Crypto overhaul

[Julian Elischer]

On 27/10/17 8:38 pm, Wall, Stephen wrote:
> Be aware that moving away from a crypto library that has a FIPS-approved crypto core will have a significant impact on commercial users of FreeBSD who do business with U.S. government (and likely some other governments and corporate sectors as well).  BoringSSL is persuing/has persued FIPS validation, but they offer this warning on their web page:
This is a HUGE issue for $JOB as our government customers require this.
Not having it would result in a rip-out of our product from their 
sites, or us being stranded on the last version supporting openssl.
The alternative is to make sure everything including the base system 
is compiled against the openSSL port, or more precisely the FiPS variant..
(how would one even do that?)

>
>
> Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.
>
>
>
> BearSSL, being a new, small project, is highly unlikely to pursue FIPS certification.  LibreSSL has deliberately stripped anything FIPS related out of their fork, and the project has stated multiple times that it will not come back.
>
>
>
> I am not opposing a change (indeed, consolidating the various crypto sources in FreeBSD to single (FIPS-possible) library would be a good thing) , I just prefer (strongly) that FIPS not be pushed out of the picture.
>
>
>
> -spw
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"
>