Will my application be FIPS 140-2 Certified under following conditions?

Jakob Bohm jb-openssl at wisemo.com
Thu Jul 4 09:21:53 UTC 2019


Is the use of OpenSSL an actual legal requirement of the certification of
the FIPS object module, or just the easiest way to use it?

Difference would be particularly significant in case someone created code
to use the validated FOM 2.0 module with the OpenSSL 1.1.x feature
enhancements (as the project itself has indicated no desire to do so).

On 04/07/2019 04:09, Kyle Hamilton wrote:
> Also, on question b: No.  You need to build a compatible version of 
> openssl as specified in the User Guide, and link that version.  
> FIPS_mode_set() tells the library to always and only use the 
> implementations in the FIPS canister; the canister does not replace 
> the library entirely.
>
> -Kyle H
>
> On Wed, Jul 3, 2019, 11:55 Dipak B <deepak.redmi2 at gmail.com 
> <mailto:deepak.redmi2 at gmail.com>> wrote:
>
>     Dear Experts,
>
>     Can you please help me with the following question?
>
>     My win32 desktop application uses 'libcurl' to interact with web
>     service, in order to get my application FIPS 140-2 certified,
>     following is the plan which I arrived at after going through the
>     'User Guide' and 'Security Policy' pdfs.
>
>     Plan:
>     a. After verifying HMAC-SHA1 of openssl-fips-2.0.16.tar.gz, build
>     it to generate fipscanister.lib (FOM) as windows static library.
>     b. Build libcurl as windows static library using above
>     fipscanister.lib
>     c. Link my desktop application with above libcurl.lib after adding
>     FIPS_mode_set()
>
>     Questions:
>     a. On following points a, b,c, can I confirm that my application
>     is FIPS 140-2 certified?
>     b.  fipscanister.lib is always static library and it can be
>     substituted for libssl.lib / ssleay.lib?
>



More information about the openssl-users mailing list