One thing should be noticed. If your product uses a FIPS-validated OpenSSL and wants to be claimed as a FIPS-validated product, then you cannot make any changes to the OpenSSL code. Many vendors I've seen use OpenSSL as the code base but have to make certain changes to OpenSSL or add another level of API in order to have OpenSSL work with their products. In that case, the FIPS validation of OpenSSL does not apply to the products. Therefore, it does not really matter if you use 0.9.7 or 0.9.8, because your product needs to undergo the FIPS validation process anyway.

-Xiaoyu Kevin

First, OpenSSL has received FIPS certification (see Cert #733 at http://csrc.nist.gov/cryptval/140-1/1401val2007.htm).

Second, if you require a version of OpenSSL that is FIPS capable, then you must stick with the 0.9.7 stream. You must first build openssl-fips-1.1.1 according to the instructions in the Security Policy document. Then you can build openssl-0.9.7m with the fips config parameter to get a FIPS capable version of OpenSSL (BTW, 0.9.7m is the only version of the 0.9.7 stream that will build a FIPS capable openssl against openssl-fips-1.1.1). It is my understanding that 0.9.8 streams cannot be used to build FIPS capable OpenSSL modules.

The User Guide (http://www.openssl.org/docs/fips/UserGuide-1.1.1.pdf) has clear definitions for the FIPS Object Module, a FIPS compatible OpenSSL and a FIPS capable OpenSSL. The FIPS Object Module is created when openssl-fips-1.1.1 is built. openssl-0.9.7m is a FIPS compatible version of OpenSSL. When openssl-0.9.7m is built in combination with openssl-fips-1.1.1, a FIPS capable OpenSSL is the result. It still requires that applications using openssl be modified to activate FIPS mode to ensure that the applications are FIPS compliant.

I have seen a reference that Apache is resurrecting previous work to allow https sessions to use openssl in FIPS mode. I have not seen any indications yet that previously posted patches for OpenSSH are being reworked for the current version to allow it to operate in FIPS mode.

Regards
Bill
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
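The two-stage build Bill describes (FIPS Object Module first, then openssl-0.9.7m configured with the fips parameter), written out as a shell script. This is an added example, not a script from the OpenSSL project or from either poster. It assumes the two tarballs are already present in the working directory and have had their digests checked as the Security Policy requires, that the module's config argument is "fipscanisterbuild" and 0.9.7m's is "fips" (check both against the 1.1.1 Security Policy and User Guide before relying on them), and that both install under the default prefix. The script deliberately does nothing unless invoked with the argument "build".

```shell
#!/bin/sh
# Added example: build a FIPS capable OpenSSL 0.9.7m against the
# openssl-fips-1.1.1 FIPS Object Module, in the order the message requires.
# Not code from the OpenSSL project. Assumptions (verify against the
# Security Policy / User Guide for 1.1.1):
#   - openssl-fips-1.1.1.tar.gz and openssl-0.9.7m.tar.gz are in $PWD and
#     their published digests have already been checked;
#   - "./config fipscanisterbuild" builds the module, "./config fips" builds
#     the FIPS capable 0.9.7m (the "fips config parameter" in the message);
#   - both install under the default prefix /usr/local/ssl.
set -eu

FIPS_MODULE=openssl-fips-1.1.1
OPENSSL_SRC=openssl-0.9.7m

# Maps a build stage to its ./config argument, so the "module first, then
# 0.9.7m with fips" policy lives in one place. Unknown stages are an error.
fips_config_args() {
    case "$1" in
        module)  printf '%s\n' "fipscanisterbuild" ;;
        openssl) printf '%s\n' "fips" ;;
        *) printf 'unknown build stage: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Unpacks, configures, builds and installs one stage in a subshell so the
# caller's working directory is unchanged. The module stage must complete
# (including "make install") before 0.9.7m is configured, or the fips
# configuration has nothing to link against.
build_stage() {
    stage=$1
    src=$2
    tar xzf "$src.tar.gz"
    (
        cd "$src"
        ./config "$(fips_config_args "$stage")"
        make
        make install
    )
}

main() {
    build_stage module  "$FIPS_MODULE"
    build_stage openssl "$OPENSSL_SRC"
    # The library alone is not enough: each application must call
    # FIPS_mode_set(1) at startup and refuse to run if it returns 0.
    echo "FIPS capable $OPENSSL_SRC installed; applications must still call FIPS_mode_set(1)."
}

# Only perform the build when asked explicitly: "sh build-fips-openssl.sh build".
if [ "${1:-}" = "build" ]; then
    main
fi
```

Keep the installed FIPS Object Module untouched after this: per the first message, modifying the validated code (or the module build) means the validation no longer applies to the product.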