[erlang-questions] OTP in FIPS mode ?
Tue Apr 21 18:32:56 CEST 2015
IMHO I think that it would be good if FIPS could be supported by OTP,
especially since the FIPS standards are issued to ensure
computer security and interoperability. I've seen a question about this
at least once before on this list -
I don't know what became of it.
On 04/21/2015 03:48 PM, jonetsu wrote:
> We are using an Erlang-based middleware using OTP, ConfD, which
> must now support FIPS mode. Briefly, FIPS is a U.S. standard
> that imposes a set of crypto parameters (ciphers, algorithms,
> etc.). FIPS applications must use high-level OpenSSL
> methods (the EVP set of methods) since the low-level functions
> will make OpenSSL abort. The application must also call
> FIPS_mode_set(1) to enable this mode for a suitable OpenSSL build
> that supports FIPS.
> OTP uses low-level OpenSSL functions.
> Initially I considered replacing, for instance, the AES_* uses in
> crypto.c by their EVP equivalent, while keeping the interface to
> Erlang intact.
> Now, looking at the extent of the FIPS modifications to the OTP
> code done last year by Dániel Szoboszlay, who worked at Ericsson
> and Erlang Solutions, I wonder about my naïve approach.
> Is anyone here familiar with this FIPS OTP port? Any comments?
> To anyone also familiar with ConfD: do you know of any effort
> done in using this FIPS-enabled OTP code?
> Thanks for any comments and suggestions!