Gatewood (Woody) Green wrote:
> I noticed in trying to build OpenSSL 1.0.0 that Configure no longer
> accepts the fips and --with-fipslibdir= arguments (as do all 0.9.8
> versions since "j" for building in conjunction and with inclusion of
> openssl-fips-1.2).
>
> Are we awaiting another certification pass of an updated canister beyond
> openssl-fips-1.2?

Yes.

> Is there something significant in the 1.0.0 that fundamentally changes
> the API? Or is this more of a case of dual branch development and the
> changes made since 0.9.8j just did not get merged into the 0.9.9/1.0.0
> branch?

Yes, 1.0.0 is sufficiently different that the existing OpenSSL FIPS
Object Module isn't compatible.

We'd like to implement the FIPS module functionality into 1.0.0, but just
as for the past validations, we're pretty much stuck until and if
sponsor(s) step forward to fund that effort. In addition to the
substantial amount of coding work, the test lab fees are far beyond our
means without such financial backing.

Note also that the rules for FIPS 140-2 validations are changing and
even the original 0.9.8-compatible validated module won't be suitable as
the basis for new validations beyond 2010.

-Steve M.
--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org