[openssl-users] Configure and config in openssl source folder

Kyle Hamilton aerowolf at gmail.com
Wed Feb 10 20:56:14 UTC 2016



On 2/10/2016 12:47 PM, Steve Marquess wrote:
> Since you're required to start with the official tarball, and aren't
> allowed to change the contents of the tarball, not even a teeny tiny
> little bit, there is no point in dumping the tarball contents into
> your local source code management/version control system. My
> recommendation is that one time only you conduct a solemn candlelit
> ceremony in which the build is manually performed in profound and
> reverential observance of the mandated procedure. Then take the
> resulting fipscanister.* and fips_premain.* files and version control
> those from then on out. Don't try to continually rebuild the FIPS
> module from source that cannot be modified anyway.
>
> -Steve M.

And once you build them, make sure to get SHA-256 and SHA-512 digests of
them, print them out on a piece of paper along with an "I,
______________________, do certify that I built the OpenSSL FIPS version
_______ distribution in accordance with its Security Policy under FIPS
Certificate #_____ and generated these files with the following digests,
on ____________." statement.  Then sign the statement.  Everything
related to FIPS is related to being able to document it, if you want to
sell to a government agency... and if you don't want to sell to a
government agency, there's no real reason for you to bother with it.

-Kyle H
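
The digest step described in the message above, as an added example that is not part of the original post or of the OpenSSL project: it records SHA-256 and SHA-512 digests of the fipscanister.* and fips_premain.* files for the signed statement and later re-checks the version-controlled copies against that record. The function names are hypothetical, and it assumes the GNU coreutils sha256sum and sha512sum tools are installed.

```shell
#!/bin/sh
# Added example (not from the original message). Assumes GNU coreutils.
# fips_manifest and fips_verify are hypothetical helper names.

# Print "ALGO  DIGEST  FILE" for every FIPS build artifact found in DIR.
# Output is sorted in the C locale so the manifest is byte-for-byte
# reproducible regardless of the caller's locale.
fips_manifest() {
    ( cd "$1" || exit 1
      for f in fipscanister.* fips_premain.*; do
          [ -f "$f" ] || continue   # glob matched nothing
          printf 'SHA256  %s  %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$f"
          printf 'SHA512  %s  %s\n' "$(sha512sum "$f" | cut -d' ' -f1)" "$f"
      done ) | LC_ALL=C sort
}

# Re-compute the digests in DIR and compare them with MANIFEST.
# Returns 0 only when the artifact set and every digest are unchanged,
# 1 on any difference, 2 when the manifest itself is missing or empty.
fips_verify() {
    dir=$1; manifest=$2
    [ -s "$manifest" ] || { echo "manifest missing or empty" >&2; return 2; }
    current=$(fips_manifest "$dir")
    [ "$current" = "$(cat "$manifest")" ] && return 0
    # Name each recorded line that can no longer be reproduced.
    while IFS= read -r line; do
        printf '%s\n' "$current" | grep -Fxq -- "$line" \
            || echo "MISMATCH: $line" >&2
    done < "$manifest"
    return 1
}

# Usage: sh fips-digests.sh DIR > manifest.txt
if [ "$#" -ge 1 ]; then fips_manifest "$1"; fi
```

Keep the manifest, or the printed and signed copy of it, somewhere other than the repository that holds the artifacts, so that one change cannot alter both.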

