Uhm, I'm confused. I thought we were talking about 3.0? "Dr. Matthias St. Pierre" <Matthias.St.Pierre@xxxxxxxxx> skrev: (27 februari 2019 23:34:23 CET) > >> -----Ursprüngliche Nachricht----- >> > > I always understood "FIPS-capable OpenSSL" to refer >specifically to an >> > OpenSSL compiled with the options to incorporate the FIPS >canister >> > module, not just any OpenSSL build that might be used in FIPS >compliant >> > applications (as that would be any OpenSSL at all). >> > >> > Yes, that is historically correct. I don't believe the project >uses >> > the term "FIPS-capable OpenSSL" any more. Instead, the design and >> > such talk about a FIPS module which OpenSSL can use. >> >> Correct. > >I disagree: The term "FIPS Capable OpenSSL" is a technical term from >the OpenSSL FIPS 2.0 >User Guide (https://www.openssl.org/docs/fips/UserGuide-2.0.pdf) and >has a very clear and >precise meaning: > >It refers to an OpenSSL 1.0.2 (or 1.0.1) library configured and built >with `./configure fips ...` >in order to integrate the FIPS Object Module. Until FIPS 3.0 has been >released and FIPS 2.0 >is history, we should stick to that definition and not confuse FIPS >users by reinterpreting it >or pretend that it is not used anymore or has a different meaning >nowadays. > >Matthias > >-- > >You find the details in Sections 4.2.3 resp. 4.3.3 of >https://www.openssl.org/docs/fips/UserGuide-2.0.pdf. > > 4.2.3 Building a FIPS Capable OpenSSL (Unix/Linux) > 4.3.3 Building a FIPS Capable OpenSSL (Windows) > >Here a brief excerpt: > >Once the validated FIPS Object Module has been generated it is usually >combined with an >OpenSSL distribution in order to provide the standard OpenSSL API. Any >1.0.1 or 1.0.2 release >can be used for this purpose. The commands > ./config fips <...other options...> > make <...options...> > make install >will build and install the new OpenSSL without overwriting the >validated FIPS Object Module >files. The FIPSDIR environment variable or the --withfipsdir command >line option can >be used to explicitly reference the location of the FIPS Object Module >(fipscanister.o). > >The combination of the validated FIPS Object Module plus an OpenSSL >distribution built in this >way is referred to as a FIPS capable OpenSSL, as it can be used either >as a drop-in replacement for >a non-FIPS OpenSSL or for use in generating FIPS mode applications. -- Skickat från min Android-enhet med K-9 Mail. Ursäkta min fåordighet.
