You're looking at the User Guide. This isn't the right thing to look at; the relevant document (and indeed the controlling document) is the Security Policy, http://openssl.org/docs/fips/SecurityPolicy-1.2.pdf , and the relevant section is Appendix A, "Installation Instructions".
It's very likely that the User Guide was updated from the 1.1.x series, and that particular section didn't get revised properly. But, the User Guide is not the be-all and end-all; it doesn't get validated, and indeed wasn't even released for v1.2 for several weeks after the validated v1.2 module was released. The Security Policy, however, is validated in conjunction with the software. To reiterate the warning at the end of the configuration process: the result is not and cannot be claimed to be validated if you do not follow the Security Policy *exactly*. You have two choices for the configuration, but everything else must be followed to the letter. -Kyle H On Fri, Jan 9, 2009 at 3:44 PM, PGNet <pgnet.trash+...@gmail.com> wrote: > On Fri, Jan 9, 2009 at 3:29 PM, Kyle Hamilton <aerow...@gmail.com> wrote: >> If you read it, you too will see this. :) > > Actually, I HAD already read section 4.2.1 of the UserGuide for *v1.2*, > > "4.2.1Building the FIPS Object Module from Source > The specification of any other options on the command line, such as > ./config fipscanisterbuild shared > is specifically not permitted" > > which seemed pretty clear and unequivocal to me. > > There was an exception for WIndows, > > "4.3.1Building the FIPS Object Module from Source > Next build the FIPS Object Module from source: > ms\do_fips [no-asm] > where the no-asm option may or may not be present depending on the > platform (see ยง3.2.1)" > > which, NOT being on Windows I'd ignored. > > But, yes, now reading the SecurityPolicy.pdf, "no-asm" is mentioned in > *usage* a numebr of times ... but never specifically "allowed", and > the apparent contradiction is never mentioned, afaict. > > Again, my mistake -- no suprise :-/ But sure seems confusing when you > read it ... > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org >
