[openssl-users] Using FIPS mode and modifying apps

Steve Marquess marquess at openssl.com
Wed Jan 28 14:43:21 UTC 2015

On 01/28/2015 08:31 AM, jonetsu at teksavvy.com wrote:
> ...
>> We have not done any validations that satisfy the various new
>> requirements introduced in late 2013 and early 2014. New validations
>> are very expensive, in dollars, time, and grief, and we don't have the
>> necessary financial backing.
> Something I don't understand. Does validation prevent any software
> development? E.g., why not develop a newer version that is not
> validated (until further notice) but will include for instance the
> automatic library load that would perform transparently all the FIPS
> checks?
> ...

Why should we? Frankly the FIPS 140-2 stuff is of interest to only a
small portion of the overall OpenSSL user base: basically just those
commercial vendors who sell to the U.S. government market. The FIPS
validated software itself is necessarily inferior to the stock OpenSSL
by any "real world" metric (security, performance, maintainability and
usability), and so has no value for the rest of the world or the private
sector in the U.S.

The fully validated module (OpenSSL FIPS Object Module) is at least of
use to all those commercial vendors selling to the USG and DoD;
speculative code that would make it easier for vendors like you to
pursue private proprietary validations would be of interest to a far
smaller subset. We have enough demands on our limited resources as it is
to expend them on such a limited constituency.

-Steve M.

Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
