Re: Which tar.gz file I need for OpenSSL FIPS Object Module?
The Security Policy is the document you need. Please see Steve Marquess's link to the official copy at NIST. The Security Policy explains everything, including what file you need to obtain, its HMAC, how to verify it, what you must do to retain validation of the canister, how to build the canister, and how to build a FIPS-valid version of OpenSSL using the canister built from the verified FIPS code. -Kyle H On Fri, Jul 15, 2011 at 11:06 AM, Tatiana Evers tev...@tet.com.br wrote: Hi, I'm using openssl (openssl-0.9.8r.tar.gz ) in a project, and now we want certificate the software with FIPS certification, my question is if we must have openssl-fips-1.2.3.tar.gz to use OpenSSL FIPS Object Module? In openssl-0.9.8r.tar.gz project we already some fips files. What is the difference between openssl-fips-1.2.3.tar.gz and openssl-0.9.8r.tar.gz? In User Guide I read the following: The FIPS Object Module is the special monolithic object module built from the special source distribution identified in the Security Policy. It is not the same as the OpenSSL product or any specific official OpenSSL distribution release. Regards, Tatiana Evers tatiana.ev...@tet.com.br +55 51 3220 3433 = Tools Technologies - TT The Software Development Expert Rua Riachuelo, 1098 Conj. 1103 Centro - Porto Alegre - CEP 90010-272 Fone: +55 51 3220-3220 http://www.tet.com.br = __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Which tar.gz file I need for OpenSSL FIPS Object Module?
Hi, I'm using openssl (openssl-0.9.8r.tar.gz ) in a project, and now we want certificate the software with FIPS certification, my question is if we must have openssl-fips-1.2.3.tar.gz to use OpenSSL FIPS Object Module? In openssl-0.9.8r.tar.gz project we already some fips files. What is the difference between openssl-fips-1.2.3.tar.gz and openssl-0.9.8r.tar.gz? In User Guide I read the following: The FIPS Object Module is the special monolithic object module built from the special source distribution identified in the Security Policy. It is not the same as the OpenSSL product or any specific official OpenSSL distribution release. Regards, Tatiana Evers tatiana.ev...@tet.com.br +55 51 3220 3433 = Tools Technologies - TT The Software Development Expert Rua Riachuelo, 1098 Conj. 1103 Centro - Porto Alegre - CEP 90010-272 Fone: +55 51 3220-3220 http://www.tet.com.br =
Which tar.gz file I need for OpenSSL FIPS Object Module?
Hi, I'm using openssl (*openssl-0.9.8r.tar.gz *) in a project, and now we want certificate the software with FIPS certification, my question is if we must have *openssl-fips-1.2.3.tar.gz* to use OpenSSL FIPS Object Module? In * openssl-0.9.8r.tar.gz* project we already some fips files. What is the difference between *openssl-fips-1.2.3.tar.gz* and *openssl-0.9.8r.tar.gz*? In User Guide I read the following: The FIPS Object Module is the special monolithic object module built from the special source distribution identified in the Security Policy. It is not the same as the OpenSSL product or any specific official OpenSSL distribution release. Regards, Tatiana
Which tar.gz file I need for OpenSSL FIPS Object Module?
Hi, I'm using openssl (openssl-0.9.8r.tar.gz ) in a project, and now we want certificate the software with FIPS certification, my question is if we must have openssl-fips-1.2.3.tar.gz to use OpenSSL FIPS Object Module? In openssl-0.9.8r.tar.gz project we already some fips files. What is the difference between openssl-fips-1.2.3.tar.gz and openssl-0.9.8r.tar.gz? In User Guide I read the following: The FIPS Object Module is the special monolithic object module built from the special source distribution identified in the Security Policy. It is not the same as the OpenSSL product or any specific official OpenSSL distribution release. Regards, Tatiana Evers
Re: Which tar.gz file I need for OpenSSL FIPS Object Module?
Hi, I'm using openssl (*openssl-0.9.8r.tar.gz *) in a project, and now we want certificate the software with FIPS certification, my question is if we must have *openssl-fips-1.2.3.tar.gz* to use OpenSSL FIPS Object Module? In * openssl-0.9.8r.tar.gz* project we already some fips files. What is the difference between *openssl-fips-1.2.3.tar.gz* and *openssl-0.9.8r.tar.gz*? In User Guide I read the following: The FIPS Object Module is the special monolithic object module built from the special source distribution identified in the Security Policy. It is not the same as the OpenSSL product or any specific official OpenSSL distribution release. If you just want to experiment with the source then you will find code relevant to FIPS 140-2 relevant functionality in most recent distributions. If you want to build a FIPS module and claim that it is FIPS 140-2 validated (n.b.: validated not certified), that is something else entirely. To make that claim you must follow the procedures outlined in the relevant Security Policy document (for instance, http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1051.pdf) where you will see the source code you must start with is uniquely identified. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877-673-6775 marqu...@opensslfoundation.com
Re: Which tar.gz file I need for OpenSSL FIPS Object Module?
Hi Steve, I want my software be FIPS 140-2 validated, not just experiment with source. The Security Policy document point me to use openssl-fips-1.2.3.tar.gz. Should I remove openssl-0.9.8r.tar.gz? Regards, Tatiana 2011/7/15 Steve Marquess marqu...@opensslfoundation.com ** Hi, I'm using openssl (*openssl-0.9.8r.tar.gz *) in a project, and now we want certificate the software with FIPS certification, my question is if we must have *openssl-fips-1.2.3.tar.gz* to use OpenSSL FIPS Object Module? In * openssl-0.9.8r.tar.gz* project we already some fips files. What is the difference between *openssl-fips-1.2.3.tar.gz* and *openssl-0.9.8r.tar.gz*? In User Guide I read the following: The FIPS Object Module is the special monolithic object module built from the special source distribution identified in the Security Policy. It is not the same as the OpenSSL product or any specific official OpenSSL distribution release. If you just want to experiment with the source then you will find code relevant to FIPS 140-2 relevant functionality in most recent distributions. If you want to build a FIPS module and claim that it is FIPS 140-2 validated (n.b.: validated not certified), that is something else entirely. To make that claim you must follow the procedures outlined in the relevant Security Policy document (for instance, http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1051.pdf) where you will see the source code you must start with is uniquely identified. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877-673-6775 marqu...@opensslfoundation.com
Re: Which tar.gz file I need for OpenSSL FIPS Object Module?
On 7/15/2011 6:48 PM, Tatiana Evers wrote: Hi Steve, I want my software be FIPS 140-2 validated, not just experiment with source. The Security Policy document point me to use openssl-fips-1.2.3.tar.gz. Should I remove openssl-0.9.8r.tar.gz? You cannot build the FIPS canister from openssl-0.9.8r. You may combine the validated FIPS canister generated from openssl-fips-1.2.3 with the openssl-0.9.8r package. Please stop to read the documentation, because if you don't follow it, you don't have a FIPS validated solution. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org