[openssl-users] OpenSSL FIPS (0.9.8) coexisting with non-FIPS (1.0.1)

Nou Dadoun ndadoun at teradici.com
Tue Jan 20 20:00:39 UTC 2015

Thanks for the clarification, a couple of short questions - 

We already have a "shim" to index into the function table that gets loaded after run-time selecting from the 0.9.8 FIPS vs non-FIPS dll to use.  I imagined that we might have to "thicken" the shim  to accommodate selection between 0.9.8-FIPS and 1.0.1 non-FIPS (unorthodox I know but a potential short term step forward).   Couldn't they be made interchangeable with appropriate changes to the shim or is there some more fundamental incompatibility?

I looked at the  link you provided for OpenSSL FIPS Object Module v2.0, validation certificate #1747 (thanks very much for that); another interesting consideration but I was surprised to notice that omitted from the list of supported algorithms was any mention of SHA, is no variant of SHA supported at all?

Thanks again ... N

-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Steve Marquess
Sent: January-20-15 8:17 AM
To: openssl-users at openssl.org
Subject: Re: [openssl-users] OpenSSL FIPS (0.9.8) coexisting with non-FIPS (1.0.1)

On 01/19/2015 12:42 PM, Nou Dadoun wrote:
> The scenario that we're contemplating is having FIPS based on 0.9.8??
> coexist with 1.0.1?? so the remapping at runtime would have to account 
> for api differences within the two.  This was really the upshot of my 
> question.

The 1.2 FIPS module ("FIPS based on 0.9.8") is not compatible with OpenSSL 1.0.1. You need the 2.0 FIPS module for that.

> But I think I'm still a little confused about the FIPS-certification 
> of OpenSSL 1.0.1??,...

It's "validation", not "certification".

> I remember reading that some of the FIPS power on self-test 
> requirements precluded a general FIPS certification, is that the case? 
> ...

I think you're conflating several issues here. What you're probably referring to is the fact that some new requirements for *new* FIPS 140-2 validations (IG 9.10 among them) mean that the source code for the 2.0 FIPS module can no longer be used as-is for new validations. Those new requirements have impacted those vendors desiring to pursue such "private label" or "copycat" validations, but has not affected the original 2.0 FIPS module that was used as the model for such private label validations.

>  What is the status of FIPS OpenSSL certification?
> (Is this written up anywhere?)

The OpenSSL FIPS Object Module v2.0, validation certificate #1747, remains available for use with (to date) 102 formally tested platforms:


-Steve M.

Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

More information about the openssl-users mailing list