Roger Boden wrote:
> We are including openssl in a development platform. We are seeing more
> and more requests from our customers for the FIPS validated version of
> OpenSSL. I am now trying to understand what it would mean to include
> the FIPS validated platform in our development platform.

That's great, we hope you're able to use the validated module for your
application(s). Sometime early next year we hope to have a new
validation for a 0.9.8 based module, incidentally.

> Currently, the FIPS validated openssl version is based on 0.9.7 (I
> believe it is based on 0.9.7i). How are newer releases of Openssl
> 0.9.7 handled? Is it possible to upgrade to the latest openssl 0.9.7
> without voiding the FIPS certification? This FAQ,
> http://oss-institute.org/fips-faq.html, claims upgrades can be made
> without affecting the validation. However, the FAQ is quite old, last
> update in July 2004. Is this valid?

You're confusing two different things. The validated module, "OpenSSL
FIPS Object Module v1.1.1", cannot be changed. That validated module is
designed for use with the standard OpenSSL 0.9.7 distributions that you
are familiar with, versions 0.9.7m and greater. You can upgrade or
modify the latter.
>
> Can you change some #include statements in header files in the fips
> module without voiding the certification?

It's validation, not certification, and you cannot change *anything* in
the source code used to generate the validated module. That is spelled
out clearly in the the Security Policy
(http://csrc.nist.gov/cryptval/140-1/140sp/140sp733.pdf) and in even
more detail in the User Guide
(http://openssl.org/docs/fips/UserGuide-1.1.1.pdf). Please read them
and you'll find many of your questions will be answered.

-Steve M.

--
Steve Marquess
Open Source Software Institute
marquess@oss-institute.org


__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org