> Hello All,
> I came to know that OpenSSL is in its final stage of getting FIPS
> http://trends.newsforge.com/trends/06/01/23/0429219.shtml
> Congrats to all the developers and contributors from the OpenSource
> community for making this happen.
> I have a couple of questions in this regard.
> 1. Once OpenSSL is FIPS certified, will a new version be released, or can an
> existing version (e.g. 0.9.7i) be called FIPS certified?
> 2. Are there any security policy documents that have been published which
> contain steps to be followed while creating an application from FIPS
> certified OpenSSL?
I downloaded and built the 20060124 stable snapshot and built the FIPS
version for Windows. It built w/o errors, but it did not create a SHA1
signature file for fipscanister.obj. I built my application linking with
libeay32.lib and ssleay32.lib. When I tried to enter FIPS mode with
FIPS_mode_set(1), it failed with error FIPS_F_FIPS_CHECK_DSO,
FIPS_R_FINGERPRINT_DOES_NOT_MATCH. The build procedures have
changed since 0.9.7i, as a result of the certification back-and-forth, and
I understand the Users Guide will be released soon with the FIPS build
procedures. But I was able to enter FIPS mode with 0.9.7i by generating
a SHA1 signature file of my app and passing the path to it to FIPS_mode_set,
which has now dropped that parameter.
My question is, has the current snapshot changed since the 0124 snapshot
with regards to building FIPS versions for Windows and entering FIPS mode?
Or am I doing something wrong, or is there an additional step in the build
process that is not yet documented?
Principal Software Developer
Seagull Software Systems, Inc.
Voice: (540) 341-8440 x102, Fax: (540) 428-3473
Are you going to support not only 0.9.7 branch, but also 0.9.8 branch?
----- Original Message -----
From: "Dr. Stephen Henson" <[hidden email]>
To: <[hidden email]>
Sent: Monday, January 30, 2006 10:07 PM
Subject: Re: OpenSSL FIPS Certification
> On Sun, Jan 29, 2006, Kyle Hamilton wrote:
>> 0.9.7h is FIPS certified, as long as you build with unmodified sources
>> (and this is checked with an SHA check on the sources in question).
> Err no IT IS NOT. The version submitted for validation included various
> to sequestered code (the stuff under fips/). No released version of
> currently includes these changes.
> The current 0.9.7-stable snapshot sequestered code matches the submitted
> version. 0.9.7j (not yet released) and later releases will also match it.
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> My question is, has the current snapshot changed since the 0124 snapshot
> with regards to building FIPS versions for Windows and entering FIPS mode?
> Or am I doing something wrong, or is there an additional step in the build
> process that is not yet documented?
There are several steps in the Windows build process for FIPS which are
currently not documented but that is being worked on. The requirements mean
that this differs quite a lot from the normal Windows builds.