On Tue, 27 Jan 2015 14:13:57 -0500
Steve Marquess <marquess at openssl.com> wrote:

> The user guide documents that correctly. For the OpenSSL FIPS Object
> Module 2.0 (#1747) the FIPS mode of operation is enabled with
> FIPS_mode_set(). There is no "library startup"; you keep confusing
> past validations with new ones.

OK.

> Note that we would update that existing module to comply with the new
> I.G. 9.10 guidance, but that falls in the class of changes that are
> not permitted under the "change letter" update process (similarly, we
> weren't allowed to update the module to address security
> vulnerabilities such as "Lucky 13").

Yes, FIPS is what it is. I'm short of describing words now, and I prefer not to search too long :-)

> We have not done any validations that satisfy the various new
> requirements introduced in late 2013 and early 2014. New validations
> are very expensive, in dollars, time, and grief, and we don't have the
> necessary financial backing.

Something I don't understand. Does validation prevent any software development? E.g. why not develop a newer version that is not validated (until further notice) but will include for instance the automatic library load that would perform transparently all the FIPS checks?

In our case, our system as a whole will be validated. And that includes OpenSSL, as well as anything else that's relevant to FIPS, including stickers on the units. OpenSSL will be validated anyways.

We are looking at adding the automatic load hence the running of FIPS tests at library load time. But then, this might change depending on the assessment of other FIPS-aware modifications to popular Open Source packages. Otherwise, if they (most) have already FIPS mode options, then we would add the automatic hooks to OpenSSL.

And the unit will be sent to the consultants who will run their SSL tests and others, and then to the NIST labs, as such.

Regards.