Thomas Francis, Jr. wrote:
...
> The fastest way to get something that works for "FIPS" is to just follow
> the instructions in the user's guide (which is based on the security
> policy). Those instructions have worked for me every time on several
> different UNIX platforms.

Thanks, that makes my day. I'd like to reinforce a point made by
previous posters: while the "fipscanisterbuild" option is present in the
0.9.8j+ baseline, there is no guarantee that you will be able to
successfully build it on all platforms. Or any, for that matter. That
FIPS specific code was merged to the baseline to provide a basis for
potential future validations, and hence is really only of academic
interest to any but the small set of people involved in those validations.

If you need to deploy to an environment requiring a FIPS validated
module then you need to use the one true openssl-fips-1.2.tar.gz tarball
and follow the Security Policy/User Guide; anything else cannot be
claimed as validated. If not then you should NOT be using the FIPS
build -- it presents several disadvantages over the standard baseline
without any offsetting technical or security advantages.

Some software vendors using the current validated module (v1.2) or
derivatives thereof may want to keep an eye on the 0.9.8j+ baseline in
anticipation of using future validations off of that baseline. That's
great, but please be aware that no such validation is currently planned
due to lack of any financial sponsors for the significant cash outlays
required. We want the "fips" option to work properly in 0.9.8j+, but
IMHO failure of "fipscanisterbuild" is a bug worthy of note but not
necessarily of prompt correction.

-Steve M.
--
Steve Marquess
Open Source Software Institute
[email protected]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]