Tom, thanks for looking this up.  I believe that this particular piece of guidance was removed in 140-3.

Pauli

On 15/2/22 10:57, Thomas Dwyer III wrote:
I believe the relevant standard is described in the Implementation Guidance for FIPS 140-2: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/fips140-2/fips1402ig.pdf (see IG 9.11 beginning on page 179). I searched briefly for similar text in FIPS 140-3 IG but didn't see anything relevant.


Tom.III


On Mon, Feb 14, 2022 at 3:31 PM Dr Paul Dale <pa...@openssl.org> wrote:

    Yes, this has to do with the FIPS standards.  I forget which
    standard it is but the self tests are mandated to be run on each
    device independently.

    The fipsinstall process runs the self tests before generating the
    configuration file.  If the self tests fail, the module doesn't
    install.  Copying the configuration file across avoids the self
    tests and therefore isn't compliant.


    Pauli


    On 15/2/22 02:25, Richard Dymond wrote:
    Hi

    Probably a dumb question, but why must the FIPS module
    configuration file for OpenSSL 3.0 be generated on every machine
    that it is to be used on (i.e. must not be copied from one
    machine to another)?

    I just ran 'openssl fipsinstall' on two different machines with
    the same FIPS module and it produced exactly the same output each
    time, so presumably the reason has nothing to do with the config
    file being unique to the machine.

    Does it have something to do with the FIPS standard itself?

    Richard
