The Security Policy for the FIPS Object Module 2.0 states:

5.1 Exclusive Use of the FIPS Object Module for Cryptography

In order for the referencing application to claim FIPS 140-2 validation, all cryptographic functions utilized by the application must be provided exclusively by the FIPS Object Module. The OpenSSL API used in conjunction with the FIPS Object Module in FIPS mode is designed to automatically disable all non-FIPS cryptographic algorithms.

Question: Does this also preclude the use of other FIPS-validated cryptographic modules in an application using OpenSSL FIPS? If an app has an option to use either OpenSSL-FIPS or MS-CAPI, in FIPS mode, for SSL functionality, does that somehow invalidate the claim that the OpenSSL use is validated?

Jim Adams
Manager, Software Engineering
Rocket Software
70 Main St., Suite 51 * Warrenton, VA 20186 * USA
Tel: +1.404.364.1735 * Fax: +1.540.428.3473
Email: jad...@rocketsoftware.com
Web: www.rocketsoftware.com