FIPS and new releases of openssl
In appendix B of the openssl FIPS security policy it is stated that the module must be built with a particular tar file (openssl-fips-1.1.2.tar.gz) and a hmac hash value for the tar file is specified. Furthermore it is statedthat there shall be no additions, deletions, or alterations of the setof files in the tar file as used during module build.
The way I read this is that if you modify for instance the ASN.1 or SSL code (in order to fix a bug), then the FIPS validation is canceled. This does not make sense to me. Why can't higher level code be bug fixed without FIPS validation being canceled?
Var sommaren för kort? Här hittar du solen!
OpenSSL Project [url]http://www.openssl.org[/url]
User Support Mailing List [email]email@example.com[/email]
Automated List Manager [email]firstname.lastname@example.org[/email]