OpenSSL 1.0 now with FIPS certification
A FIPS 140-2 certificate is an entry requirement for many projects: there is often no way around the US government's "Security Requirements for Cryptographic Modules", particularly for government contractors. The American National Institute of Standards and Technology (NIST), as the responsible certifying body, has now, at least to an extent, approved version 1.0 of the popular OpenSSL crypto library.
The certificate doesn't cover the OpenSSL library itself, it is only valid for the OpenSSL FIPS Object Module, which offers a specific subset of OpenSSL features. Among other things, it disables various widely used but not FIPS-compliant algorithms such as Blowfish, CAST, IDEA and RC4/5. Migrating software which uses OpenSSL to FIPS-compliant libraries is, however, meant to be relatively easy.
The OpenSSL certification is special because this type of certificate usually applies to ready-to-use, executable program packages; in this case, NIST has certified the source code. The certificate, however, is only valid if executable code is generated from the validated, unchanged source code according to a precisely documented method
. Problems may arise if security holes are found in the certified code; even if the developers release a patch to close a hole, users could lose their certification by installing it. A similar situation already occurred with a previous version of the OpenSSL FIPS Object Module.
(fab)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
