<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    Tom, thanks for looking this up.  I believe that this particular
    piece of guidance was removed in 140-3.<br>
    <br>
    <br>
    Pauli<br>
    <br>
    <div class="moz-cite-prefix">On 15/2/22 10:57, Thomas Dwyer III
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CADqc48SfUts9jr48hdcKtav2jx-OccHwJQPpYm=mhrRCri-1aw@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">
        <div>I believe the relevant standard is described in the
          Implementation Guidance for FIPS 140-2: <a
href="https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/fips140-2/fips1402ig.pdf"
            moz-do-not-send="true" class="moz-txt-link-freetext">https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/fips140-2/fips1402ig.pdf</a>
          (see IG 9.11 beginning on page 179). I searched briefly for
          similar text in FIPS 140-3 IG but didn't see anything
          relevant.</div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>Tom.III<br>
        </div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div class="gmail_quote">
          <div dir="ltr" class="gmail_attr">On Mon, Feb 14, 2022 at 3:31
            PM Dr Paul Dale &lt;<a href="mailto:pauli@openssl.org"
              moz-do-not-send="true" class="moz-txt-link-freetext">pauli@openssl.org</a>&gt;
            wrote:<br>
          </div>
          <blockquote class="gmail_quote" style="margin:0px 0px 0px
            0.8ex;border-left:1px solid
            rgb(204,204,204);padding-left:1ex">
            <div> Yes, this has to do with the FIPS standards.  I forget
              which standard it is but the self tests are mandated to be
              run on each device independently.<br>
              <br>
              The fipsinstall process runs the self tests before
              generating the configuration file.  If the self tests
              fail, the module doesn't install.  Copying the
              configuration file across avoids the self tests and
              therefore isn't compliant.<br>
              <br>
              <br>
              Pauli<br>
              <br>
              <br>
              <div>On 15/2/22 02:25, Richard Dymond wrote:<br>
              </div>
              <blockquote type="cite">
                <div dir="ltr">
                  <div style="font-size:small">Hi</div>
                  <div style="font-size:small"><br>
                  </div>
                  <div style="font-size:small">Probably a dumb question,
                    but why must the FIPS module configuration file for
                    OpenSSL 3.0 be generated on every machine that it is
                    to be used on (i.e. must not be copied from one
                    machine to another)?</div>
                  <div style="font-size:small"><br>
                  </div>
                  <div style="font-size:small">I just ran 'openssl
                    fipsinstall' on two different machines with the same
                    FIPS module and it produced exactly the same output
                    each time, so presumably the reason has nothing to
                    do with the config file being unique to the machine.</div>
                  <div style="font-size:small"><br>
                  </div>
                  <div style="font-size:small">Does it have something to
                    do with the FIPS standard itself?</div>
                  <div style="font-size:small"><br>
                  </div>
                  <div style="font-size:small">Richard<br>
                  </div>
                </div>
              </blockquote>
              <br>
            </div>
          </blockquote>
        </div>
      </div>
    </blockquote>
    <br>
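    <div>A provisioning step for the point made in the thread (fipsinstall
      runs the self tests before it writes the configuration file, so the
      file is generated on each host rather than copied), as an added
      example that is not code from the thread or from the OpenSSL project.
      The default paths, the function names and the marker file recording
      which host ran the install are assumptions of this example.</div>
<pre>
```sh
#!/bin/sh
# Added example: run fipsinstall on the host that will use the module.
# Paths and the marker file are assumptions; override via the environment.
OPENSSL="${OPENSSL:-openssl}"
FIPS_MODULE="${FIPS_MODULE:-/usr/local/lib64/ossl-modules/fips.so}"
FIPS_CONF="${FIPS_CONF:-/usr/local/ssl/fipsmodule.cnf}"
FIPS_MARKER="${FIPS_MARKER:-$FIPS_CONF.host}"   # hypothetical local convention

# Generate the config on this host. fipsinstall runs the module self tests
# first, so a failed run writes no new config and clears the marker.
fips_install_local() {
    tmp="$FIPS_CONF.new.$$"
    if "$OPENSSL" fipsinstall -module "$FIPS_MODULE" -out "$tmp"; then
        mv -f "$tmp" "$FIPS_CONF" || return 1
        uname -n > "$FIPS_MARKER"
    else
        rm -f "$tmp" "$FIPS_MARKER"
        echo "fipsinstall failed on $(uname -n); no config installed" >&2
        return 1
    fi
}

# Deployment check: succeeds only if the config is present and the marker
# says fipsinstall was run on this host (a copied config has no marker, or
# a marker naming another host).
fips_installed_here() {
    [ -f "$FIPS_CONF" ] || return 1
    [ -f "$FIPS_MARKER" ] || return 1
    [ "$(cat "$FIPS_MARKER")" = "$(uname -n)" ]
}

# Stand-alone use: "install" or "check" as the first argument.
case "${1:-}" in
    install) fips_install_local ;;
    check)   fips_installed_here ;;
esac
```
</pre>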
  </body>
</html>