[openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

Jeremy Farrell jeremy.farrell at oracle.com
Tue Mar 15 23:37:21 UTC 2016


On 15/03/2016 21:24, Satya Das wrote:
> Even if a vendor letter is good for CMVP, how is the vendor supposed to know?

By remembering whether or not he followed the required procedure; it's 
the only way for him to know.

> I would say OpenSSL should give such a tool so that the vendor and the testing lab can know such things. It is more than critical that the applications link to the intended crypto module.

You miss the point. It is no more or less critical that 'the application 
link to the intended crypto module' than countless other things. Many of 
the other things cannot be checked by running a tool. How would a tool 
check that the vendor had executed 'make' at the appropriate stage as 
opposed to (say) '/usr/bin/make'? How would a tool check that the vendor 
had got the original tar file from the OSF CD rather than by downloading it?

> This convoluted and complex object module linking etc. with a 207-page user guide is specific to OpenSSL's approach to FIPS, and therefore should be addressed by the project. It should not come down to some vendor document written in good faith.

How can it come down to anything else? What other possible means are 
there for a customer to know that an OpenSSL-based product is FIPS 140-2 
validated?

-- 
J. J. Farrell
Not speaking for Oracle.
