Hello,

I have been working on building a FIPS version of the OpenSSL libraries to link with my Windows application. I have succeeded in building the FIPS version of the libs and dlls, and have successfully managed to get it to go into FIPS mode. I have several questions:

1) Regarding the chain of SHA-1 signatures from the distributed source code to the executable, I could check the downloaded source against the posted signatures, and I was able to sign my executable (actually a dll which my program loads) which contains the openssl code and get it to pass the run-time tests, but on the middle step of verifying the built library against the one linked to my app, the build process did not create .sha1 files for the built libraries. Is this a hole in the Windows FIPS build process, or did I do something wrong? I could add a step to the build process to generate the .sha1 signature files, but then, I would have been technically altering the files, which is a FIPS no-no.

2) After entering FIPS mode, there appears to be no way to exit it. I had intended to have the ability to use the library either in FIPS mode or not, based on configuration settings, but this does not appear to be possible. I assume this is by design, and a separate FIPS build must be used, but I would like to confirm this.

3) Since FIPS mode must be entered programmatically, what is the difference between using the FIPS version of the library w/o entering FIPS mode, and using the non-FIPS build? It appears that all the algorithms are included in the FIPS build, but marked as non-FIPS-capable, and only excluded from use when FIPS mode has been entered.

Any help on these questions would be greatly appreciated. Additionally, does anybody know whether the delay in OpenSSL's FIPS certification is technical or political? There seems to be great mystery surrounding the reasons for the holdup.

Jim Adams
Principal Software Developer
Seagull Software Systems, Inc.
Voice: (540) 341-8440 x102, Fax: (540) 428-3473
<mailto: [EMAIL PROTECTED]>
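The "middle step" of the digest chain in question 1 (confirming that the library the application actually loads is the same bytes the build tree produced) can be done without touching the library itself, by keeping sha1sum-style `.sha1` sidecar files and recomputing the digest at check time. The following is an added example written for this page; it is not code from the original post or from the OpenSSL project. The file names (`libeay32.dll`, an `app/` directory) and the fake DLL contents are constructed for illustration, and the sidecar format is the ordinary `sha1sum` text format (`<hex>  <name>`), which is an assumption about what a `.sha1` file in the build would look like.

```python
"""Generate and verify sha1sum-style .sha1 digest files for built libraries.

Added example (not from the original mailing-list post or the OpenSSL
project). File names and contents below are constructed for illustration.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Dict, Optional

CHUNK = 1 << 16  # read files in 64 KiB blocks so a large DLL need not fit in memory


def sha1_of_bytes(data: bytes) -> str:
    """Hex SHA-1 of an in-memory buffer."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: str) -> str:
    """Hex SHA-1 of a file, streamed in chunks."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def write_sha1_file(path: str) -> str:
    """Write <path>.sha1 in sha1sum text format: '<hex>  <basename>'.

    The library itself is not modified; the digest lives in a sidecar file.
    """
    digest = sha1_of_file(path)
    sidecar = path + ".sha1"
    with open(sidecar, "w", encoding="ascii") as f:
        f.write(f"{digest}  {os.path.basename(path)}\n")
    return sidecar


def parse_sha1_file(sidecar: str) -> Dict[str, str]:
    """Parse a sha1sum-style file into {basename: hexdigest}.

    Accepts the text-mode separator ('  ') and the binary-mode marker (' *').
    Malformed lines raise instead of being skipped, so a corrupted or
    truncated manifest fails closed rather than verifying nothing.
    """
    entries: Dict[str, str] = {}
    with open(sidecar, "r", encoding="ascii") as f:
        for lineno, line in enumerate(f, 1):
            line = line.rstrip("\n")
            if not line:
                continue
            if len(line) < 43 or line[40] != " " or line[41] not in (" ", "*"):
                raise ValueError(f"{sidecar}:{lineno}: malformed digest line")
            digest, name = line[:40].lower(), line[42:]
            if any(c not in "0123456789abcdef" for c in digest):
                raise ValueError(f"{sidecar}:{lineno}: non-hex digest")
            entries[name] = digest
    return entries


def verify_sha1_file(path: str, sidecar: Optional[str] = None) -> bool:
    """Recompute the digest of `path` and compare it with its .sha1 sidecar."""
    sidecar = sidecar or path + ".sha1"
    expected = parse_sha1_file(sidecar).get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha1_of_file(path))


def same_binary(built: str, linked: str) -> bool:
    """True if the copy next to the application has the same SHA-1 as the
    copy produced by the build tree (i.e. it was not altered in between)."""
    return hmac.compare_digest(sha1_of_file(built), sha1_of_file(linked))


def demo() -> bool:
    """Constructed walk-through on throwaway files; returns True on success."""
    with tempfile.TemporaryDirectory() as d:
        built = os.path.join(d, "libeay32.dll")          # constructed stand-in
        linked = os.path.join(d, "app", "libeay32.dll")  # copy the app loads
        os.mkdir(os.path.dirname(linked))
        fake_dll = b"MZ" + b"\x00" * 100                 # fake DLL contents
        with open(built, "wb") as f:
            f.write(fake_dll)
        write_sha1_file(built)                           # build-side sidecar
        ok_built = verify_sha1_file(built)               # build output intact?
        with open(linked, "wb") as f:
            f.write(fake_dll)
        ok_linked = same_binary(built, linked)           # linked copy matches?
        with open(linked, "ab") as f:
            f.write(b"patched")                          # simulate an altered copy
        return ok_built and ok_linked and not same_binary(built, linked)


if __name__ == "__main__":
    print("chain check ok" if demo() else "chain check FAILED")
```

The sidecar approach leaves the built library untouched, which is the point of the chain: each link (source tarball, built library, library as shipped with the application) is compared by digest to the previous one, and a mismatch anywhere means the binary in use is not the one that was built.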
 
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]