Henrik Grindal Bakken wrote:
Hello. I'm working on getting FIPS 140-2 certification on a product which uses OpenSSL-1.0.0 for its crypto stuff. The crypto module in my case is the entire product, so using the OpenSSL FIPS module is not an option, but I'd still need to run self-tests on poweron (+ some RNG tests, etc). Now, these tests have been removed in the 1.0.0 branch from what I can see. Is there a reason for that? I realize that re-certifying the 1.0.0 release is hard work, but are the tests alone much work as well?
The validated OpenSSL FIPS Object Module isn't compatible with OpenSSL 1.0.0. You have a choice between:
1) using 1.0.0 with no FIPS validation (n.b.: validation, not certification).
2) using 0.9.8x (FIPS "capable" 0.9.8x OpenSSL plus the OpenSSl FIPS Object Module v1.2).
3) obtaining your own from-scratch validation starting with the 1.0.0 baseline. Good luck with that, you have a long row to hoe.
Incidentally, unless you're seeking a Level 2 validation for a non-CC certified environment you'll regret defining the crypto module boundary to include your entire application.
-Steve M. -- Steve Marquess The OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877-673-6775 [email protected] ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [email protected] Automated List Manager [email protected]
