Richard Levitte wrote:
>jaltman> One concern with your answer is that it appears to imply that
>jaltman> FIPS certification can only be useful to applications which
>jaltman> statically link in all libraries. Therefore, the openssl
>jaltman> distributions which are shipped by Linux vendors in RPMs
>jaltman> cannot be considered FIPS certified. Correct?
>
>The consequence would be that if OpenSSL is configured with "fips", it
>should be considered to be configured without "shared", regardless of
>the arguments given by the person building/script. Would that be
>regarded as a viable solution?
It would, but there is a complication. Our mechanism doesn't preclude
use of shared libraries per se. In the special case where the path to
the shared library is known (so the *.sha1 file could be located), the
FIPS_mode_set() integrity check will still work. This would be the
case where an application loaded the shared library by explicit pathname,
as with dlopen(). Graeme Perrow posted to the users list his desire
to use such an explicitly loaded shared library, and I have modified the
Security Policy document accordingly. It has not been reviewed and
approved by NIST but based on verbal discussions I think it will be.
So disabling "shared" with "fips" would break that potential use.
-Steve M.
