Hello openssl-users: I asked on the FreeBSD security list but perhaps this one is more apropos. Our company has been tasked to ship a FIPS compliant version of openssl on top of our FreeBSD based product. I am confused on what distribution I am allowed to use to create a FIPS compliant release.
Here is what I don't understand after reading the FIPS 140-2 User Guide: In the example of building the openssl FIPS *capable* distribution, it seems one should take the distribution from the official openssl.org/source website and validate it using PGP.

However, FreeBSD ships an openssl distribution within its source tree. There is no tarball of openssl that I can validate it against. The source is already integrated in the official FreeBSD source trees. However, it's based on the openssl distribution found in the official repos. I have not done a complete diff, but there may be small build changes to incorporate the openssl distribution into the FreeBSD *world* build.

So, can I build a FIPS compliant product using the FreeBSD openssl distribution OR do I need to build the official openssl distribution tarball (a la ports)?

If this has been answered before, I apologize. Some basic Googling got me mixed answers....

Thanks!
-aps