Can applications built with 'FIPS Capable OpenSSL' be called as 'FIPS 140-2' certified?

Eric Jacksch eric at jacksch.com
Wed Jul 3 17:36:10 UTC 2019


No, strictly speaking, you cannot. Just because you use a FIPS 140-2
certified cryptographic module doesn't mean that your application is
FIPS 140-2 certified. It means that your application includes (or
uses) a FIPS 140-2 certified cryptographic module. Or, as it is
sometimes called, "FIPS Inside".

Any organization that cares will ask for the CMVP certificate number
and look it up. The certificate will identify the validated
configuration.

On Wed, 3 Jul 2019 at 13:05, Dipak B <deepak.redmi2 at gmail.com> wrote:
>
> Dear Experts,
>
> Can you please help with the following questions?
> All inputs are appreciated.
>
> a) Can we call an Win32 application built with FIPS Capable OpenSSL as FIPS 140-2 Certified in strict sense?
> where FIPS Capable OpenSSL is OpenSSL built using the FOM (fipscanister.lib)
>
> I am seeking clarity although read through both Users Guide and Security Policy.
>
> Thank you,
> Deepak



-- 
Eric Jacksch, CPP, CISM, CISSP
eric at jacksch.com
Twitter: @EricJacksch
https://SecurityShelf.com


More information about the openssl-users mailing list