You're looking at the User Guide. This isn't the right thing to look
at; the relevant document (and indeed the controlling document) is the
Security Policy, http://openssl.org/docs/fips/SecurityPolicy-1.2.pdf ,
and the relevant section is Appendix A, "Installation Instructions".

It's very likely that the User Guide was updated from the 1.1.x
series, and that particular section didn't get revised properly.  But, the
User Guide is not the be-all and end-all; it doesn't get validated, and
indeed wasn't even released for v1.2 for several weeks after the
validated v1.2 module was released.  The Security Policy, however,
is validated in conjunction with the software.

To reiterate the warning at the end of the configuration process: the
result is not and cannot be claimed to be validated if you do not
follow the Security Policy *exactly*.  You have two choices for the
configuration, but everything else must be followed to the letter.

-Kyle H

On Fri, Jan 9, 2009 at 3:44 PM, PGNet <pgnet.trash+...@gmail.com> wrote:
> On Fri, Jan 9, 2009 at 3:29 PM, Kyle Hamilton <aerow...@gmail.com> wrote:
>> If you read it, you too will see this. :)
>
> Actually, I HAD already read section 4.2.1 of the UserGuide for *v1.2*,
>
> "4.2.1 Building the FIPS Object Module from Source
> The specification of any other options on the command line, such as
> ./config fipscanisterbuild shared
> is specifically not permitted"
>
> which seemed pretty clear and unequivocal to me.
>
> There was an exception for Windows,
>
> "4.3.1 Building the FIPS Object Module from Source
> Next build the FIPS Object Module from source:
> ms\do_fips [no-asm]
> where the no-asm option may or may not be present depending on the
> platform (see §3.2.1)"
>
> which, NOT being on Windows I'd ignored.
>
> But, yes, now reading the SecurityPolicy.pdf, "no-asm" is mentioned in
> *usage* a number of times ... but never specifically "allowed", and
> the apparent contradiction is never mentioned, afaict.
>
> Again, my mistake -- no surprise :-/  But sure seems confusing when you
> read it ...
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>
