[openssl-users] FIPS: Which DRBG ?

Steve Marquess marquess at openssl.com
Tue Mar 24 16:37:07 UTC 2015

On 03/24/2015 09:53 AM, jonetsu wrote:
> ...
>> Now the code for the OpenSSL FIPS module can no longer be used
>> as-is for new "private label" or copycat validations, but that's
>> for different reasons and not because of the DRBGs.
> I've read the User Guide bit on private label validations.  In the
> case of a product that consists of a dedicated unit, what would be
> the best approach ?  So far I have considered using the OpenSSL FIPS
> module as is, in the hope that its FIPS validation would save costs
> at the testing lab.  Is this still feasible ?

No, the OpenSSL FIPS module 2.0 code is no longer suitable (as of early
2014) for use as-is in doing copycat validations. Some non-trivial code
hacks will be necessary.

We'll do a new open source based validation to succeed the 2.0 FIPS
module (#1747 validation) at the first opportunity, but that opportunity
has not yet presented itself.

-Steve M.

Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

More information about the openssl-users mailing list