On 01/16/2015 04:23 PM, Nou Dadoun wrote: > We are currently using FIPS and non-FIPS builds of 0.9.8 where a > configuration setting can select FIPS or non-FIPS mode, loads the > appropriate build and populates a function table which is used by > the code for OpenSSL functionality. > > We would like to update the non-FIPS build to a later version (e.g. > 1.0.1) which has support for TLS 1.1/1.2 (etc.) which could then > co-exist with the increasingly insecure but certified FIPS build in > this way. > > Has anybody tried this? Any gotchas come to mind? E.g. does a > canister need to be used for the non-FIPS? Are there any major API > changes between the two (besides APIs and/or parameter values which > have been added or extended)? Is this a crazy thing to do? > > Thanks in advance for any relevant comments! ... N If I'm following here, you want to deploy something that uses OpenSSL 1.0.1 either with or without the FIPS module, as decided at runtime. That's a common enough scenario: those customers who must use FIPS will want that, all others either won't want or don't care about FIPS (some of them very specifically won't want it, for understandable reasons). You don't need two separate builds, a single build of one set of libraries can be used for both purposes. We call that the "FIPS capable" OpenSSL: build openssl 1.0.1 with the "fips" build time option in the presence of a FIPS module. You wind up with the same libcrypto and libssl libraries that you know and love. That one set of libraries can be used for either purpose: use them without calling FIPS_mode_set() and they behave like stock 1.0.1. Call FIPS_mode_set() to enable the FIPS module of operation and your application will automatically be using the embedded FIPS module (with non-approved crypto operations disabled). -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marquess at opensslfoundation.com marquess at openssl.com gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc