> Thus, if you are selling to an entity that requires FIPS, all OpenSSL (and
> other encryption) libraries must be put into FIPS mode, or FIPS is not
> satisfied and thus the application is not FIPS compliant.

As of Wednesday, June 21, the FIPS certification for OpenSSL has been withdrawn; see http://csrc.nist.gov/cryptval/140-1/1401val2006.htm#642

The Open Source Software Institute has an update dated June 16 (http://www.oss-institute.org/index.php?option=content&task=blogcategory&id=62&Itemid=99) that says the "FIPS 1.0" is being withdrawn by request (of NIST), and that "FIPS 1.1" is available. Unfortunately, this is incorrect as both ftp://ftp.openssl.org/source/ and http://www.openssl.org/source/ list the 1.0 version and not the 1.1 version.

I don't know what the plans are for the OpenSSL team, but as things stand right now there is *no* FIPS version available.

/r$

--
SOA Appliances
Application Integration Middleware

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]