FIPS mode

Hi,
I need to build/use a FIPS-compliant version of FreeBSD and I don't need VPN stuff.
Is it possible?
Thanks
 
Sure. There’s no magic enable-fips button. Just use FIPS approved crypto for your storage and communications. You may be used to Windows’s enable FIPS setting, which does practically nothing other than prevent you from using more modern algorithms (as well as other unapproved algs) for those services it monitors.
 
security/openssl-devel was certified to FIPS 140-2 on 2022-08-23; certificate #4282.

The FIPS module option defaults to on. Note the port hasn't been updated yet (2022-10-08) to reflect the certificate issuance.
FIPS 140-3 will be required before 2026; the project indicates that should be part of version 3.1 and may be certified sometime in 2024 (the certification process timeline is non-deterministic).
 