Are you sure that is true? Where in that doc does it say a product or the crypto part of the product inherits FIPS certified if you compile it correctly? I'm pretty sure our products with open source code still go to a lab to be FIPS certified. Can't see how you can get a FIPS certificate w/out being formally tested. Your product might run FIPS certified code but it won't be FIPS certified.

At 11:49 AM 11/10/2010, AMuse wrote:
>Paul: When you compile OpenSSH against OpenSSL in FIPS mode, your OpenSSH will inherit the FIPS 140-2 certification which applies to OpenSSL.
>
>More info here: http://www.openssl.org/docs/fips/UserGuide-1.2.pdf
>
>On 11/10/10 8:32 AM, Hrolenok, Paul wrote:
>>I have an application where I have to implement SFTP file transfers with FIPS 140-2 certified encryption.
>>I've been trying to find out if I can use OpenSSH for this or if I have to buy a commercial solution.
>>Essentially I have two questions.
>>
>>1) Can I compile OpenSSH from source using the OpenSSL FIPS sources and "inherit" the FIPS certification?
>>2) Has anybody compiled OpenSSH using the FIPS OpenSSL sources and can they give me any pointers on how to do that?
>>
>>Any data on the difficulty or time involved would be appreciated since I have to justify the final decision to
>>my $BOSS. I would be doing this on a Sun SPARC system running Solaris 10. I have access to both gcc and the
>>Sun Workshop compilers and would appreciate any insight on either or both.
>>
>>TIA
>>Paul
>>
>>Paul S. Hrolenok
>>Senior Consultant
>>ID Services Group
>>http://www.intelligent.net
>>Recognized on Washingtonian Magazine's 50 Great Places to Work list - 2009