Can applications built with 'FIPS Capable OpenSSL' be called as 'FIPS 140-2' certified?


Can applications built with 'FIPS Capable OpenSSL' be called as 'FIPS 140-2' certified?

Dipak B
Dear Experts,

Can you please help with the following questions?
All inputs are appreciated.

a) Can we call a Win32 application built with FIPS Capable OpenSSL FIPS 140-2 Certified in the strict sense?
where FIPS Capable OpenSSL is OpenSSL built using the FOM (fipscanister.lib)

I am seeking clarity although I have read through both the User Guide and the Security Policy.

Thank you,
Deepak
Re: Can applications built with 'FIPS Capable OpenSSL' be called as 'FIPS 140-2' certified?

OpenSSL - User mailing list

Didn’t you just ask this question? :)

If you followed the Win32 build instructions *exactly* and you build your application to turn on FIPS mode and link against the canister, then yes.

If you made changes to the process, then no.

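A runtime check for the condition Rich states above (the application turns on FIPS mode and is linked against the canister), added here as an example and not code from the thread or from the OpenSSL project: it probes whether the libcrypto the application loads exports the OpenSSL 1.0.x FIPS Object Module entry points FIPS_mode_set and FIPS_mode, asks the module to enter FIPS mode, and reports why it cannot. It uses POSIX dlopen/dlsym so it builds outside Windows; on Win32 the same probe is LoadLibrary/GetProcAddress against the FIPS Capable DLL. The default soname and the result codes are assumptions of this example.

```c
/* Added example: probe whether the libcrypto an application loads is a FIPS
 * Capable build and can actually enter FIPS mode. FIPS_mode_set(1) runs the
 * FOM integrity check and power-up self-tests; FIPS_mode() reports whether
 * the module is operating in FIPS mode. A build without these exports was not
 * linked against fipscanister and cannot be "FIPS Inside" at all. */
#include <dlfcn.h>
#include <stdio.h>

enum fips_probe {
    FIPS_PROBE_ON = 0,          /* module entered FIPS mode, FIPS_mode() == 1 */
    FIPS_PROBE_NO_LIBRARY = 1,  /* libcrypto could not be loaded */
    FIPS_PROBE_NOT_CAPABLE = 2, /* no FIPS_mode_set export: not built with the FOM */
    FIPS_PROBE_SET_FAILED = 3,  /* FIPS_mode_set(1) failed: integrity/self-test error */
    FIPS_PROBE_NOT_ON = 4       /* FIPS_mode_set(1) succeeded but FIPS_mode() != 1 */
};

/* libcrypto_path: path or soname of the libcrypto to inspect; NULL probes the
 * symbols already linked into the running program. The handle is deliberately
 * never dlclose()d so the module stays resident in FIPS mode. */
enum fips_probe probe_fips_mode(const char *libcrypto_path)
{
    void *h = dlopen(libcrypto_path, RTLD_NOW);
    if (h == NULL)
        return FIPS_PROBE_NO_LIBRARY;

    int (*fips_mode_set)(int) = (int (*)(int)) dlsym(h, "FIPS_mode_set");
    int (*fips_mode)(void) = (int (*)(void)) dlsym(h, "FIPS_mode");
    unsigned long (*err_get_error)(void) =
        (unsigned long (*)(void)) dlsym(h, "ERR_get_error");
    if (fips_mode_set == NULL || fips_mode == NULL)
        return FIPS_PROBE_NOT_CAPABLE;

    if (!fips_mode_set(1)) {
        /* The FOM records the reason (e.g. fingerprint mismatch) on the error queue. */
        if (err_get_error != NULL)
            fprintf(stderr, "FIPS_mode_set(1) failed: error 0x%08lx\n", err_get_error());
        return FIPS_PROBE_SET_FAILED;
    }
    return fips_mode() == 1 ? FIPS_PROBE_ON : FIPS_PROBE_NOT_ON;
}

int main(int argc, char **argv)
{
    /* Assumed default: the OpenSSL 1.0.x soname on Linux; pass the real path. */
    const char *lib = argc > 1 ? argv[1] : "libcrypto.so.1.0.0";
    enum fips_probe r = probe_fips_mode(lib);
    printf("%s: FIPS probe result %d (0 = operating in FIPS mode)\n", lib, (int) r);
    return r == FIPS_PROBE_ON ? 0 : 1;
}
```

Only a result of 0 means the validated module is actually in FIPS mode; any other code means the application is not running the validated configuration, whatever library it was built against.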
Re: Can applications built with 'FIPS Capable OpenSSL' be called as 'FIPS 140-2' certified?

Dipak B
Hi,

Thank you for the quick answer.
Both questions have a subtle difference. My apologies that they appear almost the same.

So, to clear my doubts, the following is my understanding:

a) An application is FIPS 140-2 certified if and only if it links directly to 'fipscanister.lib'.

b) An application which links to 'libcurl.lib' and has no direct calls to OpenSSL can be called FIPS 140-2 certified if and only if the libcurl.lib used is generated using 'fipscanister.lib'.


Not to be said / just repetition:
Application linking with ssleay.lib from FIPS capable OpenSSL is not FIPS 140-2 certified.

Regards,
Deepak

On Wed, Jul 3, 2019 at 10:37 PM Salz, Rich <[hidden email]> wrote:

> Didn’t you just ask this question? :)
>
> If you followed the Win32 build instructions *exactly* and you build your application to turn on FIPS mode and link against the canister, then yes.
>
> If you made changes to the process, then no.

Re: Can applications built with 'FIPS Capable OpenSSL' be called as 'FIPS 140-2' certified?

Eric Jacksch
In reply to this post by Dipak B
No, strictly speaking, you cannot. Just because you use a FIPS 140-2
certified cryptographic module doesn't mean that your application is
FIPS 140-2 certified. It means that your application includes (or
uses) a FIPS 140-2 certified cryptographic module. Or, as it is
sometimes called, "FIPS Inside".

Any organization that cares will ask for the CMVP certificate number
and look it up. The certificate will identify the validated
configuration.

On Wed, 3 Jul 2019 at 13:05, Dipak B <[hidden email]> wrote:

>
> Dear Experts,
>
> Can you please help with the following questions?
> All inputs are appreciated.
>
> a) Can we call a Win32 application built with FIPS Capable OpenSSL FIPS 140-2 Certified in the strict sense?
> where FIPS Capable OpenSSL is OpenSSL built using the FOM (fipscanister.lib)
>
> I am seeking clarity although I have read through both the User Guide and the Security Policy.
>
> Thank you,
> Deepak



--
Eric Jacksch, CPP, CISM, CISSP
[hidden email]
Twitter: @EricJacksch
https://SecurityShelf.com
Re: Can applications built with 'FIPS Capable OpenSSL' be called as 'FIPS 140-2' certified?

Eric Jacksch
In reply to this post by Dipak B
Unless your product (application) is listed on the certificate, it is
not FIPS 140-2 certified.

Similarly, if you build your own car and drop in an OEM Ford engine,
your car does not become a Ford.


On Wed, 3 Jul 2019 at 13:35, Dipak B <[hidden email]> wrote:

>
> Hi,
>
> Thank you for the quick answer.
> Both questions have a subtle difference. My apologies that they appear almost the same.
>
> So, to clear my doubts, the following is my understanding:
>
> a) An application is FIPS 140-2 certified if and only if it links directly to 'fipscanister.lib'.
>
> b) An application which links to 'libcurl.lib' and has no direct calls to OpenSSL can be called FIPS 140-2 certified if and only if the libcurl.lib used is generated using 'fipscanister.lib'.
>
>
> Not to be said / just repetition:
> Application linking with ssleay.lib from FIPS capable OpenSSL is not FIPS 140-2 certified.
>
> Regards,
> Deepak
>
> On Wed, Jul 3, 2019 at 10:37 PM Salz, Rich <[hidden email]> wrote:
>>
>> Didn’t you just ask this question? :)
>>
>> If you followed the Win32 build instructions *exactly* and you build your application to turn on FIPS mode and link against the canister, then yes.
>>
>> If you made changes to the process, then no.



--
Eric Jacksch, CPP, CISM, CISSP
[hidden email]
Twitter: @EricJacksch
https://SecurityShelf.com