Then is it correct to consider that the code for the FIPS 2.0 validation (in terms of the cryptographic algorithms, not including the FIPS-specific stuff, such as CAVP/CMVP testing etc.) is a subset of the FIPS capable OpenSSL?

The issue for us is that we need to use additional features in the FIPS capable version (not included in the FIPS 2.0 validation). Do we have to use both versions, one for FIPS and the other for non-FIPS mode? Or, if we can just use the FIPS capable version, then where is the boundary that we can claim as FIPS certified? Do you have documentation that details all that is included in FIPS 2.0?

Thanks a lot,
-binlu

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Wednesday, November 02, 2011 5:10 AM
To: openssl-users@openssl.org
Subject: Re: FW: FIPS validation and TLS 1.2

On Tue, Nov 01, 2011, William A. Rowe Jr. wrote:
> On 11/1/2011 8:35 PM, Bin Lu wrote:
> >
> > Do you have an answer for my question below? Is the fips-2.0-test code
> > branched off from a FIPS-capable version? Which version is it based on if yes?
>
> AIUI, fipscanister doesn't include TLS 1.2. Nor 1.0, nor SSLv3 or v2.
>
> That's the beauty of proper delineation.
>

Yes, the FIPS module only contains cryptographic algorithms. Protocols are handled by the FIPS capable OpenSSL and are out of scope for the validation. The 2.0 validation does include AES-GCM though, which is used in TLS 1.2.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org