On 9/6/2013 7:11 PM, Walter H. wrote:
Hello,

Can someone please tell me the difference between

OpenSSL x.x.x any date
and
OpenSSL x.x.x-fips any date

Is there a difference in functionality?
Is there a difference in legality?

What does it tell me when
openssl version
shows fips, and what does it tell me when
openssl version
doesn't show fips?


Big question, short summary:

The FIPS versions are special versions for use by the US government and US government contractors.

Each FIPS version consists of two parts:

- A "FIPS module" which has (at great expense) been tested to comply
with the letter and spirit of both sane and not so sane US government
standards known as FIPS. US Government institutions are required by law
to only use crypto which has passed this testing (unless they are
super-secret military agencies that use super-secret NSA provided
crypto).

- A "FIPS capable" version of OpenSSL, that is a copy of OpenSSL which
has been compiled with a special option so it can, if requested, pass
all the crypto operations through the certified "FIPS module" and
refuse to do any non-approved crypto (meaning any crypto which is
worse, better or just different from the Government standard).

When the "Use FIPS" flag is not set, a "FIPS capable" OpenSSL behaves
just like a "not FIPS capable" OpenSSL with the same version number,
and neither may be legally used by US government employees and
contractors.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
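
The distinction drawn in the reply above, as an added example that is not part of the original thread: the `-fips` suffix printed by `openssl version` marks a FIPS capable build, and whether the "Use FIPS" flag is set has to be established separately. The banner strings, host names and the `fips_mode_on` input are constructed for illustration.

```python
import re
from typing import NamedTuple

# Shape of the line printed by `openssl version`:
#   OpenSSL <version>[-tag...] <build date>
BANNER_RE = re.compile(
    r"^OpenSSL\s+(?P<version>\d+\.\d+\.\d+[a-z]*)"
    r"(?P<tags>(?:-[A-Za-z0-9]+)*)\s+(?P<date>.+)$"
)


class Build(NamedTuple):
    version: str
    fips_capable: bool
    date: str


def parse_banner(banner: str) -> Build:
    """Split a version banner into version, FIPS capability and build date."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    tags = m.group("tags").lower().split("-")[1:]
    return Build(m.group("version"), "fips" in tags, m.group("date"))


def classify(banner: str, fips_mode_on: bool) -> str:
    """Combine the banner with the separately determined mode flag.

    fips_mode_on is an assumption of this example: the banner does not
    reveal it, so the caller must obtain it from the application or its
    configuration.
    """
    build = parse_banner(banner)
    if not build.fips_capable:
        return "not FIPS capable"
    if not fips_mode_on:
        return "FIPS capable, FIPS mode off"
    return "FIPS capable, FIPS mode on"


if __name__ == "__main__":
    # Constructed inventory: (host, banner, whether FIPS mode was requested)
    inventory = [
        ("host-a", "OpenSSL 1.0.1e-fips 11 Feb 2013", True),
        ("host-b", "OpenSSL 1.0.1e-fips 11 Feb 2013", False),
        ("host-c", "OpenSSL 1.0.1e 11 Feb 2013", False),
    ]
    for host, banner, mode in inventory:
        print(f"{host}: {classify(banner, mode)}")
```

Only the first constructed host matches the case the reply describes as acceptable for US government use; the second is FIPS capable but behaves like the third because the flag is not set.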