Hello Everyone,

I am using OpenSSL FIPS 1.2 object module and OpenSSL 0.9.8 Stable
distribution. When I build OpenSSL libraries using the 0.9.8 stable
version, I see the following files in the output
libeaycompat32.lib
libeayfips32.lib
When I do a Dumpbin on the above library files, I see that they are the same.
Could anyone answer my questions below?
1) Why are the two library files generated? Is there any difference between
them?
2) Which library should I be using to make my OpenSSL application FIPS
compliant?
3) Can I use the libraries as is, or should I rename them to
libeay32.lib?

Thanks much,
Manjula

-----Original Message-----
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Steve Marquess
Sent: Wednesday, December 17, 2008 6:46 PM
To: openssl-users@openssl.org
Subject: Re: openssl-fips 1.2 questions

Victor Duchovni wrote:
>
> FYI, on page 35, Example 5.2b and the text below it are somewhat garbled,
> at least in the MacOSX PDF viewer...
>
> - OPENSSL(config(...) instead of OPENSSL_config(...) in the example
>   
Had several reports on that, fixing now.
> - In the PDF view, the closing ")" of the OPENSSL_config(...) call
>   is not visible. It is only visible when one uses copy/paste to
>   yank the text.
>   
Hmm, looks OK to me in XPDF on Linux. The source document is an ODF file
and I have had some PDF rendering issues before which went away with OO
upgrades.
> - The 0.9.8i man page for OPENSSL_config, ...
I'll defer to the OpenSSL team but will try to put together some 
strawman documentation.
>
> This likely will need to wait for Postfix 2.7 snapshots in the Spring of
> '09, because 0.9.8j is not out yet to validate this approach, and the
> documentation is rather incomplete...
>
> The strategy for Postfix would likely be an optional load of an
> administrator-specified XXXX_conf section (not performed if not explicitly
> set in main.cf), via an administrator specified openssl.cnf file (default
> system-wide openssl.cnf). This can enable FIPS mode provided fipscanister
> is linked-in, which would be a build-time option. If the "exit on error"
> language for OPENSSL_config() is correct, I can't use that, and have to
> use CONF_modules_load_file(3) instead.
>
> Does this sound about right?
>   
Yes it does. Note also that fipscanister can be referenced via a shared 
library (provided automatically with the FIPS capable 0.9.8j+ OpenSSL). 
I'm checking with Steve Henson on the "exit on error" behavior. It's a 
tricky business disabling disallowed functionality in FIPS mode and the 
existing API doesn't always provide a means to indicate that new type of
failure. I remember at one point he was pondering both "hard" and "soft"
error handling. I'd like to encourage the use of OPENSSL_config() as the
preferred method for enabling FIPS mode. Perhaps a subsequent API call
to test if FIPS mode was configured but FIPS mode failed...? But IMHO
the hard failure should still be the default, so we'd need a "Don't exit
on me, I'll check for failure" call before invoking OPENSSL_config().
Hmmm...

-Steve M.

-- 
Steve Marquess
Open Source Software Institute
marqu...@oss-institute.org
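As an added illustration (not part of the original thread, and not Postfix's or OpenSSL's own configuration), this is the shape of the openssl.cnf fragment the configuration-driven approach above relies on: an application-specific section that switches on FIPS mode through the `alg_section` mechanism. The section name `postfix_conf` stands in for the XXXX_conf Victor describes; an application selects it either by pointing `openssl_conf` at it and calling `OPENSSL_config(NULL)`, or explicitly with `CONF_modules_load_file(path, "postfix_conf", flags)`, which returns an error instead of exiting.

```ini
# Constructed example openssl.cnf fragment (assumed layout, not from the thread).
# "openssl_conf" names the default application section that
# OPENSSL_config(NULL) loads; leave it out if the application always
# names its section itself via CONF_modules_load_file().
openssl_conf = postfix_conf

# Application-specific section ("postfix_conf" is a placeholder name).
# Only the algorithm settings are delegated here; other modules
# (engines, ASN.1 OIDs) could be added alongside alg_section.
[postfix_conf]
alg_section = postfix_algs

# Algorithm settings. With fips_mode = yes the library attempts
# FIPS_mode_set(1) while the configuration is being processed; if the
# fipscanister is not linked in (or the power-up self tests fail), the
# load is reported as a configuration error rather than silently ignored.
[postfix_algs]
fips_mode = yes
```

With `OPENSSL_config()` that configuration error is the "exit on error" case discussed above, which is why an application that wants to report the failure itself checks the return value of `CONF_modules_load_file()` and then confirms `FIPS_mode()` is non-zero before proceeding.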

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org