> On Jan 20, 2015, at 3:00 PM, Nou Dadoun <ndad...@teradici.com> wrote: > > Thanks for the clarification, a couple of short questions - > > We already have a "shim" to index into the function table that gets loaded > after run-time selecting from the 0.9.8 FIPS vs non-FIPS dll to use. I > imagined that we might have to "thicken" the shim to accommodate selection > between 0.9.8-FIPS and 1.0.1 non-FIPS (unorthodox I know but a potential > short term step forward). Couldn't they be made interchangeable with > appropriate changes to the shim or is there some more fundamental > incompatibility?
Probably, but I’d strongly recommend against what you’re doing. You should instead link only ONE library, and call FIPS_mode_set() when you want to use FIPS Approved mode, and do not call that when you do not want to use FIPS Approved mode. I’m not sure why you would do so much excess work for something that was provided for already with a single function call. If it’s because you want to switch between use of FIPS or not within the same process, then you’ve misunderstood what FIPS 140 validation is for, and you’re doing it wrong. Even with the strange (and loose) interpretations of FIPS 140 the government auditors approve. :) > I looked at the link you provided for OpenSSL FIPS Object Module v2.0, > validation certificate #1747 (thanks very much for that); another interesting > consideration but I was surprised to notice that omitted from the list of > supported algorithms was any mention of SHA, is no variant of SHA supported > at all? That’s the reference to SHS — Secure Hashing Standard. See http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.htm for more info if you’d like. :) > Thanks again … N TOM > -----Original Message----- > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of > Steve Marquess > Sent: January-20-15 8:17 AM > To: openssl-users@openssl.org > Subject: Re: [openssl-users] OpenSSL FIPS (0.9.8) coexisting with non-FIPS > (1.0.1) > > On 01/19/2015 12:42 PM, Nou Dadoun wrote: >> The scenario that we're contemplating is having FIPS based on 0.9.8?? >> coexist with 1.0.1?? so the remapping at runtime would have to account >> for api differences within the two. This was really the upshot of my >> question. > > The 1.2 FIPS module ("FIPS based on 0.9.8") is not compatible with OpenSSL > 1.0.1. You need the 2.0 FIPS module for that. > >> But I think I'm still a little confused about the FIPS-certification >> of OpenSSL 1.0.1??,... > > It's "validation", not "certification". > >> I remember reading that some of the FIPS power on self-test >> requirements precluded a general FIPS certification, is that the case? >> ... > > I think you're conflating several issues here. What you're probably referring > to is the fact that some new requirements for *new* FIPS 140-2 validations > (IG 9.10 among them) mean that the source code for the 2.0 FIPS module can no > longer be used as-is for new validations. Those new requirements have > impacted those vendors desiring to pursue such "private label" or "copycat" > validations, but has not affected the original 2.0 FIPS module that was used > as the model for such private label validations. > >> What is the status of FIPS OpenSSL certification? >> (Is this written up anywhere?) > > The OpenSSL FIPS Object Module v2.0, validation certificate #1747, remains > available for use with (to date) 102 formally tested platforms: > > http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747 > > -Steve M. > > -- > Steve Marquess > OpenSSL Software Foundation, Inc. > 1829 Mount Ephraim Road > Adamstown, MD 21710 > USA > +1 877 673 6775 s/b > +1 301 874 2571 direct > marqu...@opensslfoundation.com > marqu...@openssl.com > gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > _______________________________________________ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
