On Tue, Mar 8, 2011 at 8:25 AM, Dr. Stephen Henson <st...@openssl.org> wrote:
> On Mon, Mar 07, 2011, Kyle Hamilton wrote:
>
>> In order to achieve compliance, you must follow the instructions in the 
>> Security Policy to the letter.
>>
>> This means that you must:
>> - download and read the security policy
>> - download the openssl-fips-1.2.0.tar.gz
>> - verify its integrity according to the security policy
>> - follow the precise instructions to build it, from the security policy
>>
>> You should also go to NIST and look at its certificate, to verify that it 
>> hasn't been revoked.
>>
>> To use it, you must obtain sources for the latest 0.9.8 release and 
>> compile/link it against the fipscanister.  You may be able to do this from 
>> your ports tree -- the instructions and requirements apply only to 
>> fipscanister.o and several of its companion files.  As long as the 
>> requirements of the security policy are upheld, the implementation will be 
>> compliant.

Thanks for this, that was what I needed.

>> Note that compliance cannot be truly determined programmatically.  So, it's 
>> also a good idea to generate multiple hashes (sha-1, sha-256, ripemd160, 
>> etc) over the fipscanister and associated files, print them out, and commit 
>> to them (physically sign them) as a statement of compliance with the build 
>> process.

I do understand this but I just want to get the bits part right first.

> Note that version openssl-fips-1.2.2.tar.gz is the current version. It has a
> few bug fixes and enhancements over the 1.2.0 version. Specifically fixes for
> Win64+ASM and support for cross compilation.

Thank you all for clarifying the process.  I believe I'm good.  Based
on the spec ONCE the process has been followed to the letter, it seems
I can use that to build the integrated version of OpenSSL in the
FreeBSD tree which is my goal.

One thing that is NOT clear to me is why OpenSSL isn't FIPS *capable*
by default?  Or is that process underway for 1.x.x?  (I thought I saw
a note about this on the project page.)

-aps
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
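An added example, not code from this thread or from the OpenSSL project: a small POSIX shell script for the build-record step Kyle describes above, hashing a set of files with more than one algorithm into a manifest and re-verifying them later so a tampered or missing file is caught. It assumes coreutils `sha1sum` and `sha256sum` (ripemd160 is left out), and the directory and file names in `demo` are constructed stand-ins for fipscanister.o and its companions.

```shell
#!/bin/sh
# Multi-algorithm build-record manifest for a file set, plus re-verification.
# Assumed tools: sha1sum and sha256sum from coreutils.

# make_manifest DIR MANIFEST: write "ALG  HASH  PATH" for each file under DIR.
make_manifest() {
    dir=$1; out=$2
    : > "$out"
    # Sorted so two runs over identical trees produce byte-identical manifests.
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        for alg in sha1 sha256; do
            h=$("${alg}sum" "$f" | cut -d' ' -f1)
            printf '%s  %s  %s\n' "$alg" "$h" "$f" >> "$out"
        done
    done
}

# verify_manifest MANIFEST: recompute every recorded hash; report each
# missing or altered file and return 1 if anything differs.
verify_manifest() {
    manifest=$1; bad=0
    while read -r alg h f; do
        [ -f "$f" ] || { echo "MISSING  $f"; bad=1; continue; }
        cur=$("${alg}sum" "$f" | cut -d' ' -f1)
        [ "$cur" = "$h" ] || { echo "MISMATCH $alg $f"; bad=1; }
    done < "$manifest"
    return $bad
}

# demo: constructed stand-in files (not real FIPS module contents); an
# untouched tree must verify, and a one-byte change must be detected.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/fips"
    printf 'constructed stand-in for fipscanister.o\n' > "$tmp/fips/fipscanister.o"
    printf 'constructed stand-in for fipscanister.o.sha1\n' > "$tmp/fips/fipscanister.o.sha1"
    printf 'constructed stand-in for fips_premain.c\n' > "$tmp/fips/fips_premain.c"
    make_manifest "$tmp/fips" "$tmp/manifest.txt"
    verify_manifest "$tmp/manifest.txt" || return 1       # clean tree passes
    printf 'x' >> "$tmp/fips/fipscanister.o"              # tamper with one file
    if verify_manifest "$tmp/manifest.txt" > /dev/null; then return 1; fi
    rm -rf "$tmp"
    return 0
}
```

Print the manifest and sign the paper copy, as the thread suggests; the script only produces and checks the hashes.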