Will my application be FIPS 140-2 Certified under following conditions?

Dr Paul Dale paul.dale at oracle.com
Thu Jul 4 10:03:17 UTC 2019


The FOM is standalone in theory, i.e. it isn’t mandatory to use OpenSSL 1.0, but the two are designed to work together and are very closely intertwined.

Moving the FIPS canister forward to 1.1 would be a lot of effort.


Pauli
-- 
Dr Paul Dale | Cryptographer | Network Security & Encryption 
Phone +61 7 3031 7217
Oracle Australia



> On 4 Jul 2019, at 7:21 pm, Jakob Bohm via openssl-users <openssl-users at openssl.org> wrote:
> 
> Is the use of OpenSSL an actual legal requirement of the certification of
> the FIPS object module, or just the easiest way to use it?
> 
> Difference would be particularly significant in case someone created code
> to use the validated FOM 2.0 module with the OpenSSL 1.1.x feature
> enhancements (as the project itself has indicated no desire to do so).
> 
> On 04/07/2019 04:09, Kyle Hamilton wrote:
>> Also, on question b: No.  You need to build a compatible version of openssl as specified in the User Guide, and link that version.  FIPS_mode_set() tells the library to always and only use the implementations in the FIPS canister; the canister does not replace the library entirely.
>> 
>> -Kyle H
>> 
>> On Wed, Jul 3, 2019, 11:55 Dipak B <deepak.redmi2 at gmail.com> wrote:
>> 
>>    Dear Experts,
>> 
>>    Can you please help me with the following question?
>> 
>>    My win32 desktop application uses 'libcurl' to interact with web
>>    service, in order to get my application FIPS 140-2 certified,
>>    following is the plan which I arrived at after going through the
>>    'User Guide' and 'Security Policy' pdfs.
>> 
>>    Plan:
>>    a. After verifying HMAC-SHA1 of openssl-fips-2.0.16.tar.gz, build
>>    it to generate fipscanister.lib (FOM) as windows static library.
>>    b. Build libcurl as windows static library using above
>>    fipscanister.lib
>>    c. Link my desktop application with above libcurl.lib after adding
>>    FIPS_mode_set()
>> 
>>    Questions:
>>    a. On following points a, b, c, can I confirm that my application
>>    is FIPS 140-2 certified?
>>    b. fipscanister.lib is always static library and it can be
>>    substituted for libssl.lib / ssleay.lib?
>> 
> 
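
Step a of the quoted plan (checking the HMAC-SHA1 of the source tarball before building), as an added example that is not part of the thread or of the OpenSSL project's code. It assumes the published digest arrives as an `HMAC-SHA1(name)= hex` line, the form `openssl sha1 -hmac` prints; the key and file contents below are constructed sample values, and the real key and digest must come from the User Guide and the official distribution.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Assumed line format printed by `openssl sha1 -hmac <key> <file>`.
_LINE = re.compile(r"^HMAC-SHA1\((?P<name>[^)]+)\)= (?P<hex>[0-9a-fA-F]{40})$")


def hmac_sha1_file(path, key, chunk_size=1 << 16):
    """Stream the file through HMAC-SHA1 so large tarballs are not loaded whole."""
    mac = hmac.new(key, digestmod=hashlib.sha1)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            mac.update(chunk)
    return mac.hexdigest()


def verify_tarball(path, key, published_line):
    """Return True only if the published line names this file and the MAC matches."""
    m = _LINE.match(published_line.strip())
    if m is None:
        return False  # malformed or truncated digest line: fail closed
    if m.group("name") != os.path.basename(path):
        return False  # digest was published for a different file
    actual = hmac_sha1_file(path, key)
    return hmac.compare_digest(actual, m.group("hex").lower())


def demo():
    """Constructed stand-in for the tarball; key and contents are sample values."""
    key = b"sample-key-from-user-guide"  # placeholder, not the real key
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "openssl-fips-2.0.16.tar.gz")
    with open(path, "wb") as fh:
        fh.write(b"constructed sample bytes, not the real distribution\n" * 1000)
    published = "HMAC-SHA1(openssl-fips-2.0.16.tar.gz)= " + hmac_sha1_file(path, key)
    ok_before = verify_tarball(path, key, published)
    with open(path, "ab") as fh:
        fh.write(b"\x00")  # simulate a modified download
    ok_after = verify_tarball(path, key, published)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```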
