[openssl-users] Comments on the recent OpenSSL 3.0.0 specification

Jakob Bohm jb-openssl at wisemo.com
Tue Feb 19 00:19:39 UTC 2019

(Resend from correct account)

On 15/02/2019 18:35, Salz, Rich via openssl-users wrote:
>> (as for "possibly not the FIPS provider", that's exactly right. That
> one *will* be a loadable module and nothing else, and will only be
> validated as such... meaning that noone can stop you from hacking
> around and have it linked in statically, but that would make it
> invalid re FIPS)
> To be pedantic: this is true only *if you are using the OpenSSL 
> validation.* If you are getting your own validation (such as using 
> OpenSSL in an HSM device or whatnot), this is not true.
> > - If permitted by the CMVP rules, allow an option for
> > application provided (additional) entropy input to the RNG
> > from outside the module boundary.
> This is allowed, but it does not count toward the "minimum entropy" 
> requirements. Anything after the first seeding falls into that category.

Thanks, the document wording made it look like the OpenSSL 3 FIPS RNG would
only accept the system entropy source.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list