[erlang-questions] OTP in FIPS mode ?

Drew Varner drew.varner@REDACTED
Tue Apr 21 20:22:05 CEST 2015


Here’s the discussion on a FIPS pull request that’s now closed: https://github.com/erlang/otp/pull/377

- Drew

> On Apr 21, 2015, at 12:32 PM, Niclas Eklund <nick@REDACTED> wrote:
> 
> Hi!
> 
> IMHO I think that it would be good if FIPS could be supported by OTP, especially since the FIPS standards are issued to ensure computer security and interoperability. I've seen a question about this at least once before on this list - http://erlang.org/pipermail/erlang-questions/2012-April/065902.html But I don't know what became of it.
> 
> Best regards,
> 
> Nick
> 
> 
> On 04/21/2015 03:48 PM, jonetsu wrote:
>> Hello,
>> 
>> We are using an Erlang-based middleware using OTP, ConfD, which
>> must now support FIPS mode.  Briefly, FIPS is a U.S. standard
>> that imposes a set of crypto parameters (ciphers, algorithms,
>> etc...).  FIPS-applications must use high-level OpenSSL
>> methods (The EVP set of methods) since the low-level functions
>> will make OpenSSL abort.  The application must also call
>> FIPS_mode_set(1) to enable this mode for a suitable OpenSSL build
>> that supports FIPS.
>> 
>> OTP uses low-level OpenSSL functions.
>> 
>> Initially I considered replacing, for instance, the AES_* uses in
>> crypto.c by their EVP equivalent, while keeping the interface to
>> Erlang intact.
>> 
>> Now, looking at the extent of the FIPS modifications to the OTP
>> code done last year by Dániel Szoboszlay, who worked at Ericsson
>> and Erlang Solutions, I wonder about my naïve approach.
>> 
>> Is anyone here familiar with this FIPS OTP port ?  Any comments
>> ? To anyone also familiar with ConfD: do you know of any effort
>> done in using this FIPS-enabled OTP code ?
>> 
>> Thanks for any comments and suggestions !
>> 
>> Regards.
>> 
>> 
>> 
>> 
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
> 
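
As an added example (not part of the thread and not OTP code), one way to inventory the low-level OpenSSL calls that the quoted message says would have to be replaced by their EVP equivalents before FIPS mode can be enabled. The family list, the sample C snippet and the function name `find_low_level_calls` are assumptions made for this illustration.

```python
import re

# Low-level OpenSSL families mapped to the EVP entry point a port would use.
# Illustrative subset chosen for this example, not an exhaustive list.
EVP_FOR = {
    "AES": "EVP_EncryptInit_ex/EVP_DecryptInit_ex + EVP_aes_*()",
    "DES": "EVP_EncryptInit_ex/EVP_DecryptInit_ex + EVP_des_*()",
    "RC4": "EVP_EncryptInit_ex + EVP_rc4()",
    "MD5": "EVP_DigestInit_ex + EVP_md5()",
    "SHA1": "EVP_DigestInit_ex + EVP_sha1()",
    "SHA256": "EVP_DigestInit_ex + EVP_sha256()",
}

# Comments and string literals, blanked out so they cannot produce matches.
_NOISE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"', re.DOTALL)
# A call such as AES_cbc_encrypt( or the one-shot MD5( ; EVP_* never matches
# because "_" is a word character, so \b fails inside EVP_aes_128_cbc.
_CALL = re.compile(r"\b((%s)(?:_\w+)?)\s*\(" % "|".join(EVP_FOR))

# Constructed sample input, written for this example (not OTP's crypto.c).
SAMPLE = r'''#include <openssl/aes.h>
/* old path: AES_encrypt(in, out, &k); */
void enc(const unsigned char *key, unsigned char *iv) {
    AES_KEY k;
    AES_set_encrypt_key(key, 128, &k);
    AES_cbc_encrypt(in, out, len, &k, iv, AES_ENCRYPT);
    // MD5_Init(&md5);
    EVP_DigestInit_ex(ctx, EVP_sha256(), NULL);
    puts("SHA1_Init( inside a string");
}
'''


def find_low_level_calls(c_source):
    """Return [(line_no, function, evp_hint)] for low-level OpenSSL calls."""
    # Replace noise with spaces but keep newlines so line numbers stay correct.
    clean = _NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), c_source)
    hits = []
    for m in _CALL.finditer(clean):
        line_no = clean.count("\n", 0, m.start()) + 1
        hits.append((line_no, m.group(1), EVP_FOR[m.group(2)]))
    return hits


if __name__ == "__main__":
    for line_no, func, hint in find_low_level_calls(SAMPLE):
        print("line %d: %s -> port to %s" % (line_no, func, hint))
```

Types and constants such as `AES_KEY` or `AES_ENCRYPT` are not reported because only identifiers followed by `(` count as calls.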
