Beth E. Okun wrote:
 Hi,

 I'm wondering about integrating fips into openssl-0.9.8g.  We were
 previously using openssl-0.9.7m, and have noted that the fips1.0
 directory is absent in the 0.9.8g release, and also that the
 "./Configure" script does not contain any of the fips functionality.

 I did note in some of the documentation that there is an
 openssl-0.9.8 fips build, I'm wondering if this is currently
 validated?  Also, is this a build that anyone can download?

 Thank you so much for your time.

 Sincerely,

 Beth E. Okun

You must have just missed the post from Steve Henson:

 The version currently under test is essentially:

 ftp://ftp.openssl.org/snapshot/openssl-fips-test-1.2.0.tar.gz

 Though there are no guarantees it won't change before validation is
 finalised.

 The snapshots such as:

 ftp://ftp.openssl.org/snapshot/openssl-0.9.8-stable-SNAP-20080526.tar.gz


 are based on more recent versions of OpenSSL 0.9.8. They can be
 linked against the 1.2 module (when available) in a similar way to
 0.9.7 and the 1.1.2 module.

Note that the OpenSSL FIPS Object Module (the special validated code) is *not* contained in each and every version of standard OpenSSL. It can't be, because a key aspect of the FIPS 140-2 voodoo is that validated software cannot change at all, and of course the regular OpenSSL releases do change. The FIPS Object Module also has but a small subset of the functionality of regular OpenSSL. It is a separate and distinct, and very specialized, entity.

Because the FIPS Object Module has limited functionality, few will want to use it directly. Instead it is designed to be used in conjunction with certain "FIPS capable" versions of the full OpenSSL product. The FIPS Object Module provides the validated low level cryptography while the FIPS capable OpenSSL provides the familiar OpenSSL API, internally redirecting as appropriate to the FIPS Object Module.

So you want the validated FIPS Object Module v.1.2, which won't be available for a month (or two, or three...) and a FIPS capable 0.9.8 OpenSSL. There is (will be) only one version of the former, while the "FIPS capable" support will be carried forward in future 0.9.8 releases.

-Steve M.

--
Steve Marquess
Open Source Software Institute
[EMAIL PROTECTED]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
