On 01/17/2013 10:05 AM, Jeffrey Walton wrote:
> ...
>
>> - Why isn't the FIPS module simply built right into OpenSSL and for those
>> who don't want to run in FIPS mode they simply don't call FIPS_mode_set(1)?
> It is if you configure the FIPS Capable Library (openssl-1.0.1c.tar.gz) with:
>
> `config fips <config options>`
>
> It also assumes you built and installed the FIPS Object Module
> (openssl-fips-2.0.2.tar.gz).
>
> If you did not build for FIPS, then you save on size since the code
> base is smaller.

The OpenSSL FIPS Object Module also comes with mandatory procedural baggage that precludes treating it like a normal open source software product. If you don't need the FIPS module as a matter of policy then you don't want it at all, as it has no technical advantages over plain OpenSSL.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com