[erlang-questions] OTP in FIPS mode ?
Niclas Eklund
nick@REDACTED
Tue Apr 21 18:32:56 CEST 2015
Hi!
IMHO I think that it would be good if FIPS could supported by OTP,
especially since the purpose of the FIPS standards are issued to ensure
computer security and interoperability. I've seen a question about this
at least once before on this list before -
http://erlang.org/pipermail/erlang-questions/2012-April/065902.html But
I don't know what became of it.
Best regards,
Nick
On 04/21/2015 03:48 PM, jonetsu wrote:
> Hello,
>
> We are using an Erlang-based middleware using OTP, ConfD, which
> must now support FIPS mode. Briefly, FIPS is a U.S. standard
> that imposes a set of crypto parameters (ciphers, algorithms,
> etc...). FIPS-applications must use high-level OpenSSL
> methods (The EVP set of methods) since the low-level functions
> will make OpenSSL abort. The application must also call
> FIPS_mode_set(1) to enable this mode for a suitable OpenSSL build
> that supports FIPS.
>
> OTP uses low-level OpenSSL functions.
>
> Initially I considered replacing, for instance, the AES_* uses in
> crypto.c by their EVP equivalent, while keeping the interface to
> Erlang intact.
>
> Now, looking at the extent of the FIPS modifications to the OTP
> code done last year by Dániel Szoboszlay, who worked at Ericsson
> and Erlang Solutions, I wonder about my naïve approach.
>
> Are anyone here familiar with this FIPS OTP port ? Any comments
> ? To anyone also familiar with ConfD: do you know of any effort
> done in using this FIPS-enabled OTP code ?
>
> Thanks for any comments and suggestions !
>
> Regards.
>
>
>
>
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
More information about the erlang-questions
mailing list