Can applications built with 'FIPS Capable OpenSSL' be called as 'FIPS 140-2' certified?
Eric Jacksch
eric at jacksch.com
Wed Jul 3 17:41:25 UTC 2019
Unless your product (application) is listed on the certificate, it is
not FIPS 140-2 certified.
Similarly, if you build your own car and drop in an OEM Ford engine,
your car does not become a Ford.
On Wed, 3 Jul 2019 at 13:35, Dipak B <deepak.redmi2 at gmail.com> wrote:
>
> Hi,
>
> Thank you for the quick answer.
> Both the questions have subtle difference. My apology they appear almost same.
>
> So, to clear my doubts, following is my understanding
>
> a) An application is FIPS 140-2 certified if and only if it links directly to 'fipscanister.lib'.
>
> b) Application which links to 'libcurl.lib' and has no direct called to OpenSSL can be called as FIPS 140-2 certified if and only if the
> libcurl.lib used is generated using 'fipscanister.lib'
>
>
> Not To be said / just repetition
> Application linking with ssleay.lib from FIPS capable OpenSSL is not FIPS 140-2 certified.
>
> Regards,
> Deepak
>
> On Wed, Jul 3, 2019 at 10:37 PM Salz, Rich <rsalz at akamai.com> wrote:
>>
>> Didn’t you just ask this question? :)
>>
>>
>>
>> If you followed the Win32 build instructions *exactly* and you build your application to turn on FIPS mode and link against the canister, then yes.
>>
>>
>>
>> If you made changes to the process, then no.
>>
>>
--
Eric Jacksch, CPP, CISM, CISSP
eric at jacksch.com
Twitter: @EricJacksch
https://SecurityShelf.com
More information about the openssl-users
mailing list