From this thread, it sounds like relying on the OpenSSL-FIPS canister for cryptography means you can't use hardware cryptographic accelerators through the engine interface, because the crypto would be done in h/w and NOT within the canister?

I'm assuming if the h/w cryptographic module itself is FIPS-certified, and is accessed through the OpenSSL engine interface, then you could say this "solution" is FIPS certifiable.

Randy

On May 8, 2009, at 6:22 AM, Bill Colvin wrote:
Try:

    export OPENSSL_FIPS=1
    <your command line>
    unset OPENSSL_FIPS

Bill

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Carl Anderson
Sent: May 8, 2009 8:39 AM
To: openssl-users@openssl.org
Subject: Re: relationship between FIPS module and OpenSSL

I was using openssl to encrypt files at the command line and I was wondering if the FIPS mode could be enabled for doing that.

Carl Anderson

On Thu, May 7, 2009 at 6:26 PM, Kyle Hamilton <aerow...@gmail.com> wrote:

OpenSSL FIPS is used essentially as a crypto engine, except that it's not called through the standard engine interface. The FIPS module is validated to perform its advertised functions; if it's in FIPS mode, OpenSSL will use its linked-in OpenSSL FIPS module to perform all of its cryptographic operations (and should be used in preference to engines, as well, since a FIPS operational environment requires all cryptographic operations to be performed within the bounds of a validated cryptographic canister).

If the OpenSSL library is not in FIPS mode, then it's essentially ignored.

-Kyle H

On Thu, May 7, 2009 at 1:31 PM, <carlyo...@keycomm.co.uk> wrote:

Hi,

Could someone please explain to me in simple terms the relationship between the OpenSSL FIPS module and OpenSSL itself?

Is the FIPS module used by OpenSSL as a crypto engine or such like or am I way off base here?

Thanks for any assistance or pointers.
Thanks, Carl

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org