In order to achieve compliance, you must follow the instructions in the Security Policy to the letter.
This means that you must:

- download and read the security policy
- download the openssl-fips-1.2.0.tar.gz
- verify its integrity according to the security policy
- follow the precise instructions to build it, from the security policy

You should also go to NIST and look at its certificate, to verify that it hasn't been revoked.

To use it, you must obtain sources for the latest 0.9.8 release and compile/link it against the fipscanister. You may be able to do this from your ports tree -- the instructions and requirements apply only to fipscanister.o and several of its companion files. As long as the requirements of the security policy are upheld, the implementation will be compliant.

Note that compliance cannot be truly determined programmatically. So, it's also a good idea to generate multiple hashes (sha-1, sha-256, ripemd160, etc) over the fipscanister and associated files, print them out, and commit to them (physically sign them) as a statement of compliance with the build process.

-Kyle H

On Thu, Mar 3, 2011 at 9:19 AM, Alexander Sack <pisym...@gmail.com> wrote:
Hello openssl-users:

I asked on the FreeBSD security list but perhaps this one is more apropos. Our company has been tasked to ship a FIPS compliant version of openssl on top of our FreeBSD based product. I am confused on what distribution I am allowed to use to create a FIPS compliant release. Here is what I don't understand after reading the FIPS 140-2 User Guide:

In the example of building the openssl FIPS *capable* distribution, it seems one should take the distribution from the official openssl.org/source website and validate it using PGP. However, FreeBSD ships the openssl distribution within its source tree. There is no tarball of openssl that I can validate it against. The source is already integrated in the official FreeBSD source trees. However, it's based on the openssl distribution found in the official repos. I have not done a complete diff, but there may be small build changes to incorporate the openssl distribution into the FreeBSD *world* build.

So, can I build a FIPS compliant product using the FreeBSD openssl distribution OR do I need to build the official openssl distribution tarball (a la ports)?

If this has been answered before, I apologize. Some basic Googling got me mixed answers....

Thanks!

-aps

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
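The integrity check and the multi-hash "statement of compliance" that Kyle describes can be scripted. The following is an added example written for this page, not code from Kyle, the OpenSSL project, or the FIPS Security Policy. It streams each artifact through SHA-1, SHA-256 and RIPEMD-160, renders a manifest that can be printed and physically signed, compares a file against a published digest in constant time, and later detects whether any artifact has drifted from the recorded manifest. The artifact names (fipscanister.o and companions) are stand-ins with constructed contents, and the expected digest used in the demo is the known SHA-256 of the constructed input, not a value from the Security Policy; in real use the expected digest comes from the Security Policy document itself. RIPEMD-160 is reported as unavailable rather than failing when the OpenSSL backing Python's hashlib does not expose it.

```python
"""Multi-hash manifest over FIPS module artifacts, plus digest verification.

Added example for this thread; artifact names and the demo digest are
constructed placeholders, not values from the OpenSSL FIPS Security Policy.
"""
import hashlib
import hmac
import os
import tempfile

# The digests Kyle suggests committing to; order is preserved in the manifest.
ALGORITHMS = ("sha1", "sha256", "ripemd160")


def file_digest(path, algorithm, chunk_size=65536):
    """Hex digest of a file, streamed so a large tarball needs little memory.

    Returns None when hashlib cannot provide the algorithm (ripemd160 depends
    on the OpenSSL build behind Python), so the manifest still records the rest.
    """
    try:
        h = hashlib.new(algorithm)
    except ValueError:
        return None
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digest(path, algorithm, expected_hex):
    """Compare a file's digest with a published value.

    Constant-time comparison; the expected value is normalised to lowercase so
    a digest copied out of a PDF in uppercase still matches.
    """
    actual = file_digest(path, algorithm)
    if actual is None:
        raise RuntimeError(f"{algorithm} is not available in this hashlib build")
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def build_manifest(paths):
    """Return {file name: {algorithm: hex digest or None}} for every artifact."""
    return {
        os.path.basename(p): {alg: file_digest(p, alg) for alg in ALGORITHMS}
        for p in paths
    }


def render_manifest(manifest):
    """Plain-text manifest suitable for printing and signing by hand."""
    lines = []
    for name in sorted(manifest):
        for alg in ALGORITHMS:
            digest = manifest[name][alg] or "(unavailable)"
            lines.append(f"{alg:9} {digest}  {name}")
    return "\n".join(lines) + "\n"


def check_manifest(manifest, paths):
    """Recompute digests and return the names of artifacts that no longer match."""
    current = build_manifest(paths)
    return sorted(name for name in manifest if manifest[name] != current.get(name))


def demo():
    """Constructed walk-through: known-content stand-ins in a temporary directory."""
    # Constructed artifacts; "abc" is chosen because its digests are well known.
    artifacts = (
        ("fipscanister.o", b"abc"),
        ("fipscanister.o.sha1", b"placeholder digest file\n"),
        ("fips_premain.c", b"/* constructed stand-in */\n"),
    )
    with tempfile.TemporaryDirectory() as workdir:
        paths = []
        for name, content in artifacts:
            path = os.path.join(workdir, name)
            with open(path, "wb") as f:
                f.write(content)
            paths.append(path)

        manifest = build_manifest(paths)
        text = render_manifest(manifest)

        # Expected value for the constructed "abc" input, written in uppercase
        # to exercise the normalisation; a real check uses the policy's digest.
        expected = "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD"
        matches = verify_digest(paths[0], "sha256", expected)
        mismatch_detected = not verify_digest(paths[0], "sha256", "0" * 64)

        # Simulate a post-build modification of one companion file, then re-check.
        with open(paths[2], "ab") as f:
            f.write(b"/* modified after the manifest was signed */\n")
        drifted = check_manifest(manifest, paths)

        return {
            "sha1": manifest["fipscanister.o"]["sha1"],
            "sha256": manifest["fipscanister.o"]["sha256"],
            "ripemd160": manifest["fipscanister.o"]["ripemd160"],
            "matches": matches,
            "mismatch_detected": mismatch_detected,
            "drifted": drifted,
            "manifest_text": text,
        }


if __name__ == "__main__":
    result = demo()
    print(result["manifest_text"])
    print("published digest matches:", result["matches"])
    print("artifacts drifted since signing:", result["drifted"])
```

Running the script prints the manifest for the constructed files and then reports that the deliberately modified companion file no longer matches the recorded digests. Point the same functions at the real fipscanister.o and its companion files after a policy-conformant build, and compare the tarball against the digest printed in the Security Policy rather than the constructed value used here.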