I recently ran into a Keystone Cops-like series of issues where multiple other
open source providers (including OpenCA) who build their products on top of
OpenSSL were unable to identify the version of OpenSSL, and thus rejected it in
their build process.  The easiest way around it was to void the FIPS
Compatibility and change the definition which is obviously NOT a desired
solution.

 

For compatibility with existing tools, would it be possible to change the text
versioning approach as follows?  This way we can see both the OpenSSL Version,
the status of that build, and the FIPS version (if necessary), and it would be
compatible with the way current applications are looking for it.

 

For future consistency, may I make a small recommendation?

 

In openssl/crypto/opensslv.h, 

 

30,32c30,32

< #define OPENSSL_VERSION_TEXT  "OpenSSL 1.0.0f-fips-dev xx XXX xxxx"

< #else

< #define OPENSSL_VERSION_TEXT  "OpenSSL 1.0.0f-dev xx XXX xxxx"

---

> #define OPENSSL_VERSION_TEXT  "OpenSSL 1.0.0f xx XXX xxxx Development FIPS
Object Module 1.3"

> #elseFIPS 

> #define OPENSSL_VERSION_TEXT  "OpenSSL 1.0.0f xx XXX xxxx Development"
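
Review bot: `#elseFIPS` on the `>` side is not a valid preprocessor directive, so the non-FIPS branch would never be selected cleanly; it should stay `#else` as on the `<` side. The first new `OPENSSL_VERSION_TEXT` literal is also split across two lines ("...Development FIPS" / "Object Module 1.3") and has to sit on one line, or be written as adjacent string literals, to compile. The FIPS branch also hardcodes "Object Module 1.3" in the text; a comment stating where that module version comes from and the intended field order (version, date, status, FIPS module) would help, since the date placeholder no longer ends the string and downstream scripts that match on this text will need to know the layout.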

 

 

Jack D. Pond

"If you must speak ill of another, do not speak it, write it in the sand near
the water's edge" -- Napoleon Hill (1883-1970)
