We are currently using FIPS and non-FIPS builds of 0.9.8 where a configuration setting can select FIPS or non-FIPS mode, loads the appropriate build and populates a function table which is used by the code for OpenSSL functionality. We would like to update the non-FIPS build to a later version (e.g. 1.0.1) which has support for TLS 1.1/1.2 (etc.) which could then co-exist with the increasingly insecure but certified FIPS build in this way. Has anybody tried this? Any gotchas come to mind? E.g. does a canister need to be used for the non-FIPS? Are there any major API changes between the two (besides APIs and/or parameter values which have been added or extended)? Is this a crazy thing to do? Thanks in advance for any relevant comments! ... N
