Sibasis Panigrahi wrote:
> We have a requirement for making our product FIPS 140-2 level 2
> compliant. From the internet I found out that OpenSSL 0.9.8 is FIPS 140-2
> level 1 compliant. So just wanted to check whether any version of
> OpenSSL library is supporting FIPS 140-2 level 2 or it's on the
> roadmap.

First of all please note that OpenSSL proper has never been, and never will be, FIPS 140-2 validated. You're thinking of the OpenSSL FIPS Object Module which is derived from, and designed to be utilized with, standard OpenSSL distributions. However, it is a separate and distinct product.

Roughly speaking there are two different approaches to satisfying the additional requirements of level 2 versus level 1 (things like role based authentication, auditing, and protection of CSPs). One approach is to validate on an eligible Common Criteria certified operating system, where the O/S satisfies those additional requirements. The other is to enhance the cryptographic module to provide the required services directly.

The first approach is more or less directly compatible with the existing OpenSSL FIPS Object Module v1.2 level 1 validation, for platforms compatible with that validation. As far as I know the second hasn't been done for any OpenSSL FIPS Object Module derivative.

Take a look at the following recent validations for some ideas:

#1104: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2009.htm#1104
#1103: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2009.htm#1103
#1080: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2009.htm#1080

-Steve M.

--
Steve Marquess
Veridical Systems, Inc.
marqu...@veridicalsystems.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org