RE: A FIPS-capable libcurl - How To Mod libcurl to Incorporate OpenSSL built with the OSSI FIPS Object Module

From: Welling, Conrad Gerhart <>
Date: Tue, 24 Apr 2007 22:52:31 -0700

Dan, that's a BREATH-TAKINGLY "...long certification checklist ...". However, only the FOM must be built on a "gov certified" platform (I temporarily forget the applicable government acronym ... there are so many I've started storing them in those vacuum bags that you suck the air out of with a vacuum cleaner).
My point of view (until it changes tomorrow) is that I can take a "certified" FOM, link it into OpenSSL, then into libcurl with a curl_easy_setopt() option for turning FIPS mode on, and then share the pkg with my friends on the commercial side of the building (who seem to feel sorry for me) without rebuilding again.
And, yes, it seems likely that there's no reason - as in my app - to turn the FIPS mode off once it's been turned on.
Also, note that the FOM User Guide on Page 60 says ...
        "When invoked with ONOFF of zero FIPS_mode_set() exits FIPS mode"

-----Original Message-----
[] On Behalf Of Dan Fandrich
Sent: Tuesday, April 24, 2007 10:11 PM
Subject: Re: A FIPS-capable libcurl - How To Mod libcurl to Incorporate OpenSSL built with the OSSI FIPS Object Module

On Tue, Apr 24, 2007 at 08:39:44PM -0700, Welling, Conrad Gerhart wrote:
> Not sure if this is helpful, but, who cares. If I can help just one person in
> this crazy world, my life will have been fulfilled.


> Here are my mods to the curl library to incorporate the OSSI FIPS Object Module
> (FOM) in OpenSSL and the curl library (I'm developing a FIPS-capable Windows
> service using HTTPS). This is a terse posting of the changes I made to libcurl
> if(0 == (fipscode = FIPS_mode_set(data->set.ssl.fips.pre_state))) {

It looks like it all boils down to this line, which enables/disables FIPS
mode. Just what does FIPS mode really do, and is it likely to be turned
on and off during normal operation by an app or is it more likely to be
simply turned on and left on? Given that the only users of this are
government users with a long certification checklist, and are probably
going to have to build their libcurl anyway to get their app FIPS
certified, is it a valid possibility to turn this into a compile-time option
instead of a run-time one? That would mean those developers would need
to compile their own libcurl and configure it with --enable-fips, which
would unconditionally call FIPS_mode_set to always turn it on.

>>> Dan

Received on 2007-04-25
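The two policies argued over in this exchange (a run-time option that toggles FIPS mode via FIPS_mode_set(), versus a compile-time --enable-fips that turns it on unconditionally and never off) can be written down as one small wrapper. The code below is an added example, not code from the original post and not libcurl's own code. The names curl_fips_apply, curl_fips_policy and curl_fips_is_on are hypothetical. When built with -DUSE_REAL_OPENSSL_FIPS it calls the real OpenSSL 1.0.x FIPS_mode_set()/FIPS_mode() from <openssl/crypto.h>; otherwise a constructed stand-in models the documented behaviour (FIPS_mode_set(1) fails and leaves the mode off if the module's self tests fail; FIPS_mode_set(0) exits FIPS mode) so the example builds and runs without a FIPS-capable libcrypto.

```c
/* Added example: a wrapper around OpenSSL's FIPS_mode_set()/FIPS_mode()
 * that implements the "run-time option" and "compile-time, always on"
 * policies discussed in the thread. curl_fips_* names are hypothetical. */
#include <stdio.h>

#ifdef USE_REAL_OPENSSL_FIPS
#include <openssl/crypto.h>   /* OpenSSL 1.0.x: int FIPS_mode_set(int); int FIPS_mode(void); */
#include <openssl/err.h>
#else
/* Constructed stand-in for OpenSSL 1.0.x (assumption: not real libcrypto).
 * FIPS_mode_set(1) runs the FOM's power-on self tests and returns 0 on
 * failure, leaving FIPS mode off; FIPS_mode_set(0) exits FIPS mode. */
static int fake_fips_state = 0;
static int fake_selftest_fails = 0;

static int FIPS_mode_set(int onoff)
{
    if (onoff && fake_selftest_fails)
        return 0;                      /* self tests failed: stay out of FIPS mode */
    fake_fips_state = onoff ? 1 : 0;
    return 1;
}

static int FIPS_mode(void) { return fake_fips_state; }

/* Test hook for the stand-in only: make the next FIPS_mode_set(1) fail. */
void curl_fips_demo_force_selftest_failure(int fail) { fake_selftest_fails = fail; }
#endif

enum curl_fips_policy {
    CURL_FIPS_RUNTIME_OPTION,  /* app toggles via a (hypothetical) curl_easy_setopt option */
    CURL_FIPS_COMPILE_TIME     /* built with --enable-fips: forced on, never turned off */
};

int curl_fips_is_on(void) { return FIPS_mode() ? 1 : 0; }

/* Apply the requested state under the given policy.
 *  0  success (mode now as requested, or already was)
 * -1  refused: a compile-time FIPS build will not leave FIPS mode
 * -2  FIPS_mode_set(1) failed (self tests failed / FIPS module absent);
 *     the caller must not proceed as if it were in FIPS mode. */
int curl_fips_apply(enum curl_fips_policy policy, int want_on)
{
    want_on = want_on ? 1 : 0;

    if (policy == CURL_FIPS_COMPILE_TIME && !want_on)
        return -1;

    /* Don't call FIPS_mode_set() again if we are already in the requested
     * state; re-entering FIPS mode re-runs the self tests for no benefit. */
    if (curl_fips_is_on() == want_on)
        return 0;

    if (!FIPS_mode_set(want_on)) {
#ifdef USE_REAL_OPENSSL_FIPS
        ERR_print_errors_fp(stderr);   /* the reason is left on the OpenSSL error queue */
#endif
        return -2;
    }
    return 0;
}

int main(void)
{
    /* Library init in a --enable-fips build: unconditionally enter FIPS mode. */
    printf("compile-time on : %d (fips=%d)\n",
           curl_fips_apply(CURL_FIPS_COMPILE_TIME, 1), curl_fips_is_on());
    /* An app asking to leave FIPS mode is refused in that build. */
    printf("compile-time off: %d (fips=%d)\n",
           curl_fips_apply(CURL_FIPS_COMPILE_TIME, 0), curl_fips_is_on());
    /* With the run-time option, FIPS_mode_set(0) really does exit FIPS mode. */
    printf("runtime off     : %d (fips=%d)\n",
           curl_fips_apply(CURL_FIPS_RUNTIME_OPTION, 0), curl_fips_is_on());
    return 0;
}
```

Build against a FIPS-capable OpenSSL 1.0.x with `cc -DUSE_REAL_OPENSSL_FIPS fips_wrap.c -lcrypto`; without that define it uses the stand-in. The important checks are the two that the quoted one-liner `if(0 == (fipscode = FIPS_mode_set(...)))` only hints at: a failed FIPS_mode_set(1) must abort rather than silently run non-FIPS, and a compile-time FIPS build should never honour a request to switch the mode off.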