OpenSSL

Cryptography and SSL/TLS Toolkit

FIPS 140-2 verification of the OpenSSL FIPS Object Module source distribution file

image of CD label The latest of the OpenSSL FIPS Object Module ("FIPS module") FIPS 140-2 validations saw the introduction of a new requirement by the CMVP:

The distribution tar file, shall be verified using an independently acquired FIPS 140-2 validated cryptographic module...
Some prospective users of the OpenSSL FIPS Object Module 2.0 already have ready access to an existing securely-installed software product using FIPS 140-2 validated cryptography that is capable of calculating the HMAC-SHA-1 digest of a file on disk, in which case satisfying this requirement is easy (simply calculate the HMAC-SHA-1 digest of the source distribution file using the key "etaonrishdlcupfm" and confirm it is that same as documented in the Security Policy document (e.g., "2cdd29913c6523df8ad38da11c342b80ed3f1dae" for openssl-fips-2.0.tar.gz).

For most prospective users the identification, acquisition, installation, and configuration of a suitable product may be a challenge. (See Section 6.6 of our FIPS User Guide) The requirement for this verification with an independently acquired FIPS 140-2 validated cryptographic module does not apply when the distribution file is distributed using a "secure" means. Distribution on physical media is considered secure in this context, so as a convenience a copy of the distribution files can be obtained from OSS as a CD-ROM disks via postal mail.

The fee for this is $100 in US Dollars. At this time we are only able to accept US wire transfers. Email us at osf-contact@openssl.org and we will send you our ABA and account information. We cannot do credit cards, purchase orders, or anything other than a US-based bank transfer at this time. We can mail internationally (the CD contains only open source code and so may be exported under the TSU exception of EAR ECCN 5D002). It will take a week or two to process your order.

Note that the files you will receive on these CDs will be identical in every respect (except for formal FIPS 140-2 compliance) with the files you can download from https://www.openssl.org/source/ Once the distribution files have been received on this CD they can be redistributed internally within an organizational entity (corporation, institution, or agency) by normal means.

[an error occurred while processing this directive]