[openssl-users] Does OpenSSL FIPS modules only affect libcrypto.so

Steve Marquess marquess at openssl.com
Tue Jan 19 19:11:59 UTC 2016

On 01/19/2016 01:41 PM, security veteran wrote:
> Thanks Steve.
> So basically the idea is to allow companies build the OpenSSL with FIPS
> modules in their product and ship only this version of OpenSSL to all
> their customers. For the customers who don't need FIPS, then just simply
> keep the FIPS mode disabled and then the OpenSSL will behave just like
> there's no FIPS module exist. Is that correct?
> ...

That is correct.

After the #1747 validation was approved the CMVP introduced a new
requirement that the POST be unconditional, which would conflict with
that objective (to some extent anyway, by forcing the POST to even in
the more common case where FIPS 140-2 was not desired). So that design
objective will not be fully achievable in future validations.

-Steve M.

Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

More information about the openssl-users mailing list