[openssl-users] Question about OpenSSL and FIPS 140-2 module

Steve Marquess marquess at openssl.com
Thu Aug 4 15:48:35 UTC 2016

On 08/04/2016 11:00 AM, o haya wrote:
> Hi,
> I've been tasked to look into FIPS 140-2 "compliance" for our
> systems, overall, and I know that there's a "FIPS 140-2 module" for
> OpenSSL, that needs to be built from source and then integrated into
> OpenSSL by building OpenSSL with the FIPS module.
> The User guide goes into how to integrate the resulting OpenSSL(+FIPS
> module) with applications, and also has an example of doing that.
> What I was wondering is:  Does that mean that EVERY application that
> we want to have use the OpenSSL(+FIPS module) would have be
> (slightly) modified and then rebuilt from source?

Yes, unless that product already has support for the "FIPS capable" OpenSSL.

> What about something like Apache?  Would we have to modify the Apache
> source and rebuild that together with the OpenSSL(+FIPS module)?

Apache httpd is an example of a product that supports the OpenSSL FIPS
module natively, if built using the right build-time options. Stunnel,
socat are others. Probably quite a few more but I don't try to keep track.

OpenSSH is an example of a product not easily adapted for (righteous)
use of the OpenSSL FIPS module, as it contains in-lined cryptographic code.

> Finally, what about COTS products, e.g., WebLogic, for which we
> cannot obtain the source?

You'll need to talk to the vendor(s) of those products. As a general
rule any product that is sold into the USG/DoD market will come in a
FIPS 140 flavor. If you don't have source you'll not be able to tell if
it's readily adaptable for FIPS 140 compliance.

-Steve M.

Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

More information about the openssl-users mailing list