[openssl-users] Question about OpenSSL and FIPS 140-2 module

o haya ohaya at yahoo.com
Thu Aug 4 15:00:36 UTC 2016


I've been tasked to look into FIPS 140-2 "compliance" for our systems, overall, and I know that there's a "FIPS 140-2 module" for OpenSSL, that needs to be built from source and then integrated into OpenSSL by building OpenSSL with the FIPS module.

The User guide goes into how to integrate the resulting OpenSSL(+FIPS module) with applications, and also has an example of doing that.  

What I was wondering is:  Does that mean that EVERY application that we want to have use the OpenSSL(+FIPS module) would have be (slightly) modified and then rebuilt from source?

What about something like Apache?  Would we have to modify the Apache source and rebuild that together with the OpenSSL(+FIPS module)?

Finally, what about COTS products, e.g., WebLogic, for which we cannot obtain the source?  


More information about the openssl-users mailing list