fips 140-2 module conditions and compilation target app

Dr Paul Dale pauli at
Mon Oct 4 23:42:10 UTC 2021

I think you've got the fist of the restriction.  You cannot make any 
changes to the source code, build files or the commands you use to build 
the FOM.  None are acceptable if you want a FIPS validate outcome.  I.e. 
you will lose the FIPS 140-2 validation state if you change anything.


On 5/10/21 5:42 am, Artem Goussev wrote:
>  hi,
> I develop my application and I need to use OpenSSL 1.0.2 with the 
> OpenSSL FIPS Object Module 2.0. I know that OpenSSL 3.0 was 
> released, but unfortunately I must use OpenSSL 1.0.2.
> I have read   OpenSSL FIPS Object Module 2.0 documentation and I have 
> one misunderstanding.
> *"note that as a condition of the FIPS 140-2 validation no other user 
> specified configuration options may be specified."*
> *
> *
> Does it mean that I can't make any changes in the build configuration 
> files? For example, can I change some compilation flags(CFLAGS) or 
> change the list of linked libraries in makefile or others? If I do it 
> will I lose some FIPS-140-2 validation or as a result, will I get an 
> incorrect FIPS 140-2 library or will I lose some FIPS 140-2 compliance 
> ? Can you explain it to me please ?
> i already know that i can't change any configuration settings in make 
> files.
> it means that command
>       ms\do_fips
> build fips module with CFLAG /MD
> and I can't change it, corect? i can't build a fips module with option 
> /MT, correct?
> So it means I can use openssl only in /MD mode, correct? so my target 
> windows console app\dll can be only in /MD mode, correct?
> can you help me to understand plz?
> thanks.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list