[Openswan dev] _realsetup fipscheck stuff

Paul Wouters paul at xelerance.com
Mon Jul 13 05:32:15 EDT 2009


On Mon, 13 Jul 2009, Tuomo Soini wrote:

> But what if you want non-nss version of openswan on fips enabled system.

The whole point is that you cannot. Because the "you want" is undistinguishable
from "some exploit wants". It's supposed to protect you....

> Now _realsetup has fipscheck calls even when openswan is compiled
> without USE_LIBNSS and USE_FIPSCHECK.
> Compile without USE_FIPSCHECK should mean no fipscheck calls in _realsetup.

That indeed should get fixed.

Paul

