>>> When I use FIPS capable OpenSSL through Java JNI, I got error: >>> "3392:error:2D06906F:FIPS routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint >>> does not match nonpic relocated:.\fips\fips.c:236" >>> which means it failed the base address check. >>> Based on OpenSSL FIPS document, I changed to use a different base address >>> such as 0x75000000, then yes it works. >>> Just wandering: >>> (1) Why FIPS capable OpenSSL is doing base address check? >>> >> >> You only get the address check if the in core integrity check fails. The >> reason it does that is to provide a useful diagnostic as to why it has failed. >> > > I succeded in getting this to work using fipsld and also including the link option "-Wl,-Bsymbolic", this was from thread in "mailing.openssl.users " > > titled "FIPS compliant shared object Options" but to be honest I'm not 100% sure if this still creates a valid FIPS shared library that can be used in a > project requiring full FIPS 140-2 compliance?
Just found out that the thread I commented on is only visible via google groups? On openssl-dev the thread I referred to is here: http://www.mail-archive.com/[email protected]/msg52448.html But google groups thread has about 5 other responses? http://groups.google.com/group/mailing.openssl.users/browse_thread/threa d/f7dc6346ffe97750/f75a0e078101eca1?lnk=gst&q=FIPS+shared#f75a0e078101ec a1 -- Iain ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [email protected]
