[openssl-users] 1.0.2 FIPS help

Steve Marquess marquess at openssl.com
Thu Mar 5 16:04:50 UTC 2015

On 03/05/2015 10:05 AM, Steve d wrote:
> Hi,
> We are trying to upgrade from 0.9.8 to 1.0.2 and it seems that the fips
> process has changed.
> Based on the user guide if I can get the canister to build on any
> platform with no changes, I can make the user affirmation from page
> 59 even if that platform is not on the supported platform list?

Yes, that's a typical use of the I.G. G.5 "user affirmation".

Note that not all USG/DoD customers will accept user affirmation, but it
is a legitimate option per FIPS 140-2 scripture.

> We need to build a 32 bit FIPS canister for some legacy code but we
> don't have any 32 bit hardware. The way I'm reading the section on
> cross-compiling is that I can set whatever environment variables I want
> to get the configure script to take the right branch as long as I don't
> modify it. If the resulting platform is not supported then I can add an
> affirmation to my documentation and be on my way?

The "32-bit" and "64-bit" references you see in the list of platforms
("Operational Environments") are to the object code word size, not
necessarily the processor word size. Note the multiple 32-bit platform
entries for 64-bit x86-64 processors.

Also note the nature of the build system used for cross-compilations
(processor, OS, etc.) is irrelevant. What does matter is that during
that build process you use the canonical incantation, e.g.:

  gunzip -c openssl-fips-2.0.9.tar.gz | tar xf -
  cd openssl-fips-2.0.9
  make install

exactly as documented.

-Steve M.

Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
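
The reply above distinguishes object code word size from processor word size. The following is an added example, not part of the original message or of OpenSSL, that reads the ELF header of a built object file to confirm which word size a cross-compile actually produced. It assumes an ELF target; the function names and the script name `elfclass.sh` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes an ELF target;
# Mach-O and PE/COFF objects are reported as "not ELF".

# Print COUNT bytes of FILE starting at OFFSET as space-separated decimals.
elf_bytes() {   # usage: elf_bytes FILE OFFSET COUNT
    od -An -v -tu1 -j "$2" -N "$3" "$1" 2>/dev/null |
        tr -s ' \n' '  ' | sed 's/^ //; s/ $//'
}

# Print the object-code word size (32 or 64) taken from EI_CLASS.
elf_word_size() {
    [ "$(elf_bytes "$1" 0 4)" = "127 69 76 70" ] || return 1  # 0x7f 'E' 'L' 'F'
    case "$(elf_bytes "$1" 4 1)" in
        1) echo 32 ;;   # ELFCLASS32
        2) echo 64 ;;   # ELFCLASS64
        *) return 1 ;;
    esac
}

# Print e_machine (offset 18, two bytes) in decimal, honouring EI_DATA.
# Common values: 3 = x86, 62 = x86-64, 40 = ARM, 20 = PowerPC.
elf_machine() {
    elf_word_size "$1" >/dev/null || return 1
    pair=$(elf_bytes "$1" 18 2)
    case "$pair" in *" "*) ;; *) return 1 ;; esac    # header truncated
    b0=${pair% *}; b1=${pair#* }
    case "$(elf_bytes "$1" 5 1)" in
        1) echo $(( $b0 + $b1 * 256 )) ;;   # ELFDATA2LSB, little endian
        2) echo $(( $b0 * 256 + $b1 )) ;;   # ELFDATA2MSB, big endian
        *) return 1 ;;
    esac
}

# Succeed only if FILE is ELF object code of the expected word size.
check_word_size() {   # usage: check_word_size FILE 32|64
    actual=$(elf_word_size "$1") || { echo "$1: not ELF" >&2; return 2; }
    [ "$actual" = "$2" ] && return 0
    echo "$1: ${actual}-bit object code, expected $2-bit" >&2
    return 1
}

# Run as: sh elfclass.sh path/to/object.o 32
if [ $# -eq 2 ]; then check_word_size "$1" "$2"; fi
```

A 32-bit build made on an x86-64 host reports word size 32 with machine 3, which is the case the multiple 32-bit entries for x86-64 processors describe.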
