> The part about the PRNG is in question? How did people pre-OpenSSL FIPs get > validated when they used OpenSSL? Did they have to modify the OpenSSL code > and add their own PRNG that would pass?
Are there any FIPS certified apps that use openssl? If there are any, the short answer is that yes, they replaced the non-compliant code with code and got that certified. Depending on how the organization, if they already had a FIPS library, they probably ripped out most of openssl and treated the TLS library as an application that used their own crypto. I'm just speculating, mind you. /r$ -- SOA Appliance Group IBM Application Integration Middleware ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]