It's probably a combination of my misunderstanding and not wording things correctly :-/

Let's say I want to use the function RSA_X931_generate_key(). Currently it is surrounded by an #ifdef OPENSSL_FIPS conditional. Therefore with the current build system I MUST specify the -fips option to obtain that functionality. I don't really have a problem with this other than I want to build openssl shared libraries but it fails for me with the -fips option.

I was just wondering if there is an easier way to build a shared version of openssl to get access to all functions. I would have thought this should be achievable with or without the -fips configure option. Particularly since the same functions seem to exist in opensslfips-1.1.1 and openssl-0.9.7m.

One solution is to fix the issue building openssl with -fips and -shared, but that requires building the fips-module separately.

The other solution is to allow openssl to build without using the -fips option (i.e. not use the fips-canister) but still have access to all those functions that the fips-canister has :) I guess this is much like the fips snapshot before the fips code was segregated to the opensslfips-1.1.1 code base.

Does that make sense ???

Cheers and thanks, Brendan.


PS wrote:
You are contradicting yourself. If you link against the openssl-fips-1.1.1 library, and are in FIPS_mode, then you have FIPS functionality. If you are not in FIPS mode, then the fips library trivially behaves as the traditional openssl (with all functionalities). The former is called a FIPS-validated App and the latter a FIPS-capable App.

On Nov 29, 2007 4:22 PM, Brendan Simon <[EMAIL PROTECTED]> wrote:

    Hi,

    I require FIPS functionality in OpenSSL but I do NOT have a requirement
    to run in FIPS mode.

    What I would like is to build OpenSSL and have ALL functions available
    to me so I can choose which ones I want to use.  At the moment there are
    some functions that are only available if the -fips configure switch is
    used in both the openssl-fips module and openssl itself.  Unfortunately
    I can't get OpenSSL to build with shared libraries if -fips is
    specified.

    My logic is just because -fips is not specified, should not mean that I
    can't have access to those functions.  To me the -fips means to use the
    fips module which has been fips140-2 certified.

    Should -fips enable fips approved algorithms/methods or should it
    disable use of non-fips approved algorithm/methods ???

    Is there a way to build OpenSSL and have ALL functions available (fips
    or otherwise) so that my application can use any of the functions
    I require.

    Cheers, Brendan.

    ______________________________________________________________________
    OpenSSL Project                                 http://www.openssl.org
    User Support Mailing List                    openssl-users@openssl.org
    Automated List Manager                           [EMAIL PROTECTED]


