[erlang-questions] OTP in FIPS mode ?

Niclas Eklund <>
Tue Apr 21 18:32:56 CEST 2015


Hi!

IMHO I think that it would be good if FIPS could be supported by OTP, 
especially since the FIPS standards are issued to ensure 
computer security and interoperability. I've seen a question about this 
at least once before on this list - 
http://erlang.org/pipermail/erlang-questions/2012-April/065902.html But 
I don't know what became of it.

Best regards,

Nick


On 04/21/2015 03:48 PM, jonetsu wrote:
> Hello,
>
> We are using an Erlang-based middleware using OTP, ConfD, which
> must now support FIPS mode.  Briefly, FIPS is a U.S. standard
> that imposes a set of crypto parameters (ciphers, algorithms,
> etc...).  FIPS-applications must use high-level OpenSSL
> methods (The EVP set of methods) since the low-level functions
> will make OpenSSL abort.  The application must also call
> FIPS_mode_set(1) to enable this mode for a suitable OpenSSL build
> that supports FIPS.
>
> OTP uses low-level OpenSSL functions.
>
> Initially I considered replacing, for instance, the AES_* uses in
> crypto.c by their EVP equivalent, while keeping the interface to
> Erlang intact.
>
> Now, looking at the extent of the FIPS modifications to the OTP
> code done last year by Dániel Szoboszlay, who worked at Ericsson
> and Erlang Solutions, I wonder about my naïve approach.
>
> Is anyone here familiar with this FIPS OTP port?  Any comments?
> To anyone also familiar with ConfD: do you know of any effort
> done in using this FIPS-enabled OTP code?
>
> Thanks for any comments and suggestions!
>
> Regards.


