Re: Will my application be FIPS 140-2 Certified under following conditions?

["openssl@xxxxxxxxxxxx" <openssl@xxxxxxxxxxxx>]

Deepak

Just take note of the FIPS 140-2 sunset, and rise of FIPS 140-3

140-3 Takes Effect: 9/22/19

140-3 New Testing Begins: 9/22/20

140-2 Sunset: 9/21/21

140-3 Mandated: 9/22/21

And best of luck ;)

https://www.federalregister.gov/documents/2019/05/01/2019-08817/announcing-issuance-of-federal-information-processing-standard-fips-140-3-security-requirements-for

-- 

Regards,

Mark A. Lane   

© Mark A. Lane 1980 - 2019, All Rights Reserved.
© FooCrypt 1980 - 2019, All Rights Reserved.
© FooCrypt, A Tale of Cynical Cyclical Encryption. 1980 - 2019, All Rights Reserved.
© Cryptopocalypse 1980 - 2019, All Rights Reserved.

On 4 Jul 2019, at 12:09, Kyle Hamilton <aerowolf@xxxxxxxxx> wrote:

Also, on question b: No.  You need to build a compatible version of openssl as specified in the User Guide, and link that version.  FIPS_mode_set() tells the library to always and only use the implementations in the FIPS canister; the canister does not replace the library entirely.

-Kyle H

On Wed, Jul 3, 2019, 11:55 Dipak B <deepak.redmi2@xxxxxxxxx> wrote:

Dear Experts,

Can you please help me with the following question?

My win32 desktop application uses 'libcurl' to interact with web service, in order to get my application FIPS 140-2 certified, following is the plan which I arrived at after going through the 'User Guide' and 'Security Policy' pdfs.

Plan:

a. After verifying HMAC-SHA1 of openssl-fips-2.0.16.tar.gz, build it to generate fipscanister.lib (FOM) as windows static library.

b. Build libcurl as windows static library using above fipscanister.lib

c. Link my desktop application with above libcurl.lib after adding FIPS_mode_set()

Questions:

a. On following points a, b,c, can I confirm that my application is FIPS 140-2 certified?

b.  fipscanister.lib is always static library and it can be substituted for libssl.lib / ssleay.lib?

Thank you,

Deepak