On 1/17/13, Memmott, Lester <lester.memm...@landesk.com> wrote:
> I've gone through the FIPS User Guide and have built OpenSSL 1.0.1c with the
> FIPS module 2.0.2.  From a practical perspective I'm trying to sort out in
> my mind the following:
Be careful - it's a bit dated and some information is not correct. I
understand it's going through a revision now. The revision includes a
general cleanup of all material, expanded iOS instructions (Appendix
E), and an iOS example program.

> - What is functionally different between the standard OpenSSL and OpenSSL
> compiled with FIPS and _not_ in FIPS mode (i.e. FIPS_mode_set(1) _not_
> called)?
There are no functional differences between vanilla OpenSSL and FIPS
Capable OpenSSL when *not* operating in FIPS Mode.

When operating in FIPS Mode, you are using validated cryptography.
Some (all?) non-approved algorithms are also disabled.

> - Why isn't the FIPS module simply built right into OpenSSL and for those
> who don't want to run in FIPS mode they simply don't call FIPS_mode_set(1)?
It is if you configure the FIPS Capable Library (openssl-1.0.1c.tar.gz) with:

    `config fips <config options>`

It also assumes you built and installed the FIPS Object Module
(openssl-fips-2.0.2.tar.gz).

If you did not build for FIPS, then you save on size since the code
base is smaller.

Jeff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org