> Hi,
>
> I'm using openssl (*openssl-0.9.8r.tar.gz*) in a project, and now we
> want to certify the software with FIPS certification. My question is
> whether we must have *openssl-fips-1.2.3.tar.gz* to use the OpenSSL FIPS
> Object Module? In the *openssl-0.9.8r.tar.gz* project we already have some
> fips files. What is the difference between
> *openssl-fips-1.2.3.tar.gz* and *openssl-0.9.8r.tar.gz*?
>
> In the User Guide I read the following:
>
> "The FIPS Object Module is the special monolithic object module built
> from the special source distribution identified in the Security
> Policy. It is not the same as the OpenSSL product or any specific
> official OpenSSL distribution release."
If you just want to experiment with the source then you will find code relevant to FIPS 140-2 functionality in most recent distributions. If you want to build a FIPS module and claim that it is FIPS 140-2 validated (n.b.: validated, not certified), that is something else entirely. To make that claim you must follow the procedures outlined in the relevant Security Policy document (for instance, http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1051.pdf) where you will see the source code you must start with is uniquely identified.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877-673-6775
[email protected]
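The reply's point is that a validated build must start from the exact source distribution the Security Policy identifies, which it does by publishing a digest of the tarball. The following shell helper is an added example, not code from the thread or from the OpenSSL project: it compares a downloaded tarball's SHA-1 against the digest you copy from the Security Policy, so a build that starts from the wrong file is caught before any compile step. The digest shown in the usage comment is a placeholder, not the real value for any release; `verify_fips_source` and the fallback to `openssl sha1` are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify a FIPS source tarball against the digest published
# in its Security Policy before building. The Security Policy is the only
# authoritative source for the expected digest; the value in the usage
# comment below is a PLACEHOLDER, not a real release digest.

# sha1_of FILE -> prints the hex SHA-1 digest of FILE.
# Uses sha1sum where available, else `openssl sha1 -r`; both print the
# digest as the first whitespace-separated field.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        openssl sha1 -r "$1" | cut -d' ' -f1
    fi
}

# verify_fips_source FILE EXPECTED_SHA1
# Returns 0 when FILE's digest equals EXPECTED_SHA1, 1 otherwise
# (including when FILE does not exist). Digest comparison is
# case-insensitive because policies sometimes print uppercase hex.
verify_fips_source() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "MISSING: $file" >&2
        return 1
    fi
    actual=$(sha1_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the Security Policy digest"
        return 0
    fi
    echo "MISMATCH: $file does not match the Security Policy digest" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Usage (placeholder digest; take the real one from the Security Policy):
#   sh verify_fips_source.sh openssl-fips-1.2.3.tar.gz <SHA1-FROM-SECURITY-POLICY>
if [ "$#" -eq 2 ]; then
    verify_fips_source "$1" "$2"
fi
```

Run it only after the tarball has been fetched exactly as the Security Policy describes; a digest match establishes that you are starting from the identified source, not that the resulting build is validated, which still depends on following the rest of the policy's build procedure.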
