All cryptography used by the US Federal Government must be done in compliance with FIPS 140-2. (Other entities may choose to require FIPS compliance for their cryptographic functions as well.) Thus, if you are selling to an entity that requires FIPS, all OpenSSL (and other encryption) libraries must be put into FIPS mode, or FIPS is not satisfied and thus the application is not FIPS compliant.
(In order to understand what FIPS compliance is, you first need to understand what FIPS is, and what it requires. I'd suggest that you download and read the FIPS 140-2 specification, from http://csrc.nist.gov/publications/fips/index.html, to understand why it was specified and what its purpose is.)

Cheers,
-Kyle H

On 6/22/06, Tinnerello, Richard <[EMAIL PROTECTED]> wrote:
> Our application consists of multiple Unix processes each of which creates its own OpenSSL instance. Does it violate the Security Policy if some of those processes set OpenSSL into FIPS mode while others do not? In other words, does the existence of non-FIPS mode toolkit instances invalidate the FIPS mode of the other instances where FIPS mode is desired and has been set.
>
> Thanks,
> Richard
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]