Kevin:

First, OpenSSL has received FIPS certification (see Cert #733 at http://csrc.nist.gov/cryptval/140-1/1401val2007.htm).

Second, if you require a version of OpenSSL that is FIPS capable, then you must stick with the 0.9.7 stream. You must first build openssl-fips-1.1.1 according to the instructions in the Security Policy document. Then you can build openssl-0.9.7m with the fips config parameter to get a FIPS capable version of OpenSSL (BTW, 0.9.7m is the only version of the 0.9.7 stream that will build a FIPS capable openssl against openssl-fips-1.1.1). It is my understanding that 0.9.8 streams cannot be used to build FIPS capable OpenSSL modules.

The User Guide (http://www.openssl.org/docs/fips/UserGuide-1.1.1.pdf) has clear definitions for the FIPS object module, a FIPS compatible OpenSSL and a FIPS capable OpenSSL. The FIPS object module is created when openssl-fips-1.1.1 is built. openssl-0.9.7m is a FIPS compatible version of OpenSSL. When openssl-0.9.7m is built in combination with openssl-fips-1.1.1, a FIPS capable OpenSSL is the result. It still requires that applications using openssl be modified to activate FIPS mode to ensure that the applications are FIPS compliant.

I have seen a reference that Apache is resurrecting previous work to allow https sessions to use openssl in FIPS mode. I have not seen any indications yet that previously posted patches for OpenSSH are being reworked for the current version to allow it to operate in FIPS mode.

Regards
Bill
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
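The last point in Bill's message, that an application must itself switch FIPS mode on, is the part most often skipped: a FIPS capable OpenSSL is not in FIPS mode until the program calls FIPS_mode_set(1) and checks the result. The probe below is an added example, not code from the post or from the OpenSSL project. It loads a libcrypto by path with dlopen(), looks for the FIPS_mode_set() and FIPS_mode() entry points that a FIPS capable build exports, attempts to enable FIPS mode, and reports which of four outcomes occurred. The library path, the enum of return codes and the helper names are this example's own choices; the symbol names are the documented OpenSSL FIPS API.

```c
/* Added example: probe a libcrypto at runtime for FIPS capability and
 * try to enable FIPS mode. Not part of the mailing-list post or OpenSSL.
 * Link with -ldl on older glibc:  cc -o fipsprobe fipsprobe.c -ldl
 */
#include <dlfcn.h>
#include <stdio.h>

/* Return codes are this example's own convention. */
enum fips_probe {
    FIPS_PROBE_NO_LIBRARY  = -1, /* dlopen() of the given path failed            */
    FIPS_PROBE_NOT_CAPABLE =  0, /* library loaded but exports no FIPS_mode_set() */
    FIPS_PROBE_SET_FAILED  =  1, /* FIPS_mode_set(1) returned 0 (e.g. a failed
                                    module integrity check, or a build that only
                                    stubs the call)                              */
    FIPS_PROBE_ENABLED     =  2  /* FIPS_mode_set(1) succeeded and FIPS_mode()
                                    (when present) confirms mode is on           */
};

typedef int (*fips_mode_set_fn)(int onoff);
typedef int (*fips_mode_fn)(void);

/* Load libcrypto_path and attempt to switch it into FIPS mode.
 * The handle is closed before returning because this is only a probe;
 * a real application links libcrypto directly and calls FIPS_mode_set(1)
 * once at startup, before any other OpenSSL call, and aborts on failure. */
int probe_fips(const char *libcrypto_path)
{
    void *h = dlopen(libcrypto_path, RTLD_NOW | RTLD_LOCAL);
    if (h == NULL)
        return FIPS_PROBE_NO_LIBRARY;

    fips_mode_set_fn set_mode = NULL;
    fips_mode_fn get_mode = NULL;
    /* POSIX idiom for converting the void* from dlsym() to a function pointer */
    *(void **)(&set_mode) = dlsym(h, "FIPS_mode_set");
    *(void **)(&get_mode) = dlsym(h, "FIPS_mode");

    int result;
    if (set_mode == NULL) {
        result = FIPS_PROBE_NOT_CAPABLE;
    } else if (set_mode(1) != 1) {
        result = FIPS_PROBE_SET_FAILED;
    } else if (get_mode != NULL && get_mode() == 0) {
        /* Defensive: FIPS_mode_set() claimed success but FIPS_mode() disagrees */
        result = FIPS_PROBE_SET_FAILED;
    } else {
        result = FIPS_PROBE_ENABLED;
    }

    dlclose(h);
    return result;
}

/* Human-readable name for a probe_fips() result. */
const char *fips_probe_name(int code)
{
    switch (code) {
    case FIPS_PROBE_NO_LIBRARY:  return "library not loadable";
    case FIPS_PROBE_NOT_CAPABLE: return "not FIPS capable (no FIPS_mode_set)";
    case FIPS_PROBE_SET_FAILED:  return "FIPS capable but FIPS_mode_set(1) failed";
    case FIPS_PROBE_ENABLED:     return "FIPS mode enabled";
    default:                     return "unknown";
    }
}

int main(int argc, char **argv)
{
    /* Default path is an assumption; pass the FIPS capable libcrypto explicitly,
     * e.g. /usr/local/ssl/lib/libcrypto.so from a 0.9.7m fips build. */
    const char *path = argc > 1 ? argv[1] : "libcrypto.so";
    int rc = probe_fips(path);
    printf("%s: %s\n", path, fips_probe_name(rc));
    return rc == FIPS_PROBE_ENABLED ? 0 : 1;
}
```

Only FIPS_PROBE_ENABLED means the library is usable for a FIPS-compliant deployment; the two middle codes distinguish "wrong build" (no entry point at all) from "FIPS build that refuses to start", which is the case to investigate when the fipscanister integrity check fails after an upgrade.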