Steve Marquess <[email protected]> writes: > Henrik Grindal Bakken wrote: >> Hello. I'm working on getting FIPS 140-2 certification on a >> product which uses OpenSSL-1.0.0 for its crypto stuff. The crypto >> module in my case is the entire product, so using the OpenSSL FIPS >> module is not an option, but I'd still need to run self-tests on >> poweron (+ some RNG tests, etc). Now, these tests have been >> removed in the 1.0.0 branch from what I can see. Is there a reason >> for that? I realize that re-certifying the 1.0.0 release is hard >> work, but are the tests alone much work as well? > > The validated OpenSSL FIPS Object Module isn't compatible with > OpenSSL 1.0.0. You have a choice between: > > 1) using 1.0.0 with no FIPS validation (n.b.: validation, not > certification). > > 2) using 0.9.8x (FIPS "capable" 0.9.8x OpenSSL plus the OpenSSl FIPS > Object Module v1.2). > > 3) obtaining your own from-scratch validation starting with the > 1.0.0 baseline. Good luck with that, you have a long row to hoe.
We're going for 3), but as I said, our crypto module is not OpenSSL, it's the entire product, so the OpenSSL FIPS Object Module isn't interesting for me. What is interesting, however, are the self-tests. > Incidentally, unless you're seeking a Level 2 validation for a > non-CC certified environment you'll regret defining the crypto > module boundary to include your entire application. I am seeking a level 2 validation. It's not really an application, it's a hardware device. -- Henrik Grindal Bakken <[email protected]> PGP ID: 8D436E52 Fingerprint: 131D 9590 F0CF 47EF 7963 02AF 9236 D25A 8D43 6E52 ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [email protected] Automated List Manager [email protected]
