AES-cipher offload to engine in openssl-fips

Richard Levitte levitte at
Wed Feb 27 22:53:53 UTC 2019

Uhm, I'm confused. I thought we were talking about 3.0?

"Dr. Matthias St. Pierre" <Matthias.St.Pierre at> wrote: (27 February 2019 23:34:23 CET)
>> -----Original Message-----
>> > >    I always understood "FIPS-capable OpenSSL" to refer specifically to an
>> > >    OpenSSL compiled with the options to incorporate the FIPS
>> > >    module, not just any OpenSSL build that might be used in FIPS
>> > >    applications (as that would be any OpenSSL at all).
>> > >
>> > Yes, that is historically correct.  I don't believe the project uses
>> > the term "FIPS-capable OpenSSL" any more.  Instead, the design and
>> > such talk about a FIPS module which OpenSSL can use.
>> Correct.
>I disagree: The term "FIPS Capable OpenSSL" is a technical term from the OpenSSL FIPS 2.0
>User Guide ( and has a very clear and precise meaning:
>It refers to an OpenSSL 1.0.2 (or 1.0.1) library configured and built with `./config fips ...`
>in order to integrate the FIPS Object Module. Until FIPS 3.0 has been released and FIPS 2.0
>is history, we should stick to that definition and not confuse FIPS users by reinterpreting it
>or pretending that it is not used anymore or has a different meaning.
>You find the details in Sections 4.2.3 and 4.3.3, respectively, of 
>    4.2.3 Building a FIPS Capable OpenSSL  (Unix/Linux)
>    4.3.3 Building a FIPS Capable OpenSSL  (Windows)
>Here is a brief excerpt:
>Once the validated FIPS Object Module has been generated it is usually combined with an
>OpenSSL distribution in order to provide the standard OpenSSL API. Any 1.0.1 or 1.0.2 release
>can be used for this purpose. The commands
>	./config fips <...other options...>
>	make <...options...>
>	make install
>will build and install the new OpenSSL without overwriting the validated FIPS Object Module
>files. The FIPSDIR environment variable or the --with-fipsdir command line option can
>be used to explicitly reference the location of the FIPS Object Module.
>The combination of the validated FIPS Object Module plus an OpenSSL distribution built in this
>way is referred to as a FIPS capable OpenSSL, as it can be used either as a drop-in replacement for
>a non-FIPS OpenSSL or for use in generating FIPS mode applications.

Sent from my Android device with K-9 Mail. Please excuse my brevity.
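The quoted User Guide excerpt gives the three build commands but not the check most people get wrong in practice: pointing FIPSDIR at a directory that is not actually a complete FIPS Object Module install, which fails late with an obscure fipsld error. The following POSIX shell snippet is an added example, not code from this thread or from the OpenSSL project. It checks the expected FIPS 2.0 module install layout under a directory (lib/fipscanister.o and its .sha1 companion, lib/fips_premain.c and its .sha1 companion, bin/fipsld, include/openssl/fips.h), composes the `./config fips --with-fipsdir=...` line, and wraps the three steps from the excerpt. The `--prefix` and `shared` options, the function names, and the example paths are assumptions made for illustration; the real build must be run inside an unpacked OpenSSL 1.0.2 source tree.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSL: preflight a FIPS Object
# Module install directory, then build a FIPS Capable OpenSSL against it.
# Assumed layout (standard FIPS 2.0 module install): lib/fipscanister.o,
# lib/fipscanister.o.sha1, lib/fips_premain.c, lib/fips_premain.c.sha1,
# bin/fipsld, include/openssl/fips.h. Function names are hypothetical.

# fips_preflight DIR: return 0 if DIR holds every file the OpenSSL build
# (and fipsld at link time) expects, 1 otherwise, naming the first missing
# file on stderr. Note: the .sha1 files are HMAC-SHA1 digests checked by
# fipsld itself, so this only checks presence, not content.
fips_preflight() {
    dir=$1
    for f in lib/fipscanister.o lib/fipscanister.o.sha1 \
             lib/fips_premain.c lib/fips_premain.c.sha1 \
             bin/fipsld include/openssl/fips.h; do
        if [ ! -f "$dir/$f" ]; then
            echo "fips_preflight: missing $dir/$f" >&2
            return 1
        fi
    done
    return 0
}

# fips_capable_config_cmd DIR PREFIX: print the ./config invocation that
# builds a FIPS Capable OpenSSL 1.0.2 against the module in DIR and installs
# it under PREFIX. Printing it first lets you review it before running it.
fips_capable_config_cmd() {
    printf './config fips --with-fipsdir=%s --prefix=%s shared\n' "$1" "$2"
}

# build_fips_capable DIR PREFIX: the three-step procedure from the User Guide,
# run from inside an unpacked openssl-1.0.2 source tree (current directory).
# Exporting FIPSDIR has the same effect as --with-fipsdir; both are set here
# so the location is unambiguous for ./config and for fipsld.
build_fips_capable() {
    fips_preflight "$1" || return 1
    FIPSDIR=$1; export FIPSDIR
    ./config fips --with-fipsdir="$1" --prefix="$2" shared && \
        make && make install
}
```

Typical use from the OpenSSL 1.0.2 source directory is `build_fips_capable /usr/local/ssl/fips-2.0 /opt/openssl-fips`; a missing file is reported before `./config` ever runs, and the module directory is never written to by the build, which is the "without overwriting the validated FIPS Object Module files" property the excerpt describes.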

More information about the openssl-users mailing list