Re: Will my application be FIPS 140-2 Certified under following conditions?

2019-07-06 Thread Salz, Rich via openssl-users

>> They would have to get their own validation, their own lab to verify,
>> etc., etc.
>That seems to contradict the other answer, which is that legally, the
>FIPS canister (properly built) can be used with any software outside
>the cryptographic boundary, the soon-to-be-deprecated OpenSSL 1.0.2
>library just being the normal default.
  
You are correct.  My statement, which was technically incorrect, is more likely 
to be realistic :)
  
>The point is that some people may soon be in a desperate need to find a
>FIPS-capable replacement for OpenSSL 1.0.x.
  
It seems to me that the easiest thing to do is maintain that release of OpenSSL 
by themselves.

If someone is thinking of fitting OpenSSL 1.1.x to become a user of the 
existing FOM, then they will probably find it easier to, well, just maintain 
what currently works.

Just because something is past "end of life" does not mean that anyone's 
ability to use it is revoked.  It just means that keeping it working is their 
responsibility.  Anyone can use the FOM until it expires (sunsets is the term 
used), which lasts one year beyond 1.0.2 as I recall.  See 
https://www.openssl.org/blog/blog/2018/05/18/new-lts/ for some more information 
on this.




Re: Will my application be FIPS 140-2 Certified under following conditions?

2019-07-06 Thread Jakob Bohm

On 04/07/2019 16:44, Salz, Rich wrote:

>> Is the use of OpenSSL an actual legal requirement of the certification of
>> the FIPS object module, or just the easiest way to use it?

> I'm not sure who you are asking this.
>
> The existing FIPS validations for OpenSSL only cover the 1.0.2 based source code.

>> Difference would be particularly significant in case someone created code
>> to use the validated FOM 2.0 module with the OpenSSL 1.1.x feature
>> enhancements (as the project itself has indicated no desire to do so).

> They would have to get their own validation, their own lab to verify, etc., etc.





That seems to contradict the other answer, which is that legally, the
FIPS canister (properly built) can be used with any software outside
the cryptographic boundary, the soon-to-be-deprecated OpenSSL 1.0.2
library just being the normal default.

If the other answer is correct, it should be perfectly OK (legally) for
someone to modify OpenSSL 1.1.1 source code to call the FIPS canister
for everything, and the result should be an application that is as FIPS
"compliant" as an application that runs something unrelated (such as
Apache mod_ssl) on top of OpenSSL-1.0.2 on top of FOM 2.x, thus no new
validation required.

The point is that some people may soon be in a desperate need to find a
FIPS-capable replacement for OpenSSL 1.0.x.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded