On Fri January 9 2009, Kyle Hamilton wrote:
> You're looking at the User Guide. This isn't the right thing to look
> at; the relevant document (and indeed the controlling document) is the
> Security Policy, http://openssl.org/docs/fips/SecurityPolicy-1.2.pdf ,
> and the relevant section is Appendix A, "Installation Instructions".
>
> It's very likely that the User Guide has been updated from the 1.1.x
> series, and that particular section wasn't. But, the User Guide is
> not the be-all and end-all; it doesn't get validated, and indeed
> wasn't even released for v1.2 for several weeks after the validated
> v1.2 module was released. The Security Policy, however, is validated
> in conjunction with the software.
>
> To reiterate the warning at the end of the configuration process: the
> result is not and cannot be claimed to be validated if you did not
> follow the Security Policy *exactly*.
>

Now there is an interesting read.
Check the last entry of Table 2.2 - The newest machine added to my collection uses a higher density power connector to the motherboard than that specified. Which means the module is not validated when used on that machine.

_I_ don't have any need to run in FIPS mode - but other people do, and they need to examine the motherboard power connector in use to be sure it meets the policy requirements.

Don't we all just love dealing with government regulations? ;)

Mike

> -Kyle H
>
> On Fri, Jan 9, 2009 at 3:44 PM, PGNet <pgnet.trash+...@gmail.com> wrote:
> > On Fri, Jan 9, 2009 at 3:29 PM, Kyle Hamilton <aerow...@gmail.com> wrote:
> >> If you read it, you too will see this. :)
> >
> > Actually, I HAD already read section 4.2.1 of the UserGuide for *v1.2*,
> >
> > "4.2.1 Building the FIPS Object Module from Source
> > The specification of any other options on the command line, such as
> > ./config fipscanisterbuild shared
> > is specifically not permitted"
> >
> > which seemed pretty clear and unequivocal to me.
> >
> > There was an exception for Windows,
> >
> > "4.3.1 Building the FIPS Object Module from Source
> > Next build the FIPS Object Module from source:
> > ms\do_fips [no-asm]
> > where the no-asm option may or may not be present depending on the
> > platform (see §3.2.1)"
> >
> > which, NOT being on Windows I'd ignored.
> >
> > But, yes, now reading the SecurityPolicy.pdf, "no-asm" is mentioned in
> > *usage* a number of times ... but never specifically "allowed", and
> > the apparent contradiction is never mentioned, afaict.
> >
> > Again, my mistake -- no surprise :-/ But sure seems confusing when you
> > read it ...
> > ______________________________________________________________________
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing List openssl-users@openssl.org
> > Automated List Manager majord...@openssl.org