Will my application be FIPS 140-2 Certified under following conditions?

Kyle Hamilton aerowolf at gmail.com
Thu Jul 4 02:09:08 UTC 2019


Also, on question b: No.  You need to build a compatible version of openssl
as specified in the User Guide, and link that version.  FIPS_mode_set()
tells the library to always and only use the implementations in the FIPS
canister; the canister does not replace the library entirely.

-Kyle H

On Wed, Jul 3, 2019, 11:55 Dipak B <deepak.redmi2 at gmail.com> wrote:

> Dear Experts,
>
> Can you please help me with the following question?
>
> My win32 desktop application uses 'libcurl' to interact with web service,
> in order to get my application FIPS 140-2 certified, following is the plan
> which I arrived at after going through the 'User Guide' and 'Security
> Policy' pdfs.
>
> Plan:
> a. After verifying HMAC-SHA1 of openssl-fips-2.0.16.tar.gz, build it to
> generate fipscanister.lib (FOM) as windows static library.
> b. Build libcurl as windows static library using above fipscanister.lib
> c. Link my desktop application with above libcurl.lib after adding
> FIPS_mode_set()
>
> Questions:
> a. On following points a, b,c, can I confirm that my application is FIPS
> 140-2 certified?
> b.  fipscanister.lib is always static library and it can be substituted
> for libssl.lib / ssleay.lib?
>
> Thank you,
> Deepak
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20190703/3e16ca10/attachment.html>


More information about the openssl-users mailing list