On Tue, Sep 06, 2011, ricardo brillon wrote:

> I am new to openssl and have to create an OpenSSL FIPS application in
> windows.
> I downloaded the openssl-fips-1.2.3.tar.gz and the 140sp1051.pdf which is for
> FIPS 1.2.3.
> I ran the do_fips.bat which built with no problem on VS2008. I ran the
> fips_test_suite.exe which ran without error (see below).
> I then created a test application that connects to an existing SSL-enabled
> server, which is connecting with no problem. I am also calling the
> FIPS_mode_set(1) function and it is returning 1. So all looks to be working.
> But in the document there is the section on "Linking the Runtime Executable
> Application" (shown below), which I am not sure about.
> Do I need to do anything special to my application? Any help will be great.
> Thanks, Ricky
>
> Linking the Runtime Executable Application
> Note that applications interfacing with the FIPS Object Module are outside of
> the cryptographic boundary. When linking the application with the FIPS
> Object Module two steps are necessary:
> 1. The HMAC-SHA-1 digest of the FIPS Object Module file must be calculated
>    and verified against the installed digest to ensure the integrity of the
>    FIPS object module.
> 2. A HMAC-SHA1 digest of the FIPS Object Module must be generated and
>    embedded in the FIPS Object Module for use by the FIPS_mode_set()
>    function at runtime initialization.
>
Two things, don't use the version of OpenSSL that comes with the 1.2.3 module:
it is hopelessly out of date. Create a FIPS capable OpenSSL instead against
OpenSSL 0.9.8r.

As regards the other issue. If you are linking against the FIPS capable DLLs
you can ignore the comments about special linking because that has already
been done for you in the build process. You only need to use the special
linking process for static builds.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
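Step 1 of the quoted "Linking the Runtime Executable Application" text, sketched as an added example that is not part of this thread or of OpenSSL's own tooling: recompute the HMAC-SHA-1 of an object file and compare it with an installed digest. The digest-file line layout, the file names, the key and the object bytes are all assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Assumed digest-file layout: "HMAC-SHA1(<file name>)= <40 hex chars>".
DIGEST_LINE = re.compile(r"^HMAC-SHA1\((?P<name>[^)]+)\)= (?P<hex>[0-9a-fA-F]{40})\s*$")


def hmac_sha1_file(path, key, chunk_size=65536):
    """Stream the file through HMAC-SHA-1 and return the hex digest."""
    mac = hmac.new(key, digestmod=hashlib.sha1)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            mac.update(chunk)
    return mac.hexdigest()


def verify_module(module_path, digest_path, key):
    """Return True only if the installed digest names this file and matches."""
    m = DIGEST_LINE.match(Path(digest_path).read_text())
    if m is None:
        raise ValueError("digest file is not in the expected format")
    if m.group("name") != Path(module_path).name:
        return False  # digest was recorded for a different file
    actual = hmac_sha1_file(module_path, key)
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(actual, m.group("hex").lower())


def demo():
    key = b"constructed-demo-key"  # placeholder key, constructed for this example
    with tempfile.TemporaryDirectory() as d:
        module = Path(d) / "module.o"         # hypothetical object file name
        digest = Path(d) / "module.o.sha1"    # hypothetical installed digest
        module.write_bytes(b"\x7fELF constructed object bytes" * 1000)
        digest.write_text("HMAC-SHA1(module.o)= %s\n" % hmac_sha1_file(module, key))
        intact = verify_module(module, digest, key)
        module.write_bytes(module.read_bytes() + b"\x90")  # simulate modification
        tampered = verify_module(module, digest, key)
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```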
