On Mon, Mar 07, 2011, Kyle Hamilton wrote:

> In order to achieve compliance, you must follow the instructions in the
> Security Policy to the letter.
>
> This means that you must:
> - download and read the security policy
> - download the openssl-fips-1.2.0.tar.gz
> - verify its integrity according to the security policy
> - follow the precise instructions to build it, from the security policy
>
> You should also go to NIST and look at its certificate, to verify that it
> hasn't been revoked.
>
> To use it, you must obtain sources for the latest 0.9.8 release and
> compile/link it against the fipscanister. You may be able to do this from
> your ports tree -- the instructions and requirements apply only to
> fipscanister.o and several of its companion files. As long as the
> requirements of the security policy are upheld, the implementation will be
> compliant.
>
> Note that compliance cannot be truly determined programmatically. So, it's
> also a good idea to generate multiple hashes (sha-1, sha-256, ripemd160, etc)
> over the fipscanister and associated files, print them out, and commit to
> them (physically sign them) as a statement of compliance with the build
> process.

Note that version openssl-fips-1.2.2.tar.gz is the current version. It has a
few bug fixes and enhancements over the 1.2.0 version. Specifically fixes for
Win64+ASM and support for cross compilation.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
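
The multi-hash record suggested in the quoted message, as an added example (not part of the original thread and not OpenSSL project code): it writes a printable manifest over the files you pass it and can later re-check them against that record. The function names are hypothetical, and ripemd160 is skipped when the local crypto library does not provide it.

```python
import hashlib
import sys
from pathlib import Path

# Digests named in the quoted message; ripemd160 depends on the local OpenSSL build.
ALGORITHMS = ("sha1", "sha256", "ripemd160")

def available_algorithms(names=ALGORITHMS):
    """Return the requested digests that this Python build can compute."""
    usable = []
    for name in names:
        try:
            hashlib.new(name)
            usable.append(name)
        except ValueError:  # digest not provided by the linked crypto library
            pass
    return usable

def digest_file(path, names):
    """Read the file once, feeding every digest; return {algorithm: hex}."""
    hashers = {n: hashlib.new(n) for n in names}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {n: h.hexdigest() for n, h in hashers.items()}

def build_manifest(paths, names=None):
    """Map each file's base name to its digests (base names must be unique)."""
    names = available_algorithms() if names is None else list(names)
    return {Path(p).name: digest_file(p, names) for p in paths}

def format_manifest(manifest):
    """Render one 'ALGO(file)= hex' line per digest, ready to print and sign."""
    return "\n".join(f"{a.upper()}({f})= {d}"
                     for f in sorted(manifest) for a, d in manifest[f].items())

def verify_manifest(paths, manifest):
    """Return (file, algorithm) pairs whose current digest differs from the record."""
    bad = []
    for p in paths:
        recorded = manifest.get(Path(p).name, {})
        current = digest_file(p, list(recorded))
        bad += [(Path(p).name, a) for a in recorded if current[a] != recorded[a]]
        if not recorded:
            bad.append((Path(p).name, "unrecorded"))
    return bad

if __name__ == "__main__":
    print(format_manifest(build_manifest(sys.argv[1:])))
```

Run it with the canister and its companion files as arguments; the manifest is a build record and does not replace the integrity check the Security Policy prescribes.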