Re: Can applications built with 'FIPS Capable OpenSSL' be called as 'FIPS 140-2' certified?
Unless your product (application) is listed on the certificate, it is not FIPS 140-2 certified. Similarly, if you build your own car and drop in an OEM Ford engine, your car does not become a Ford. On Wed, 3 Jul 2019 at 13:35, Dipak B wrote: > > Hi, > > Thank you for the quick answer. > Both the questions have subtle difference. My apology they appear almost same. > > So, to clear my doubts, following is my understanding > > a) An application is FIPS 140-2 certified if and only if it links directly to > 'fipscanister.lib'. > > b) Application which links to 'libcurl.lib' and has no direct called to > OpenSSL can be called as FIPS 140-2 certified if and only if the > libcurl.lib used is generated using 'fipscanister.lib' > > > Not To be said / just repetition > Application linking with ssleay.lib from FIPS capable OpenSSL is not FIPS > 140-2 certified. > > Regards, > Deepak > > On Wed, Jul 3, 2019 at 10:37 PM Salz, Rich wrote: >> >> Didn’t you just ask this question? :) >> >> >> >> If you followed the Win32 build instructions *exactly* and you build your >> application to turn on FIPS mode and link against the canister, then yes. >> >> >> >> If you made changes to the process, then no. >> >> -- Eric Jacksch, CPP, CISM, CISSP e...@jacksch.com Twitter: @EricJacksch https://SecurityShelf.com
Re: Can applications built with 'FIPS Capable OpenSSL' be called as 'FIPS 140-2' certified?
No, strictly speaking, you cannot. Just because you use a FIPS 140-2 certified cryptographic module doesn't mean that your application is FIPS 140-2 certified. It means that your application includes (or uses) a FIPS 140-2 certified cryptographic module. Or, as it is sometimes called, "FIPS Inside". Any organization that cares will ask for the CMVP certificate number and look it up. The certificate will identify the validated configuration. On Wed, 3 Jul 2019 at 13:05, Dipak B wrote: > > Dear Experts, > > Can you please help with the following questions? > All inputs are appreciated. > > a) Can we call an Win32 application built with FIPS Capable OpenSSL as FIPS > 140-2 Certified in strict sense? > where FIPS Capable OpenSSL is OpenSSL built using the FOM (fipscanister.lib) > > I am seeking clarity although read through both Users Guide and Security > Policy. > > Thank you, > Deepak -- Eric Jacksch, CPP, CISM, CISSP e...@jacksch.com Twitter: @EricJacksch https://SecurityShelf.com
Re: Can applications built with 'FIPS Capable OpenSSL' be called as 'FIPS 140-2' certified?
Hi, Thank you for the quick answer. Both the questions have subtle difference. My apology they appear almost same. So, to clear my doubts, following is my understanding a) An application is FIPS 140-2 certified if and only if it links directly to 'fipscanister.lib'. b) Application which links to 'libcurl.lib' and has no direct called to OpenSSL can be called as FIPS 140-2 certified if and only if the libcurl.lib used is generated using 'fipscanister.lib' Not To be said / just repetition Application linking with ssleay.lib from FIPS capable OpenSSL is not FIPS 140-2 certified. Regards, Deepak On Wed, Jul 3, 2019 at 10:37 PM Salz, Rich wrote: > Didn’t you just ask this question? :) > > > > If you followed the Win32 build instructions **exactly** and you build > your application to turn on FIPS mode and link against the canister, then > yes. > > > > If you made changes to the process, then no. > > >
Re: Can applications built with 'FIPS Capable OpenSSL' be called as 'FIPS 140-2' certified?
Didn’t you just ask this question? :) If you followed the Win32 build instructions *exactly* and you build your application to turn on FIPS mode and link against the canister, then yes. If you made changes to the process, then no.
Can applications built with 'FIPS Capable OpenSSL' be called as 'FIPS 140-2' certified?
Dear Experts, Can you please help with the following questions? All inputs are appreciated. a) Can we call an Win32 application built with FIPS Capable OpenSSL as FIPS 140-2 Certified in strict sense? where FIPS Capable OpenSSL is OpenSSL built using the FOM (fipscanister.lib) I am seeking clarity although read through both Users Guide and Security Policy. Thank you, Deepak