I'm just saying that there are options to allow this and it just doesn't seem to work.

    #define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW 0x0008 /* Allow use of non FIPS digest
                                                   * in FIPS mode */
    /* Allow non FIPS cipher in FIPS mode */
    #define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0x8000

Obviously the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag handling works, since the SSL/TLS processing uses this to allow MD5 during the handshake.

Erik

-----Original Message-----
From: owner-openssl-...@openssl.org [mailto:owner-openssl-...@openssl.org] On Behalf Of Thor Lancelot Simon
Sent: Friday, February 10, 2012 10:08 AM
To: openssl-dev@openssl.org
Subject: Re: FIPS Module 2.0 -- using non-FIPS ciphers

On Fri, Feb 10, 2012 at 10:01:43AM -0500, Erik Tkal wrote:
> Yes, I understand all that; we currently have our own certified FIPS module
> that I wired into OpenSSL via the engine APIs. Assuming that the module
> boundary is the code in the FIPS canister, I want that module to perform all
> FIPS-compliant operations, but still need the "outer" OpenSSL to perform
> other operations.

Personally, I think if they're in the same address space (or, at least, namespace) this is dubious. But you probably have people advising you (or available to advise you) who know a lot better than I do!

Thor
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org