On Thu, Feb 04, 2016, Thomas Francis, Jr. wrote: > > AFAIK, you could limit it to the appropriate cipher suites, but be aware > that FIPS 140 is all about proving that only certain known and tested > [implementations of] algorithms are used. It???s unlikely that another > version of OpenSSL would use exactly the same implementations (after all, > fixes and performance enhancements have been added), and there???d still be > nothing to prove those are the approved algorithms, even if they were the > exact same. So I can???t imagine any auditor approving such a setup. > That's correct: when you enter FIPS mode OpenSSL switches algorithm implementations to those in the validated FIPS module and changes several other things such as the use of DRBGs for random number generation instead of the usual OpenSSL PRNG. If you're not in FIPS mode this wont happen and you wont be using validated versions of algorithms. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org
