Thanks for the clarification, a couple of short questions - We already have a "shim" to index into the function table that gets loaded after run-time selecting from the 0.9.8 FIPS vs non-FIPS dll to use. I imagined that we might have to "thicken" the shim to accommodate selection between 0.9.8-FIPS and 1.0.1 non-FIPS (unorthodox I know but a potential short term step forward). Couldn't they be made interchangeable with appropriate changes to the shim or is there some more fundamental incompatibility?
I looked at the link you provided for OpenSSL FIPS Object Module v2.0, validation certificate #1747 (thanks very much for that); another interesting consideration but I was surprised to notice that omitted from the list of supported algorithms was any mention of SHA, is no variant of SHA supported at all? Thanks again ... N -----Original Message----- From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Steve Marquess Sent: January-20-15 8:17 AM To: openssl-users@openssl.org Subject: Re: [openssl-users] OpenSSL FIPS (0.9.8) coexisting with non-FIPS (1.0.1) On 01/19/2015 12:42 PM, Nou Dadoun wrote: > The scenario that we're contemplating is having FIPS based on 0.9.8?? > coexist with 1.0.1?? so the remapping at runtime would have to account > for api differences within the two. This was really the upshot of my > question. The 1.2 FIPS module ("FIPS based on 0.9.8") is not compatible with OpenSSL 1.0.1. You need the 2.0 FIPS module for that. > But I think I'm still a little confused about the FIPS-certification > of OpenSSL 1.0.1??,... It's "validation", not "certification". > I remember reading that some of the FIPS power on self-test > requirements precluded a general FIPS certification, is that the case? > ... I think you're conflating several issues here. What you're probably referring to is the fact that some new requirements for *new* FIPS 140-2 validations (IG 9.10 among them) mean that the source code for the 2.0 FIPS module can no longer be used as-is for new validations. Those new requirements have impacted those vendors desiring to pursue such "private label" or "copycat" validations, but has not affected the original 2.0 FIPS module that was used as the model for such private label validations. > What is the status of FIPS OpenSSL certification? > (Is this written up anywhere?) The OpenSSL FIPS Object Module v2.0, validation certificate #1747, remains available for use with (to date) 102 formally tested platforms: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747 -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc _______________________________________________ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users _______________________________________________ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
