Hi All,

This relates to 'OpenSSL Security Advisory [05 Feb 2013]' and the accompanying CVEs. The bulletin did not address combinations of FIPS Object Module and FIPS Capable Library Combinations.

Please forgive my ignorance. I don't like to take a lot of latitude or license on these things. I'm trying to determine (1) what does OpenSSL recommend/require, and (2) what do I have to [possibly] fix in the field.

Is it permissible to use openssl-1.0.1d.tar.gz with openssl-fips-2.0.1.tar.gz? Or should we be using openssl-fips-2.0.2.tar.gz?

If we are only using cryptography from libcrypto.a - and not ssl/tls from libssl.a - is openssl-1.0.1c.tar.gz still permissible to use?

Jeff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org