Use of -no-ec when building the FIPS capable openssl doesn’t affect the FIPS 
module at all, and therefore doesn’t affect any statements you can make 
regarding FIPS 140 compliance.  The -no-ec option will prevent elliptic curve 
cryptography from being used in OpenSSL when NOT using the FIPS module, and 
does not affect OpenSSL when using the FIPS module.  The FIPS module is used 
only when FIPS mode is enabled by calling FIPS_mode_set().

I’m somewhat concerned, though, by your questions in a previous thread, so I’d 
like to clarify: elliptic curve cryptography cannot be used in FIPS mode (it’s 
not part of the FIPS module), no matter which version of OpenSSL you use with 
the 1.2 OpenSSL FIPS module.  If you were previously using ECDSA keys in your 
application, you were not using the FIPS module, and any statements about the 
application being FIPS 140 compliant were mistaken, at best.

TOM

On Aug 8, 2014, at 1:59 AM, Gayathri Manoj <gayathri.an...@gmail.com> wrote:

> Hi Jeffrey,
> 
> I used openssl_fips 1.2 with openssl 0.9.8l and am planning to upgrade 
> openssl-0.9.8l to 0.9.8za with the -no-ec option. Please let me know whether 
> it breaks my FIPS compliance.
> 
> Thanks,
> Gayathri
> 
> 
> On Fri, Aug 8, 2014 at 11:09 AM, Jeffrey Walton <noloa...@gmail.com> wrote:
> On Fri, Aug 8, 2014 at 1:11 AM, Gayathri Manoj <gayathri.an...@gmail.com> 
> wrote:
> >
> > Please let me know whether openssl-0.9.8za with the -no-ec option is FIPS
> > compliant or not.
> No. If you want FIPS validated crypto, then you need one of the
> openssl-fips-*-tar.gz downloads. They produce the FIPS Object Module.
> 
> openssl-0.9.8xxx is FIPS capable. It can use the validated
> cryptography if the FIPS Object Module is available.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
> 
