3 <!--#include virtual="/inc/head.shtml" -->
5 <!--#include virtual="/inc/banner.shtml" -->
8 <div class="blog-index">
10 <header><h2>FIPS 140-2 verification of the OpenSSL FIPS Object Module source distribution file</h2></header>
11 <div class="entry-content">
14 <img src="./verifycd.jpg" align="left" border="0" alt="image of CD label" width="200" height="200">
15 The latest of the OpenSSL FIPS Object Module ("FIPS module")
16 FIPS 140-2 validations saw the introduction of a new requirement
19 <em>The distribution tar file, shall be verified using an
20 independently acquired FIPS 140-2 validated cryptographic
23 Some prospective users of the OpenSSL FIPS Object Module 2.0 already
24 have ready access to an existing securely-installed software product
25 using FIPS 140-2 validated cryptography that is capable of calculating
26 the HMAC-SHA-1 digest of a file on disk, in which case satisfying this
27 requirement is easy (simply calculate the HMAC-SHA-1 digest of the
28 source distribution file using the key <code>"etaonrishdlcupfm"</code>
29 and confirm it is that same as documented in the <a
30 href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm">Security Policy</a>
31 document (e.g., <code>"2cdd29913c6523df8ad38da11c342b80ed3f1dae"</code> for
32 <em>openssl-fips-2.0.tar.gz</em>).
35 <p>For most prospective users the identification, acquisition,
36 installation, and configuration of a suitable product may be a challenge.
37 (See Section 6.6 of our FIPS
38 <a href="/docs/fips/UserGuide-2.0.pdf">User
40 The requirement for this verification with an independently acquired
41 FIPS 140-2 validated cryptographic module does not apply when the
42 distribution file is distributed using a "secure" means. Distribution
43 on physical media is considered secure in this context so you can
44 verify by obtaining a copy of the distribution files on CD-ROM disks via
47 <p>OpenSSL are not providing disks directly at this time. However we have
48 an arrangement with KeyPair Consulting who will
49 <a href="https://keypair.us/2018/05/cd/">send a disk to you at no
52 <blockquote>Important Disclaimer: The listing of these third party products does not
53 imply any endorsement by the OpenSSL project, and these organizations are not
54 affiliated in any way with OpenSSL other than by the reference to their
55 independent web sites here.</blockquote>
57 <p>Note that the files you will receive on these CDs will be
58 <em>identical</em> in every respect (except for formal FIPS 140-2
59 compliance) with the files you can download from <a
60 href="/source/">https://www.openssl.org/source/</a>
61 Once the distribution files have been received on this CD
62 they can be redistributed internally within an organizational
63 entity (corporation, institution, or agency) by normal means.
68 You are here: <a href="/">Home</a>
69 : <a href="../">Docs</a>
70 : <a href="../fips.html">FIPS</a>
71 : <a href="">FIPS-140 Verify CD</a>
72 <br/><a href="/sitemap.txt">Sitemap</a>
78 <!--#include virtual="/inc/footer.shtml" -->