I am reconfirming my understanding since there is some confusion around OpenSSL and FIPS certification.

- We are using the OpenSSL FIPS Object Module 2.0, which generates fipscanister.lib, which is linked into libeay32.dll. When we build FIPS-capable OpenSSL, it generates two DLLs: a. libeay32.dll and b. ssleay32.dll. Our FIPS validation was done on the generated libeay32.dll.
- Now we are in a situation where we need to upgrade OpenSSL to 1.0.1f, leaving the FIPS Object Module version as it is. But we are not aware of whether we would need to do FIPS validation again for the newer version of OpenSSL.
- We have done FIPS validation through a private lab, but before discussing it with them we want to hear from OpenSSL.

A few more questions:

1. Patch the current version (1.0.1c) of the OpenSSL library (ssleay32.dll) with the new fix only. It means we would keep the version unchanged by importing the one-liner fix from OpenSSL 1.0.1f. Can we do that? Any suggestions? Also, do you have any tests that can be run against the OpenSSL source code to confirm the fix for vulnerability CVE-2013-4353?
2. Build OpenSSL 1.0.1f and ship the product using different versions of libeay32.dll (1.0.1c) and ssleay32.dll (1.0.1f). Can we do that?

Thanks,

--
View this message in context: http://openssl.6102.n7.nabble.com/FIPS-revalidation-after-openssl-vulnerability-fix-tp48343p48354.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.

OpenSSL Project http://www.openssl.org
Development Mailing List
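Question 2 above asks about shipping a libeay32.dll and an ssleay32.dll from different OpenSSL releases. A deployment sanity check for that pairing, as an added example that is not part of the thread and not OpenSSL's own code: it decodes the packed `OPENSSL_VERSION_NUMBER` / `SSLeay()` value (the `0xMNNFFPPS` layout used by the 1.0.x and 1.1.x series, and the `major<<28 | minor<<20 | patch<<4 | status` layout used by 3.x) and flags a crypto/ssl pair that do not come from the same release. The two sample numbers are the real encodings of 1.0.1c (`0x1000103f`) and 1.0.1f (`0x1000106f`); the function names and the rule that a mixed pair is rejected are this example's assumptions, not an OpenSSL policy statement.

```python
import ssl


def decode_openssl_version(n):
    """Decode a packed OpenSSL version number into its fields.

    1.0.x / 1.1.x layout (0xMNNFFPPS): M major, NN minor, FF fix,
    PP patch letter (0 = none, 1 = 'a', 2 = 'b', ...), S status
    (0 = dev, 1..14 = beta, 15 = release).
    3.x layout: major<<28 | minor<<20 | patch<<4 | status, with the
    numeric patch level in the PP field and FF always zero.
    """
    major = (n >> 28) & 0xF
    minor = (n >> 20) & 0xFF
    fix = (n >> 12) & 0xFF
    patch = (n >> 4) & 0xFF
    status = n & 0xF

    if status == 0xF:
        status_text = "release"
    elif status == 0:
        status_text = "dev"
    else:
        status_text = "beta%d" % status

    if major >= 3:
        text = "%d.%d.%d" % (major, minor, patch)
    else:
        letter = "" if patch == 0 else chr(ord("a") + patch - 1)
        text = "%d.%d.%d%s" % (major, minor, fix, letter)

    return {
        "major": major,
        "minor": minor,
        "fix": fix,
        "patch": patch,
        "status": status_text,
        "text": text,
    }


def check_library_pairing(crypto_version, ssl_version):
    """Return (ok, reason) for a libcrypto/libssl version-number pair.

    Assumption made by this example: both DLLs must report exactly the
    same release (including the patch letter), otherwise the pair is
    rejected as a mixed build.
    """
    c = decode_openssl_version(crypto_version)
    s = decode_openssl_version(ssl_version)
    if crypto_version == ssl_version:
        return True, "libcrypto and libssl both report %s" % c["text"]
    if (c["major"], c["minor"], c["fix"]) != (s["major"], s["minor"], s["fix"]):
        return False, "different release lines: crypto %s vs ssl %s" % (c["text"], s["text"])
    return False, "same release line but different patch level: crypto %s vs ssl %s" % (
        c["text"], s["text"])


# Constructed sample values: the real packed numbers for 1.0.1c and 1.0.1f.
OPENSSL_1_0_1C = 0x1000103F
OPENSSL_1_0_1F = 0x1000106F

if __name__ == "__main__":
    # The mixed pairing asked about in the thread.
    print(check_library_pairing(OPENSSL_1_0_1C, OPENSSL_1_0_1F))
    # A consistent pairing.
    print(check_library_pairing(OPENSSL_1_0_1F, OPENSSL_1_0_1F))
    # Whatever OpenSSL the running Python interpreter was linked against.
    print(decode_openssl_version(ssl.OPENSSL_VERSION_NUMBER)["text"], "/", ssl.OPENSSL_VERSION)
```

The runtime line at the end is only informative: a Python built against LibreSSL reports a version number that does not follow either OpenSSL layout, so the decoder's text is only meaningful for genuine OpenSSL builds.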
