[openssl-users] FIPS: Common method executed in case of error

jonetsu jonetsu at teksavvy.com
Tue Mar 10 12:20:58 UTC 2015


Is there a method that is always in the path of execution when a crypto error occurs? The reason for asking is that I would like to very slightly modify the OpenSSL FIPS version so that it will write a file in tmpfs when an error occurs. That place will be observed by another app using inotify. Granted, modifying OpenSSL FIPS will void its FIPS certification. But then, the whole unit will be validated. Having a single place to modify would be quite an extraordinary thing. I have asked recently about a related topic and got some replies regarding the modification of applications, although modifying the library would provide a single package to modify. Steve has replied that indeed the validation will be lost - I wonder if that would have any impact on the total validation costs for a whole unit, OS and apps? Would a non-modified FIPS OpenSSL library reduce the validation costs?

Any comments and suggestions welcomed, regards.

