The FOM is stand alone in theory. I.e. it isn’t mandatory to use OpenSSL 1.0 but the two are designed to work together and are very closely intertwined.
Moving the FIPS canister forward to 1.1 would be a lot of effort. Pauli -- Dr Paul Dale | Cryptographer | Network Security & Encryption Phone +61 7 3031 7217 Oracle Australia > On 4 Jul 2019, at 7:21 pm, Jakob Bohm via openssl-users > <openssl-users@openssl.org> wrote: > > Is the use of OpenSSL an actual legal requirement of the certification of > the FIPS object module, or just the easiest way to use it? > > Difference would be particularly significant in case someone created code > to use the validated FOM 2.0 module with the OpenSSL 1.1.x feature > enhancements (as the project itself has indicated no desire to do so). > > On 04/07/2019 04:09, Kyle Hamilton wrote: >> Also, on question b: No. You need to build a compatible version of openssl >> as specified in the User Guide, and link that version. FIPS_mode_set() >> tells the library to always and only use the implementations in the FIPS >> canister; the canister does not replace the library entirely. >> >> -Kyle H >> >> On Wed, Jul 3, 2019, 11:55 Dipak B <deepak.red...@gmail.com >> <mailto:deepak.red...@gmail.com>> wrote: >> >> Dear Experts, >> >> Can you please help me with the following question? >> >> My win32 desktop application uses 'libcurl' to interact with web >> service, in order to get my application FIPS 140-2 certified, >> following is the plan which I arrived at after going through the >> 'User Guide' and 'Security Policy' pdfs. >> >> Plan: >> a. After verifying HMAC-SHA1 of openssl-fips-2.0.16.tar.gz, build >> it to generate fipscanister.lib (FOM) as windows static library. >> b. Build libcurl as windows static library using above >> fipscanister.lib >> c. Link my desktop application with above libcurl.lib after adding >> FIPS_mode_set() >> >> Questions: >> a. On following points a, b,c, can I confirm that my application >> is FIPS 140-2 certified? >> b. fipscanister.lib is always static library and it can be >> substituted for libssl.lib / ssleay.lib? >> >