The Security Policy is absolutely clear on this point. (If you haven't read it yet, you MUST, if you want to claim FIPS validation for whatever you're putting it into.) You can copy it from /usr/local to wherever you need it, but in that case you also have to edit the Makefile for OpenSSL to look for fipsld, fips_premain.c, and the associated files.
For what it's worth, there are only two ways you can build the FIPS-validated library on any UNIX-based system, each comprising three steps.

Option 1:
./config fips
make
make install

Option 2:
./config fips no-asm
make
make install

-Kyle H

On Fri, Dec 19, 2008 at 9:13 PM, Victor Duchovni <victor.ducho...@morganstanley.com> wrote:
> On Fri, Dec 19, 2008 at 03:22:17PM -0800, Kyle Hamilton wrote:
>
>> The distribution will ALWAYS look for the FIPS files in
>> /usr/local/ssl/fips-1.0/lib/, since that is where they are put when
>> you follow the commands given in the Security Policy precisely (as you
>> must, if you want the validation to 'stick').
>
> Can you elaborate on this point? We use AFS, software is never installed
> in /usr/local. Rather there is a structured namespace for versioned
> releases of software for a variety of system architectures. OpenSSL
> libraries live in paths along the lines of:
>
> /afs/rdonly/sec/PROJ/openssl/0.9.8i/.exec/x86_64.linux.2.6.glibc.2.3/lib
>
> and multiple versions of OpenSSL are installed at the same time, each in
> their own release tree. Is it really not possible to build the fips code
> to reside in non-default locations?
>
> --
> Viktor.
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org