On Wed, Nov 6, 2013, Dr. Stephen Henson wrote:
> On Tue, Nov 05, 2013, Vuille, Martin (Martin) wrote:
>
> > Another approach I am considering is to have both a FIPS-capable and
> > non-FIPS capable version of OpenSSL installed on the system (with
> > suitable adjustments to .so file names to avoid conflicts) with the
> > application using the former when FIPS mode is required and the latter
> > otherwise (perhaps by dynamically loading the appropriate one, or by
> > using a different LD_LIBRARY_PATH).
> >
> > Any thoughts on the viability of that approach?
> >
>
> The FIPS capable version of OpenSSL outside FIPS mode should be
> compatible with the non-FIPS build of the same version of OpenSSL so there
> shouldn't be a need to do this.
>
> Any incompatibilities would be regarded as bugs which should be fixed.
>
Understood, but my understanding is that even in non-FIPS mode the code from the FIPS Object Module is used. Is that understanding incorrect?

When not using FIPS mode, I do not want to suffer a performance penalty, as I am running on a very CPU-constrained platform, and want the ability to use patches provided by my platform vendor to leverage their hardware crypto acceleration, which obviously cannot be applied to the FIPS Object Module.

MV