Hi guys,

We used to use 0.9.8 Openssl on Linux platform. We want to use FIPS now.

We did following to make FIPS mode work:
- library is linked statically because FIPS cannot be implemented as shared
library
- we had to make little work around to link FIPS using C compiler because
c++ compiler doesn't work with it.
- Once it was working we had to regenerate keys. With FIPS they have to be
in PCKS8 format.
- Because MD5 is not supported in FIPS mode consequently 3DES to encrypt
private key didn't work. We used function OpenSSL_add_all_algorithms(); that
enabled it and it does work now.

We use EVP_des_ede3_cbc() to encrypt private RSA key, this function was
failing. We found in the mail archive discrussion about the problem where
someone explained that MD5 is not supported in FIPS and consequently
EVP_des_ede3_cbc() didn't work. But OpenSSL_add_all_algorithms(); made it
work anyway.
Does anyone know what has changed by calling OpenSSL_add_all_algorithms()?
Does it brake FIPS certification in any way?
If that is not correct what private key encryption is supposed to be used
with FIPS?


Thanks
Stan

__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org