Manualshelf

OpenSSL Release Notes (5900-1560, August 2011)

ManualsBrandsHP ManualsSoftwareHP-UX OpenSSL Software
16171819202122232425
Consider a client-server application sending and receiving unencrypted data over the network.
You now want to achieve a higher level of security for your application. The following methods
describe how to use OpenSSL technology to encrypt client/server communication:
You can modify client and server code using OpenSSL functions. This method gives you
the highest degree of flexibility and control regarding the features and how you implement
them.
You can set up a Stunnel-based environment in which data from the client application is
sent to a Stunnel client instead of to the server. The Stunnel client encrypts the data using
OpenSSL technology and sends encrypted data to the Stunnel server. The Stunnel server
decrypts the data and sends the original data to the target server application. The same
process is followed when data is sent from the server to the client application. This
approach enables you to secure your client-server application without changing the source
code, but limits you to the features offered by the Stunnel environment.
These are the two distinct choices available to a user application environment that wants
to SSL-encrypt its client-server communication. Both choices are valid. Direct use of the
OpenSSL library clearly provides more options.
20 What is the FIPS relationship to the OpenSSL API?
The FIPS object module is designed for use with the OpenSSL API. Applications linked with
the FIPS object module and with the separate OpenSSL libraries can use both the FIPS-validated
cryptographic functions of the FIPS object module and the high level functions of OpenSSL.
The FIPS object module is the special monolithic object module built from the special source
distribution identified in the Security Policy. It is not the same as the OpenSSL product or any
specific official OpenSSL distribution release.
A version of the OpenSSL product that is suitable for reference by an application along with
the FIPS object module is a FIPS compatible OpenSSL which links against FIPS Object Module
1.1.2 or FIPS Object Module 1.2.
When the FIPS object module and a FIPS compatible OpenSSL are separately built and installed
on a system, the combination is referred to as a FIPS capable OpenSSL.
21 What kind of cryptographic algorithms can be used in FIPS mode?
Table 10 lists the cryptographic algorithms that can and cannot be used in FIPS mode.
Table 10 Cryptographic Algorithms that Can be Used in FIPS mode and Standard OpenSSL
Mode
UsageFIPSStandard OpenSSLAlgorithmAlgorithm Type
Key agreement
Digital signature
Encryption/
Decryption
SupportedSupportedRSAAsymmetric keys
Digital signatureDSA
Key agreementDH
24 OpenSSL A.00.09.08q.001, A.00.09.08q.002, and A.00.09.08q.003