RE: Build the FIPS Object Module issue on Ubuntu 18.04

> From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of
> Jakob Bohm via openssl-users
> Sent: Thursday, May 16, 2019 02:21
>
> On 16/05/2019 02:11, Paul Dale wrote:
> > Just noting that any module built in this manner is *not* FIPS compliant.
> >
> Only deviations from the official process in creating the
> fipscanister invalidate the FIPS validation.
>
> The FIPS-capable OpenSSL is "outside the boundary" of the
> FIPS module and can be changed at will.  This is why a new
> FIPS validation is not needed every time OpenSSL releases
> a bugfix to OpenSSL 1.0.x .

That's my understanding too, though I don't deal with a FIPS-validated distribution myself. As the OpenSSL FIPS User Guide puts it, "OpenSSL itself is not validated, and never will be". For FIPS, what matters is the OpenSSL FIPS Object Module (the "canister").

However, in this case that's probably moot. The existing validations cover only a handful of Android releases (none later than 5.0, aka Lollipop) on specific hardware. So the best the OP can achieve is a FIPS 140-2 self-validation claim (or pay for a complete validation by some outside lab). Some customers may accept that, but it's weak.

That's one of the problems with FIPS validation - platform restrictions mean it has a short shelf life, at least in any market which actually cares about following the letter of the regulations.

--
Michael Wojcik
Distinguished Engineer, Micro Focus







