Patrik Slouk wrote:
> Hi, I do not understand what "runtime module" means in FIPS certificate #1111. Are these runtime modules available anywhere, i.e. compiled libosslfips.dll and libfips.so?
Most FIPS 140-2 software validations are for binary code, with the OpenSSL FIPS Object Module validations such as 1051 (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1051) the glaring exception. When we started on that validation we anticipated a long wait based on our experience with the previous source code based validations. One of our sponsors, the U.S. DoD, wanted something they could use in the meantime. So, we submitted a typical proprietary-style validation of the binary library (two platforms) built from the FIPS Object Module v1.2 source code, anticipating that the binary validation would come through months faster. In fact it took far longer.
I wrote about it in more detail here: http://veridicalsystems.com/blog/index.php/2009/04/the-fickleness-of-fips/.
So the #1111 validation was just an experiment that demonstrated that the FIPS validation process is a crapshoot; something many commercial vendors are all too keenly aware of already.
> Security policy - Installation instructions: 1. Copy the shared library file to the appropriate location on the host system.
> But where can I download this "shared library file"?
No need to download it, you can build your own per the above referenced validation #1051. See also the User Guide at http://www.openssl.org/docs/fips/UserGuide-1.2.pdf.
Note the binary validation (#1111) does not include the platform-specific assembler optimizations, so if you're using a common platform then you're better off using #1051. If you're not using a common platform you'd have to build from source anyway.
If you're with the U.S. DoD and want a pre-built binary, contact John Weathersby of OSSI (j...@oss-institute.org) and he'll help you out.
If you're not with DoD and just want assistance creating binary modules then either OSSI or the OpenSSL team can help you out, but expect to be asked about consultancy or sponsorship support in return. Not (just) because we're money-grubbing meanies, but because our efforts are focused on the source code validations that everyone can use. Time spent creating one-off binaries for individual end users is time lost to supporting the community as a whole.
-Steve M.
--
Steve Marquess
Veridical Systems, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
301-524-9915 cell
301-887-2571 land/fax
marqu...@veridicalsystems.com