[gnutls-help] Compiling with the FIPS option
jonetsu at teksavvy.com
jonetsu at teksavvy.com
Tue Jan 27 00:15:34 CET 2015
On Thu, 15 Jan 2015 12:43:10 +0100
Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> It works transparently. The checks are executed on library load, and
> the default algorithm sets are modified to contain only the FIPS140-2
> allowed ciphers.
Hello,
It seems to be fine. With GNUTLS_FORCE_FIPS_MODE=1 and
GNUTLS_DEBUG_LEVEL=7 the output ends in:
% gnutls-cli --fips140-mode
gnutls[2]: Enabled GnuTLS logging...
gnutls[2]: FIPS140-2 mode: 1
gnutls[2]: AES-128-CBC self check succeeded
gnutls[2]: Intel SSSE3 was detected
gnutls[2]: Intel AES accelerator was detected
[ snip ]
gnutls[2]: Successfully verified library MAC for libgmp.so.10
library is in FIPS140-2 mode
A question regarding the hmac files. The following was previously
seen for all library files apart from GnuTLS itself:
gnutls[2]: Could not open
/usr/lib/x86_64-linux-gnu/.libnettle.so.4.hmac for MAC testing: Error
while reading file.
gnutls[2]: Could not open
/usr/lib/x86_64-linux-gnu/fipscheck/libnettle.so.4.hmac for MAC
testing: Error while reading file.
I had to create a fipscheck/ subdirectory and copy all hmac files
generated by fipshmac there. So now there are hmac files in the
parent directory (prefixed by a dot) and in this fipscheck directory.
Why is this redundancy needed ?
Regards.
More information about the Gnutls-help
mailing list