On 01/08/2014 07:48 AM, Stephan Mueller wrote:
> On Wednesday, 8 January 2014, 13:36:37, Dr. Stephen Henson wrote:
>
> Hi Stephen,
>
>> On Wed, Jan 08, 2014, Abdul Anshad wrote:
>>> Hello All,
>>>
>>> I noticed in trying to build OpenSSL 1.0.0l that, Configure doesn't
>>> accept the fips and --with-fipsdir= arguments. But, the OpenSSL
>>> 1.0.1f and OpenSSL 0.9.8y accepts the same.
>>>
>>> Does that mean that the OpenSSL 1.0.0l won't support fips mode? Is
>>> the branch OpenSSL 1.0.0 still under fips validation?

OpenSSL proper has never been FIPS 140-2 validated and never will be. The OpenSSL FIPS Object Module v2.0 is the thing that is validated, and that's a separate and distinct software component. This question here is which versions of OpenSSL are compatible with the FIPS module.

> The descriptions of the OpenSSL FIPS security policy (e.g. section
> 4.2.3) hint to using the "regular" OpenSSL library version which can be
> compiled to use the fipsified OpenSSL version as a crypto-backend. IIRC
> this is what the above mentioned configure options hint to.

You mean the FIPS module User Guide, not the Security Policy. I'm not sure what hint you're getting from section 4.2.3 which states:

"Once the validated FIPS Object Module has been generated it is usually combined with an OpenSSL distribution in order to provide the standard OpenSSL API. Any 1.0.1 release can be used for this purpose."

I thought that rather specifically excluded 1.0.0 along with all other releases that aren't 1.0.1. Should that paragraph also state "Releases other than 1.0.1 cannot be used for this purpose"?

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc
