AES-cipher offload to engine in openssl-fips
Short, Todd
tshort at akamai.com
Wed Feb 27 11:53:36 UTC 2019
No.
The OpenSSL FIPS Module is not written that way. It should not be permitting any non-FIPS implementations (see Rich's email regarding a bug).
You could write your own engine, get that FIPS certified, and run it with plain, vanilla OpenSSL.
There's a design spec out for OpenSSL 3.0.0 that may allow you to have your own FIPS provider, which, I believe, would be the closest thing to what you want.
--
-Todd Short
// Sent from my iPhone
// "One if by land, two if by sea, three if by the Internet."
> On Feb 27, 2019, at 6:45 AM, suji <sujiknair at gmail.com> wrote:
>
> Thanks for the reply.
>
> With non-fips openssl, it is possible to write my own fips-module. I
> understood.
>
> But, is it possible for me to write a fips-compliant/fips validated "dynamic
> engine" with openssl-fips? Which allows me to offload "fips-compliant"
> functions to my engine "dynamically"?
>
>
>
> --
> Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html