
List:       openssl-users
Subject:    Re: FIPS mode
From:       Ben Laurie <ben () algroup ! co ! uk>
Date:       2004-03-28 14:19:26
Message-ID: 4066DEEE.1040909 () algroup ! co ! uk

Steven Reddie wrote:

> Hi Steve,
>  
> I take it that dynamically linking the FIPS OpenSSL into an executable 
> means that the FIPS certification is void for that application.  So as 
> you have stated, static linking is required.  However, if I'm producing 
> a security library that uses OpenSSL and I statically link the FIPS 
> OpenSSL into that security library but applications dynamically link 
> against my security library what does this mean as far as the FIPS 
> certification is concerned?

IMO, if you can implement a check that the DSO matches the one you 
linked against (and that that matches the one compiled from the FIPS 
certified source), then you are FIPS compliant - however, we do not 
provide that facility out-of-the-box. We should, perhaps, modify the 
security policy to this effect.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majordomo@openssl.org
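
One way to implement the check that the DSO matches the one you linked against, as an added example that is not part of the original message and is not OpenSSL code. Assumptions: a SHA-256 digest of the library is recorded at build time, loading goes through Linux's /proc so the bytes loaded are the bytes hashed, and the names `verify_dso`, `load_verified_dso` and `libsec.so` are hypothetical. It does not cover the second condition in the message, that the DSO also matches one compiled from the certified source.

```python
import ctypes
import hashlib
import os
import tempfile

class DSOMismatch(Exception):
    """The library on disk is not the one recorded at build time."""

def verify_dso(path, expected_sha256_hex):
    """Hash the file and compare with the build-time digest; return the checked fd."""
    fd = os.open(path, os.O_RDONLY)
    try:
        st = os.fstat(fd)
        if st.st_mode & 0o022:
            raise DSOMismatch("writable by group or others")
        digest = hashlib.sha256()
        for block in iter(lambda: os.read(fd, 65536), b""):
            digest.update(block)
        if digest.hexdigest() != expected_sha256_hex.lower():
            raise DSOMismatch("digest differs from build-time value")
        return fd
    except Exception:
        os.close(fd)
        raise

def load_verified_dso(path, expected_sha256_hex):
    """Linux-specific: dlopen through the verified fd, not through the path again."""
    fd = verify_dso(path, expected_sha256_hex)
    try:
        return ctypes.CDLL("/proc/self/fd/%d" % fd)
    finally:
        os.close(fd)

def demo():
    """Constructed stand-in for a DSO: verify it, tamper with it, verify again."""
    body = b"\x7fELF constructed sample, not a real library"
    good = hashlib.sha256(body).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "libsec.so")  # hypothetical file name
        with open(os.open(path, os.O_WRONLY | os.O_CREAT, 0o644), "wb") as f:
            f.write(body)
        os.close(verify_dso(path, good))  # untouched file passes
        with open(path, "ab") as f:
            f.write(b"patched")
        try:
            os.close(verify_dso(path, good))
        except DSOMismatch as exc:
            return str(exc)
        return "tamper not detected"
```

The expected digest has to live where replacing the DSO does not also replace the digest, for example as a constant compiled into the caller.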