Re: Can applications built with 'FIPS Capable OpenSSL' be called as 'FIPS 140-2' certified?

Unless your product (application) is listed on the certificate, it is
not FIPS 140-2 certified.

Similarly, if you build your own car and drop in an OEM Ford engine,
your car does not become a Ford.


On Wed, 3 Jul 2019 at 13:35, Dipak B <deepak.redmi2@xxxxxxxxx> wrote:
>
> Hi,
>
> Thank you for the quick answer.
> Both the questions have a subtle difference. My apologies, they appear almost the same.
>
> So, to clear my doubts, the following is my understanding:
>
> a) An application is FIPS 140-2 certified if and only if it links directly to 'fipscanister.lib'.
>
> b) Application which links to 'libcurl.lib' and has no direct calls to OpenSSL can be called as FIPS 140-2 certified if and only if the
> libcurl.lib used is generated using 'fipscanister.lib'
>
>
> Not To be said / just repetition
> Application linking with ssleay.lib from FIPS capable OpenSSL is not FIPS 140-2 certified.
>
> Regards,
> Deepak
>
> On Wed, Jul 3, 2019 at 10:37 PM Salz, Rich <rsalz@xxxxxxxxxx> wrote:
>>
>> Didn’t you just ask this question? :)
>>
>>
>>
>> If you followed the Win32 build instructions *exactly* and you build your application to turn on FIPS mode and link against the canister, then yes.
>>
>>
>>
>> If you made changes to the process, then no.
>>
>>



-- 
Eric Jacksch, CPP, CISM, CISSP
eric@xxxxxxxxxxx
Twitter: @EricJacksch
https://SecurityShelf.com



