Hi Doctor,

Thanks very much for a reply (I did not expect one for a suggestion).

> It should be possible to exclude algorithms from the FIPS capable
> version of OpenSSL, apart from the DES related algorithms. If not that's
> a bug that will be fixed.

Please don't take this as a bug report. I was watching the output of ./config fipscanisterbuild and noticed some unneeded algorithms fly by.

Jeff

On Fri, Dec 17, 2010 at 7:31 AM, Stephen Henson via RT <[email protected]> wrote:
>> [[email protected] - Fri Dec 17 11:56:52 2010]:
>>
>> When the OpenSSL source code is re-validated, please consider allowing
>> folks to remove the algorithms. There are a few reasons to allow the
>> removal of unused algorithms:
>>
>
> There is no real need to do this. The validated tarball is there only to
> produce the validated module fipscanister.o, that contains only FIPS
> validated algorithms and of those you listed above only contains 2DES
> and 3DES.
>
> It should be possible to exclude algorithms from the FIPS capable
> version of OpenSSL, apart from the DES related algorithms. If not that's
> a bug that will be fixed.
>
> We didn't exclude no-xxx and other command line options (such as the
> install path) from the validated build procedure out of choice. We were
> required to enforce this in the security policy. The only way to have
> them supported in future would be to treat every no-xxx combination as a
> separate module.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
