On 1/17/13, Memmott, Lester <lester.memm...@landesk.com> wrote:
> I've gone through the FIPS User Guide and have built OpenSSL 1.0.1c with the
> FIPS module 2.0.2. From a practical perspective I'm trying to sort out in
> my mind the following:

Be careful - it's a bit dated and some information is not correct. I understand it's going through a revision now. The revision includes a general cleanup of all material, expanded iOS instructions (Appendix E), and an iOS example program.

> - What is functionally different between the standard OpenSSL and OpenSSL
> compiled with FIPS and _not_ in FIPS mode (i.e. FIPS_mode_set(1) _not_
> called)?

There are no functional differences between vanilla OpenSSL and FIPS Capable OpenSSL when *not* operating in FIPS Mode.

When operating in FIPS Mode, you are using validated cryptography. Some (all?) non-approved algorithms are also disabled.

> - Why isn't the FIPS module simply built right into OpenSSL and for those
> who don't want to run in FIPS mode they simply don't call FIPS_mode_set(1)?

It is if you configure the FIPS Capable Library (openssl-1.0.1c.tar.gz) with:

`config fips <config options>`

It also assumes you built and installed the FIPS Object Module (openssl-fips-2.0.2.tar.gz).

If you did not build for FIPS, then you save on size since the code base is smaller.

Jeff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org