Kyle Hamilton wrote:
The 1.2.0-test tarball IS NOT FIPS VALIDATED. You cannot make a
FIPS-validated module from it.
...
The 1.2.0-test tarball can be used to test the functionality of the
fully-validated 1.2.0 module, thus making it possible to build and
test and debug your application -- but the final FIPS-validated RTM
build cannot be built at this time.
We do not know how long it's going to take for the validation to
occur. When it is complete and fully-validated, Steve Marquess of the
Open Source Software Institute will post the announcement here.
Well put.
Based on my current reading of the tea leaves I'm guessing the v1.2
validation will likely be forthcoming in the next 2-3 weeks. No
guarantees, though, I've been way wrong before.
Not only is the currently available openssl-fips-test-1.2.0.tar.gz
tarball not validated, it won't have the official final SHA-1 HMAC
digest because we've already made some (minor cosmetic) changes during
the course of the validation process. For prior validations I've had to
made such changes at (almost literally) the last minute, so IMHO there
isn't any point in trying to continually update the test tarball. It is
provided only for prospective testing and evaluation.
As Kyle noted you can with reasonable expectation of technical accuracy
use the test tarball now for functional testing and for rehearsal of the
build process to be used for production software. But, you will need to
repeat that drill with the final One True Tarball *after* the validation
is formally awarded *before* you can represent the result as FIPS validated.
-Steve M.
--
Steve Marquess
Open Source Software institute
[EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]