OpenSSL itself is not FIPS-validated and is not on the list.  However,
the "OpenSSL FIPS Object Module (software version 1.2)" is on that
list, with certificate number 1051.
(http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/140crt1051.pdf)
 The reason you're not seeing it is likely because there are several
versions of the list, and you are perhaps looking at one of the
year-specific ones.  You should look at
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
for all validated modules.

Regarding the "OpenSSL FIPS Object Module" (we simply call it
openssl-fips): you *must* read the Security Policy (available from
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1051.pdf)
in order to learn how to ensure that you have a validated module, and
a version of the OpenSSL library that uses it.  If you do not follow
the instructions in the Security Policy *exactly* (including "you
cannot do anything to start the process except untar it, run your
choice of ONE of the four configuration lines, and build it"
constraints), you will not build a validated module.

You *should* read the User Guide at
http://openssl.org/docs/fips/UserGuide-1.2.pdf in order to figure out
how to use it properly, as a pragmatic matter.  The User Guide is not
part of the validated package, and thus can be revised; if you find
anything that is unclear in it please send the location of the text,
the text, and the question you have about it to r...@openssl.org so that
it can be clarified in the next revision.

-Kyle H

On Fri, Jun 12, 2009 at 8:56 AM, Lovette, Steve<steve.love...@lmco.com> wrote:
> Team
>  In the NIST list of FIPS 140-2 certified products & algorithms I do not see 
> OpenSSL on that list. Are you embedding (hope) a certified product and/or 
> algorithm that I am unaware of. This for us has become a hot item. Is it 
> possible that I could get an answer from someone today or over the weekend? 
> Any insight you can provide is greatly appreciated.
>
> Steve Lovette
>
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org 
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Steve Marquess
> Sent: Monday, March 09, 2009 7:23 AM
> To: openssl-users@openssl.org
> Subject: Re: FIPS
>
> Kyle Hamilton wrote:
>>  On Mon, Mar 2, 2009 at 1:49 PM, Dr. Stephen Henson
>>  <st...@openssl.org> wrote:
>> > ... The set of FIPS compatible ciphersuites is represented by the
>> > string "FIPS".
>> >
>> > In FIPS mode you cannot select any other ciphersuites: non FIPS
>> > ciphersuites are disabled.
>>
>>  Would it make any sense to allow an administrator to attempt to
>>  ensure FIPS-compliant mode via the use of the "FIPS" protocol string,
>>  making it an error if the library is not in FIPS mode?
>
> Ummm, I'd say no.  I've found the FIPS designation handy for checking to
> see if applications work with FIPS compatible algorithms, without being
> in FIPS mode or using validated software.  Ironically I was doing that
> very check on a DoD web server just as your message arrived.
>
> Note that while procurement of FIPS validated software is formally
> mandated in DoD, compliance is spotty.  But even where non-validated
> crypto is used the FIPS compatible algorithms should still be utilized.
> Compliance in that regard is better, though still far from universal.  I
> configure all crypto I work on for my DoD clients to use only the FIPS
> compatible algorithms.  If nothing else that will ease an eventual
> transition to validated software.
>
>>  In FIPS mode, can specific FIPS-validated ciphers be enabled or
>>  disabled after the "FIPS" protocol string is provided?
>
> Yes, and I'd argue that is as it should be.  The "FIPS" label in that
> context is just shorthand for a set of algorithms.
>
> -Steve M.
>
> --
> Steve Marquess
> Veridical Systems, Inc.
> marqu...@veridicalsystems.com
>
>
>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-us...@openssl.org
> Automated List Manager                           majord...@openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-us...@openssl.org
> Automated List Manager                           majord...@openssl.org
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

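The exchange above treats the "FIPS" cipher string as shorthand for "the ciphersuites built only from FIPS-approved algorithms", and Steve Marquess describes using it to check whether an application works with FIPS-compatible algorithms without running in FIPS mode or with a validated module. The script below is an added example, not code from the thread or from the OpenSSL project: it parses lines in the `openssl ciphers -v` output format, classifies each suite by the rule "encryption must be AES or three-key 3DES, the MAC must be a SHA family hash, and no export-grade suites", and then reports which of an application's configured suites fall outside that set. That rule is my own summary of the FIPS 140-2 approved symmetric and hash algorithms of the 1.2-era module; it judges only the cipher and MAC fields, not key exchange or authentication, and it is not OpenSSL's own internal table behind the "FIPS" alias. The sample cipher lines are constructed for the example.

```python
"""Check ciphersuites (in `openssl ciphers -v` format) for FIPS-compatible algorithms.

Added example; the classification rule and the sample lines are assumptions
made for illustration, not the OpenSSL project's own "FIPS" alias table.
"""
import re

# Constructed sample in the `openssl ciphers -v` column layout (not real tool output).
SAMPLE_CIPHERS_V = """\
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
"""

# One `ciphers -v` line: name, protocol, Kx=, Au=, Enc=, Mac=, optional "export".
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ver>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?"
)


def parse_ciphers_v(text):
    """Return a list of dicts, one per parseable `ciphers -v` line."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append(m.groupdict())
    return suites


def fips_reason(suite):
    """Return None if the suite uses only approved cipher/MAC algorithms, else why not.

    Assumed rule: AES or three-key 3DES for encryption, SHA-family MAC,
    no export-grade suites. Key exchange and authentication are not judged.
    """
    if suite["export"]:
        return "export-grade key sizes"
    enc = suite["enc"]
    if not (enc.startswith("AES(") or enc == "3DES(168)"):
        return "non-approved cipher %s" % enc
    mac = suite["mac"]
    if not mac.startswith("SHA"):
        return "non-approved MAC %s" % mac
    return None


def non_fips_suites(text):
    """Map each non-compatible suite name in the listing to the reason it fails."""
    result = {}
    for suite in parse_ciphers_v(text):
        reason = fips_reason(suite)
        if reason:
            result[suite["name"]] = reason
    return result


def app_suites_outside_fips(app_suites, text):
    """Names from an application's configured list that are not in the
    FIPS-compatible subset of the listing (the check Steve describes, without
    needing FIPS mode)."""
    compatible = {s["name"] for s in parse_ciphers_v(text) if fips_reason(s) is None}
    return [name for name in app_suites if name not in compatible]


if __name__ == "__main__":
    for name, reason in sorted(non_fips_suites(SAMPLE_CIPHERS_V).items()):
        print("%-20s %s" % (name, reason))
    # A hypothetical application cipher list, constructed for the example.
    print(app_suites_outside_fips(["AES256-SHA", "RC4-SHA", "DES-CBC3-SHA"],
                                  SAMPLE_CIPHERS_V))
```

In practice the listing would come from `openssl ciphers -v` on the library the application links against, and the "export" and "None" fields are exactly the ones that disappear from the output once the library is in FIPS mode, which is the behaviour Dr. Henson describes.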