Jeffrey Walton wrote: > On Thu, Dec 23, 2010 at 3:35 PM, <aerow...@gmail.com> wrote: >> Export the environment variable OPENSSL_FIPS=1, and then try >> openssl md5? >> > I am aware of two companies which are (were?) claiming a FIPS > validated module via OpenSSL sources, but not building the canister. > For completeness, the companies may have fixed the issues with their > internal build and compliance processes. > > I believe something stronger is needed to audit vendor provided > binaries.
And while this was several years ago, I'm aware of a commercial software vendor with a product *not* based on OpenSSL that was claiming validation but was shipping an obviously unvalidated product. When I complained (their product was cheerfully using RC4) they sent me the "right" software on a hand labeled CD-RW. This was a major company that prominently advertised FIPS 140-2 compliance on their web site. It is not unreasonable to suspect that problem is rather widespread. The CMVP is well aware of the difficulty a program manager has in verifying that procured products are actually using validated cryptography. If you ask them they will advise you to obtain a written certification from the vendor for such procurements, specifically naming the validation certificate number(s). Good advice. -Steve M. -- Steve Marquess Open Source Software institute marqu...@oss-institute.org -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877-673-6775 marqu...@opensslfoundation.com ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
