Okay.  Let's see if I can piece together everything I've learned about
the FIPS experience so far...

FIPS-1.1.2 only generates a static fipscanister, which can only be
used to generate a static library.  (except on Windows, where it can
be built into a shared library.)  This version will only work with
OpenSSL mainline 0.9.7.

FIPS-1.2.0 will allow generation of a static fipscanister which can be
used to generate a dynamic library, on all platforms that support
dynamic libraries.  This version will work with OpenSSL mainline
0.9.8.

FIPS-1.1.2 is the most recent validated fipscanister.  1.2.0 is
currently submitted for review, but there is no timeframe (other than
'it could take until the end of the next ice age') for its validation.

If you want to test the functionality of FIPS-1.2.0, you need to
download the latest openssl-0.9.8-fips-test-SNAP-[date].tar.gz from
the snapshots/ directory, as well as openssl-fips-test-1.2.0.tar.gz
from the same location.

If you want a currently-validated solution, you need
openssl-0.9.7m.tar.gz and openssl-fips-1.1.2.tar.gz.

Anyone got any comments on whether I've gotten this right?

-Kyle H

On Thu, Oct 9, 2008 at 2:45 AM, joshi chandran
<[EMAIL PROTECTED]> wrote:
> Does this mean Windows can generate a shared library of openssl 9.7m with
> openssl fips 1.1.2? I was not able to make the shared library of openssl
> 9.7m when I compiled with the openssl fips 1.1.2 object module on a Unix (AIX)
> system. Does it mean the coming fips version 1.2 will allow shared library
> generation of the openssl 9.8 version?
>
> Thanks
> Joshi
>
> On Fri, Oct 3, 2008 at 6:45 PM, Thomas J. Hruska
> <[EMAIL PROTECTED]> wrote:
>>
>> Dr. Stephen Henson wrote:
>>>
>>> On Thu, Oct 02, 2008, Thomas J. Hruska wrote:
>>>
>>>> Thomas J. Hruska wrote:
>>>>
>>>> Needless to say, given the lack of response, and that further web searching
>>>> reveals issues with older VC++ linkers core dumping(?) against the latest
>>>> MinGW, and that I've already put forth 30+ hours (not counting the preparation
>>>> time of several months!), two CD-Rs, and who knows how much money into an
>>>> attempted production of a default OpenSSL FIPS 140-2 compliant binary build
>>>> for Windows (complete with fancy installer), I'm going to simply hold off
>>>> until 1.2.0 becomes available and then try again at that time.  Mixing
>>>> together binaries from two totally different compilers is not only a bad
>>>> idea, it is a horrifically terrible idea. The fact that this supposedly
>>>> works at all for some people is a miracle.
>>>>
>>>
>>> The 1.1.2 module (which I only became involved with towards the end) was
>>> designed around a Unix build system.
>>>
>>> For the 1.1.2 module it was a choice of mixing compilers or not having any
>>> Windows build at all. It was decided that was better than nothing.
>>>
>>> What version of gcc do you have with MSYS? There are issues with some
>>> versions of gcc.
>>
>> $ gcc --version
>> gcc.exe (GCC) 3.4.5 (mingw-vista special r3)
>> Copyright (C) 2004 Free Software Foundation, Inc.
>> This is free software; see the source for copying conditions.  There is NO
>> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
>>
>>
>> Not that it really matters...
>>
>>
>>>> Supposedly, from what I've read, 1.2.0 doesn't require mixing compilers.
>>>> That should significantly clean things up.  Assuming, of course, "not
>>>> mixing compilers" allows the use of VC++.  If I have to use MinGW, I will be
>>>> very annoyed.  I'm also hoping I can compile against 0.9.8x instead of
>>>> 0.9.7m.
>>>>
>>>
>>> The 1.2 module (which I was involved with from the start) has Windows as a
>>> standard platform. It can be built using VC++ only.
>>>
>>> Steve.
>>
>> Excellent.  I'll just wait for the 1.2 module then.  I know that it could
>> be a long wait of many months since FIPS validation takes a while.
>>
>> BTW, during the FIPS creation process that I used (a set of steps that I
>> plan on using for all releases), I noticed that the 'MD5', 'SHA1', and 'PGP
>> sign' links next to the source code download links at:
>>
>> https://www.openssl.org/source/
>>
>> are broken (not really 'broken' per se, but blank).  I had to go out to
>> the FTP site to get the signatures.
>>
>> --
>> Thomas Hruska
>> Shining Light Productions
>>
>> Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
>> http://www.slproweb.com/
>>
>>
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-users@openssl.org
>> Automated List Manager                           [EMAIL PROTECTED]
>
>
>
> --
> Regards
> Joshi Chandran
>