On Fri, Feb 10, 2006, Kyle Hamilton wrote:

> (the 'non-security-policy-compliant' part comes from the extra
> parameter to ./config -- I can't touch the OpenSSL build that's
> already in the system directories, and the security policy states that
> no other parameters can be passed to ./config. [if that's true, it
> should test for it.])
>

The "no extra parameters" rule only applies to the building of the FIPS
module itself. The compiled module could be used by another build of
OpenSSL which does include parameters.

This functionality is not yet integrated completely into the build
system, though this can be done for the Windows VC++ build.

>
> The security policy makes no mention of the requirement to use the
> 'fipsld' command. In fact, the security policy's 'testing' code is
> incorrect (as far as it goes) -- it should, in my view, result in a
> compilable program that can be used to verify that the library will go
> into FIPS mode. (The SP also fails to mention that you can't use the
> library in non-FIPS mode without the use of the fipsld command.)
>

The user guide will be updated to reflect the changes to the
fingerprinting system in due course. It will also contain some
guidelines about the steps an application needs to make to be compliant.

The version of OpenSSL submitted for testing some months ago used this
technique; the changes have, however, only recently been applied to CVS.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]