSL FIPS 1.2.4 (NIST cert #1051). This version has been validated for use on Mac OS X.
You need another OpenSSL distro such as 0.9.8 to build WITH the FIPS version.
Remember that the FIPS version should not be used by itself, but in combination with a more recent distro that has the updated non-crypto parts (TLS etc).
0.9.8 is pretty good.
Building OpenSSL is not simple since there are no directions for Mac OS X in the Security Policy, but it isn't too bad.
The Security Policy doc is here:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1051.pdf
Also see:
http://www.openssl.org/docs/fips/fipsnotes.html
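As an added example (not code from any poster in this thread), a small POSIX shell script that pulls the OpenSSL version out of a tool's version banner, such as the `ssh -V` output quoted below, and flags it when it is older than a chosen baseline; the baseline value and the sample banners are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: extract the OpenSSL version from a version banner and
# compare it against a baseline. Sample banners and baseline are constructed.

# Print the OpenSSL version token (e.g. 0.9.8r) found in a banner line.
openssl_version_of() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Turn "0.9.8r" into a sortable key "major minor patch letter-index"
# ("0.9.8r" -> "0 9 8 18", "1.0.0d" -> "1 0 0 4"); no letter counts as 0.
version_key() {
    v=$1
    num=${v%%[a-z]*}            # numeric part, e.g. 0.9.8
    letter=${v#"$num"}          # trailing patch letter, may be empty
    major=${num%%.*}; rest=${num#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0
    if [ -n "$letter" ]; then
        idx=$(printf '%d' "'$letter"); idx=$((idx - 96))   # a=1 ... z=26
    else
        idx=0
    fi
    printf '%d %d %d %d\n' "$major" "$minor" "$patch" "$idx"
}

# Exit status 0 when version $1 is older than baseline $2, 1 otherwise.
version_older_than() {
    set -- $(version_key "$1") $(version_key "$2")
    i=0
    while [ "$i" -lt 4 ]; do
        [ "$1" -lt "$5" ] && return 0
        [ "$1" -gt "$5" ] && return 1
        shift; i=$((i + 1))
    done
    return 1
}

# Print "<version> OK" or "<version> STALE"; status 1 when stale, 2 if no version.
check_banner() {
    ver=$(openssl_version_of "$1")
    [ -z "$ver" ] && { echo "no OpenSSL version found"; return 2; }
    if version_older_than "$ver" "$2"; then echo "$ver STALE"; return 1; fi
    echo "$ver OK"
}

BASELINE="1.0.0d"   # constructed baseline (the MacPorts version mentioned below)
# Constructed banners; the first is the ssh -V output quoted in the thread.
check_banner "OpenSSH_5.9p1, OpenSSL 0.9.8r 8 Feb 2011" "$BASELINE" || true
check_banner "OpenSSL 1.0.1e 11 Feb 2013" "$BASELINE" || true
```

Run it against the real output of `ssh -V` or `openssl version` to inventory which OpenSSL a given tool was built against.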
On Mar 1, 2013, at 10:56 AM, "Marcus, Allan B" <email@hidden> wrote:
> To clarify:
>
> "the programmatic interface to OpenSSL is deprecated in OS X and is not
> provided in iOS. Use of the Apple-provided OpenSSL libraries by apps is
> strongly discouraged."
>
> However, Apple's own ssh tool still uses it:
>
> $ ssh -V
> OpenSSH_5.9p1, OpenSSL 0.9.8r 8 Feb 2011
> $ sw_vers
> ProductName: Mac OS X
> ProductVersion: 10.8.2
>
> So, anyone know if Apple will follow its own advice and use the CFNetwork
> API for SSH?
>
> Alternatively, does anyone know of an ssh tool on Mac that uses an up-to-date
> OpenSSL or the CFNetwork API?
>
> Note also that OpenSSL on MacPorts is @1.0.0d, which is from Feb 2011.
>
> --
> Thanks,
>
> Allan Marcus
> Chief IT Architect
> Los Alamos National Laboratory
> 505-667-5666
> email@hidden
>
> On 3/1/13 8:47 AM, "Fiumara, Gregory" <email@hidden> wrote:
>
>> On Mar 1, 2013, at 10:33 AM, Oliver, John N JR CTR SPAWARSYSCEN-PACIFIC, 53223 wrote:
>>
>>> Anyone have any word on when Apple might update their ancient OpenSSL?
>>
>> Never. OpenSSL is deprecated as of 10.7, citing the move to CommonCrypto.
>>
>> http://developer.apple.com/library/mac/#documentation/security/Conceptual/cryptoservices/SecureNetworkCommunicationAPIs/SecureNetworkCommunicationAPIs.html
>>
>> -Greg
>>
>> --
>> Greg Fiumara
>>
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Fed-talk mailing list (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden