On Tue, Nov 5, 2013, Dr. Stephen Henson wrote:
> On Tue, Nov 05, 2013, Vuille, Martin (Martin) wrote:
>
> > Hi,
> >
> > I have some questions about this change:
> >
> > http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=1dded7f7e8e9f737ef9d7e3c3ef165a78fd7fa1d
> >
> > I am interested in using this functionality and wondering whether it
> > would be feasible and reasonably safe for me to back-port it on top of
> > 1.0.1e?
> >
>
> You can backport it to 1.0.1e but it will never be officially part of the
> 1.0.1 release as it includes new features. The first version of OpenSSL it
> will appear in is 1.0.2.
>
> > What is it about this change that makes it "experimental"?
> >
>
> It hasn't been widely tested and the technique of having multiple
> implementations of the same algorithm in EVP hasn't been used in OpenSSL
> before. In 1.0.1 the more cautious approach of not having non-FIPS EVP
> implementations was taken instead.
>
Another approach I am considering is to have both a FIPS-capable and a non-FIPS-capable version of OpenSSL installed on the system (with suitable adjustments to .so file names to avoid conflicts), with the application using the former when FIPS mode is required and the latter otherwise (perhaps by dynamically loading the appropriate one, or by using a different LD_LIBRARY_PATH).

Any thoughts on the viability of that approach?

MV

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
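The dual-install idea above, as an added example that is not part of the thread: a loader that picks one of two differently named libcrypto builds, dlopens it with RTLD_LOCAL so its symbols do not collide with any other libcrypto in the process, and when FIPS is required resolves the OpenSSL 1.0.x FIPS_mode_set/FIPS_mode functions and confirms the switch succeeded. The two sonames are assumed placeholders; FIPS_mode_set and FIPS_mode are the real 1.0.x API.

```c
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

/* Assumed sonames for the two side-by-side builds (placeholder names). */
#define LIBCRYPTO_FIPS    "libcrypto-fips.so.1.0.1e"
#define LIBCRYPTO_NONFIPS "libcrypto.so.1.0.1e"

enum load_status { LOAD_OK = 0, LOAD_ERR_DLOPEN, LOAD_ERR_SYMBOL, LOAD_ERR_FIPS };

/* Pick which build to load for this run. */
const char *pick_library(int fips_required)
{
    return fips_required ? LIBCRYPTO_FIPS : LIBCRYPTO_NONFIPS;
}

/* Load one libcrypto build into the process and, when FIPS is required,
 * switch it into FIPS mode and confirm the switch took effect.
 * RTLD_LOCAL keeps the library's symbols out of the global namespace so a
 * second libcrypto loaded later cannot silently bind against this one. */
int load_crypto(const char *path, int fips_required, void **handle_out)
{
    void *h = dlopen(path, RTLD_NOW | RTLD_LOCAL);
    if (h == NULL) {
        fprintf(stderr, "dlopen(%s): %s\n", path, dlerror());
        return LOAD_ERR_DLOPEN;
    }
    if (fips_required) {
        /* Only a FIPS-capable 1.0.x build exports these two functions. */
        int (*fips_mode_set)(int) = (int (*)(int))dlsym(h, "FIPS_mode_set");
        int (*fips_mode)(void)    = (int (*)(void))dlsym(h, "FIPS_mode");
        if (fips_mode_set == NULL || fips_mode == NULL) {
            dlclose(h);
            return LOAD_ERR_SYMBOL;   /* wrong build: not FIPS-capable */
        }
        if (fips_mode_set(1) != 1 || fips_mode() != 1) {
            dlclose(h);
            return LOAD_ERR_FIPS;     /* self-tests failed or module absent */
        }
    }
    *handle_out = h;
    return LOAD_OK;
}

int main(int argc, char **argv)
{
    int fips_required = (argc > 1 && strcmp(argv[1], "--fips") == 0);
    void *h = NULL;
    int rc = load_crypto(pick_library(fips_required), fips_required, &h);
    printf("load status %d (FIPS %s)\n", rc, fips_required ? "required" : "not required");
    return rc;
}
```

Linking still requires that the application itself is not also linked directly against a libcrypto, otherwise two copies share the process; on older glibc add -ldl.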