Thanks for the input, all. Those are basically the responses I was expecting; I just wanted to see it in writing as I couldn't find a clear answer during a short internet search.

On Thu, Feb 4, 2016 at 10:57 AM, Dr. Stephen Henson <steve at openssl.org> wrote:

> On Thu, Feb 04, 2016, Thomas Francis, Jr. wrote:
>
> > AFAIK, you could limit it to the appropriate cipher suites, but be aware
> > that FIPS 140 is all about proving that only certain known and tested
> > [implementations of] algorithms are used. It's unlikely that another
> > version of OpenSSL would use exactly the same implementations (after all,
> > fixes and performance enhancements have been added), and there'd still be
> > nothing to prove those are the approved algorithms, even if they were the
> > exact same. So I can't imagine any auditor approving such a setup.
>
> That's correct: when you enter FIPS mode OpenSSL switches algorithm
> implementations to those in the validated FIPS module and changes several
> other things such as the use of DRBGs for random number generation instead of
> the usual OpenSSL PRNG. If you're not in FIPS mode this won't happen and you
> won't be using validated versions of algorithms.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org