[openssl-users] OpenSSL FIPS (0.9.8) coexisting with non-FIPS (1.0.1)

Steve Marquess marquess at openssl.com
Tue Jan 20 16:16:31 UTC 2015

On 01/19/2015 12:42 PM, Nou Dadoun wrote:
> The scenario that we're contemplating is having FIPS based on 0.9.8??
> coexist with 1.0.1?? so the remapping at runtime would have to
> account for api differences within the two.  This was really the
> upshot of my question.

The 1.2 FIPS module ("FIPS based on 0.9.8") is not compatible with
OpenSSL 1.0.1. You need the 2.0 FIPS module for that.

> But I think I'm still a little confused about the FIPS-certification
> of OpenSSL 1.0.1??,...

It's "validation", not "certification".

> I remember reading that some of the FIPS power on
> self-test requirements precluded a general FIPS certification, is
> that the case? ...

I think you're conflating several issues here. What you're probably
referring to is the fact that some new requirements for *new* FIPS 140-2
validations (IG 9.10 among them) mean that the source code for the 2.0
FIPS module can no longer be used as-is for new validations. Those new
requirements have impacted those vendors desiring to pursue such
"private label" or "copycat" validations, but has not affected the
original 2.0 FIPS module that was used as the model for such private
label validations.

>  What is the status of FIPS OpenSSL certification?
> (Is this written up anywhere?)

The OpenSSL FIPS Object Module v2.0, validation certificate #1747,
remains available for use with (to date) 102 formally tested platforms:


-Steve M.

Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

More information about the openssl-users mailing list