On 01/19/2016 04:33 AM, security veteran wrote:
> Hi,
>
> I am trying to build a system with both the non-FIPS OpenSSL and the
> OpenSSL with FIPS modules, and was wondering do OpenSSL FIPS modules
> actually only affect libcrypto.so?

Yes and no. The "FIPS enabled" OpenSSL consists of OpenSSL 1.0.N built with the "fips" option, in the presence of an OpenSSL FIPS module. That module (which is basically the fipscanister.o file) is embedded within the libcrypto shared library.

If you don't enable FIPS mode (no FIPS_mode_set() call) then that libcrypto behaves just like the usual libcrypto from a non-FIPS enabled OpenSSL build; the FIPS module is just dead weight.

But once you enable FIPS mode then the cryptographic operations that are not allowed by FIPS 140-2 (which is many of the algorithms supported by OpenSSL) are automagically disabled. Those cryptographic operations which are allowed are routed to the FIPS module. Note that those separate crypto implementations in the FIPS module will always necessarily be "behind" the ones in OpenSSL proper (in terms of performance, security, general robustness).

Note we designed the "FIPS enabled" mechanism just so that vendors would not need to ship two different sets of binaries to their customers who do and don't care about FIPS 140-2. Ship the "FIPS enabled" OpenSSL libraries to all your customers, and those who don't explicitly enable FIPS mode won't see the FIPS part.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
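An added example, not part of Steve's message, showing the "one libcrypto, two behaviours" point from the shell. It assumes an OpenSSL 1.0.x build whose openssl(1) tool calls FIPS_mode_set(1) at startup when the OPENSSL_FIPS environment variable is present (the 1.0.x apps do this; 1.1.x and 3.x dropped that switch, so on those builds the variable is simply ignored). It runs an approved digest (SHA-256) and a non-approved one (MD5) with and without the switch and reports which of the states described above the installed library is in; the input file and the state names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original message). Probe how the installed
# libcrypto behaves once FIPS mode is requested. Assumption: OpenSSL 1.0.x,
# where openssl(1) calls FIPS_mode_set(1) when OPENSSL_FIPS is set in the
# environment. Note that the 1.0.x check is getenv() != NULL, so the
# variable must be *unset*, not empty, to get the non-FIPS baseline.

# Constructed input for the digest calls.
TMPFILE="${TMPDIR:-/tmp}/fips_probe.$$"
printf 'hello\n' > "$TMPFILE"
trap 'rm -f "$TMPFILE"' EXIT

# digest_plain ALGO: run "openssl dgst -ALGO" with the FIPS switch unset.
# Returns 0 on success, non-zero if the digest was refused.
digest_plain() {
    (unset OPENSSL_FIPS; openssl dgst "-$1" "$TMPFILE" >/dev/null 2>&1)
}

# digest_fips ALGO: same, but ask the tool to enter FIPS mode first.
digest_fips() {
    OPENSSL_FIPS=1 openssl dgst "-$1" "$TMPFILE" >/dev/null 2>&1
}

# fips_switch_state: print one of the following (names are this example's):
#   broken           SHA-256 fails even without the switch (no usable openssl)
#   fips-set-failed  SHA-256 works plainly but fails once FIPS mode is
#                    requested: FIPS_mode_set(1) was attempted and refused,
#                    e.g. the module integrity check failed
#   fips-active      SHA-256 still works but MD5 is refused in FIPS mode:
#                    the non-approved algorithm was disabled as described
#   no-fips-switch   both digests work either way: a non-FIPS build, or a
#                    version that ignores OPENSSL_FIPS
fips_switch_state() {
    if ! digest_plain sha256; then
        echo broken
        return 1
    fi
    if ! digest_fips sha256; then
        echo fips-set-failed
    elif ! digest_fips md5; then
        echo fips-active
    else
        echo no-fips-switch
    fi
}

fips_switch_state
```

On a non-FIPS build every call succeeds and the script prints `no-fips-switch`; on a working "FIPS enabled" 1.0.x build the MD5 call is the one that fails, which is exactly the "automagically disabled" behaviour, while the same libcrypto serves both runs.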