Uh, Steve,
crypto/opensslv.h
#define OPENSSL_VERSION_NUMBER 0x10100000L
#ifdef OPENSSL_FIPS
#define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0-fips-dev xx XXX xxxx"
#else
#define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0-dev xx XXX xxxx"
#endif
#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
Jack D. Pond
"To share often and much; to leave the world a little better; to know even one
life has breathed easier because you have lived. That is to have succeeded." --
Ralph Waldo Emerson, (1803-1882)
> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
> On Behalf Of Steve Marquess
> Sent: Thursday, November 03, 2011 9:44 AM
> To: openssl-...@openssl.org; openssl-users@openssl.org
> Subject: OpenSSL FIPS Module 2.0 status update
>
> The FIPS 140-2 validation effort for the OpenSSL FIPS Object Module 2.0 has reached
> an important milestone. We have declared "code freeze", a little later than originally
> planned, and have submitted formal software distributions to the accredited testing
> laboratory.
>
> Those distributions can be found at
>
> http://opensslfoundation.com/testing/validation-2.0/source/
>
> There are two separate versions because some sponsors have requested testing with a
> module that contains only prime curve EC. The "1.9"
> notation accommodates a test lab versioning scheme. Please note that these source
> code distributions *cannot* be used to generate validated modules for two reasons.
> First, nothing has been validated yet, and secondly the distributions still deliberately
> identify the contents as suitable for testing purposes only. After the test lab has finished
> its review we will with their oversight and approval generate new final distributions of
> production code.
>
> Also note that we have already been requested to make some changes to the test suite
> utilities used by the test lab for their test and review activities. Those interested parties
> wishing to examine the software as it is being tested are encouraged to reference the
> OpenSSL-fips-2_0-stable branch in the OpenSSL CVS repository.
>
> -Steve M.
>
> --
> Steve Marquess
> OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD 21710
> USA
> +1 877 673 6775 s/b
> +1 301 874 2571 direct
> marqu...@opensslfoundation.com
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
--- Begin Message ---
I recently ran into a Keystone Cops-like series of issues where multiple other
open source providers (including OpenCA) who build their products on top of
OpenSSL were unable to identify the version of OpenSSL, and thus rejected it in
their build process. The easiest way around it was to void the FIPS
Compatibility and change the definition which is obviously NOT a desired
solution.
For compatibility with existing tools, would it be possible to change the text
versioning approach as follows? This way we can see both the OpenSSL Version,
the status of that build, and the FIPS version (if necessary), and it would be
compatible with the way current applications are looking for it.
For future consistency, may I make a small recommendation?
In openssl/crypto/opensslv.h,
30,32c30,32
< #define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0f-fips-dev xx XXX xxxx"
< #else
< #define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0f-dev xx XXX xxxx"
---
> #define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0f xx XXX xxxx Development FIPS
Object Module 1.3"
> #elseFIPS
> #define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0f xx XXX xxxx Development"
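Review bot: "#elseFIPS" on the third added line is not a valid preprocessor directive and breaks the #ifdef OPENSSL_FIPS conditional; it should remain "#else" as in the removed lines. The first added string literal is also split across two lines after "Development FIPS", which is not valid C unless it is rejoined onto one line. Separately, hard-coding "FIPS Object Module 1.3" inside OPENSSL_VERSION_TEXT ties the library's version string to a single module version, so it goes stale whenever a different module is linked (the status update this thread replies to concerns Module 2.0); consider keeping the module version out of this macro or taking it from a separate define.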
Jack D. Pond
"If you must speak ill of another, do not speak it, write it in the sand near
the water's edge" -- Napoleon Hill(1883-1970)
--- End Message ---
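An added example, not part of the original thread and not OpenSSL's or OpenCA's code: a downstream build check that reads the version without rejecting FIPS or development builds, by decoding OPENSSL_VERSION_NUMBER and by parsing OPENSSL_VERSION_TEXT tolerantly in both the current suffix form and the form proposed above. The struct and function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Parsed version; struct and function names here are hypothetical. */
struct ossl_ver {
    int major, minor, fix;
    char patch;   /* patch letter such as 'f', or 0 when absent */
    int fips;     /* 1 when the text mentions FIPS */
    int dev;      /* 1 when the build is marked as development */
};

/* Case-insensitive substring test. */
static int contains_ci(const char *s, const char *needle) {
    size_t n = strlen(needle), i;
    for (; *s; s++) {
        for (i = 0; i < n && s[i] &&
             tolower((unsigned char)s[i]) == tolower((unsigned char)needle[i]); i++)
            ;
        if (i == n) return 1;
    }
    return 0;
}

/* Parse OPENSSL_VERSION_TEXT; accepts the "-fips-dev" suffix form and the
 * trailing "Development FIPS Object Module" form. Returns 0 on success. */
int parse_version_text(const char *text, struct ossl_ver *v) {
    int used = 0;
    memset(v, 0, sizeof *v);
    if (sscanf(text, "OpenSSL %d.%d.%d%n", &v->major, &v->minor, &v->fix, &used) != 3)
        return -1;
    if (islower((unsigned char)text[used]))
        v->patch = text[used];
    v->fips = contains_ci(text + used, "fips");
    v->dev = contains_ci(text + used, "dev");
    return 0;
}

/* Decode OPENSSL_VERSION_NUMBER, laid out as 0xMNNFFPPS in 1.x headers
 * (major, minor, fix, patch, status; status 0 means development). */
void decode_version_number(unsigned long n, struct ossl_ver *v) {
    unsigned patch = (n >> 4) & 0xff;
    memset(v, 0, sizeof *v);
    v->major = (int)((n >> 28) & 0xf);
    v->minor = (int)((n >> 20) & 0xff);
    v->fix = (int)((n >> 12) & 0xff);
    v->patch = patch ? (char)('a' + patch - 1) : 0;
    v->dev = (n & 0xf) == 0;
}
```

The numeric macro carries no FIPS indication, so decode_version_number leaves fips at 0; a build check that needs it should test OPENSSL_FIPS directly.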