>Short answer: no. There's more to running an application in FIPS approved mode
>than just linking against a properly generated fipscanister.o. Please refer to
>the definitive reference, the Security Policy
>(http://csrc.nist.gov/cryptval/140-1/140sp/140sp733.pdf), especially sections
>4 and 5. The User Guide at http://www.openssl.org/docs/fips/UserGuide-1.1.1.pdf
>may also be of value.
>
>In particular your application *must* actively enable FIPS mode, which is done
>via a call to FIPS_mode_set(). If the OPENSSL_FIPS environment variable is set
>the openssl command does so, but this feature is really only intended for
>testing purposes.
>
>-Steve M.
>
>--
>Steve Marquess

Steve:

So, setting the environment variable OPENSSL_FIPS (giving it any value at all,
or some specific value like "Y"?) before invoking the openssl command line
utility would cause it to call FIPS_mode_set(), but that was mainly intended for
testing purposes and may be removed at some point in the future?

I gather the developers don't think of operating the openssl command utility in
a FIPS mode as being all that important to their potential users.  Are they
thinking most users are interested in developing their own applications that
link against fipscanister.o?

That environment variable is just what I need, BTW.  Please don't remove it in
the future.  I am tasked with backing up logs with sensitive information to DVD
media in a unix environment.  I have to encrypt the logs with AES 256 and am
only allowed to use FIPS 140-2 certified software to do that (I'm working as a
contractor at DHS, actually).  Using the openssl command line utility in a FIPS
certified mode to encrypt the logs would solve my problem simply and elegantly.

If I can't do that, I have to use commercial encryption software running on a
Windows machine (my main choices seem to be WinMagic SecureDoc and WinZip) and
transfer the logs to it from the unix server they originate on over the local
network.  That is many times more complicated than using the openssl utility
compiled from openssl-fips-1.1.1 (with "config fips") after setting the
environment variable OPENSSL_FIPS.

Thanks for all your help, BTW, and to the other people on the list who have
replied to me.  You are all being very helpful.

Chris Marshall

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
