diff options
| author | slontis <shane.lontis@oracle.com> | 2022-11-07 06:32:07 +0100 |
|---|---|---|
| committer | Tomas Mraz <tomas@openssl.org> | 2022-12-16 19:08:49 +0100 |
| commit | e8241fb6fe4e73bb337c9068e5a2421948ee40ad (patch) | |
| tree | 7f44579c21a5ad473f8389da7d5291ae459b8630 /README-FIPS.md | |
| parent | Refine the documents of several APIs (diff) | |
| download | openssl-e8241fb6fe4e73bb337c9068e5a2421948ee40ad.tar.xz openssl-e8241fb6fe4e73bb337c9068e5a2421948ee40ad.zip | |
Update FIPS related build instructions.
This also links back to the new location that lists the cert and
security policy.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19617)
Diffstat (limited to 'README-FIPS.md')
| -rw-r--r-- | README-FIPS.md | 23 |
1 files changed, 21 insertions, 2 deletions
diff --git a/README-FIPS.md b/README-FIPS.md index 36d9390fa7..e9c81e2c2c 100644 --- a/README-FIPS.md +++ b/README-FIPS.md @@ -1,13 +1,29 @@ OpenSSL FIPS support ==================== -This release of OpenSSL includes a cryptographic module that is intended to be +This release of OpenSSL includes a cryptographic module that can be FIPS 140-2 validated. The module is implemented as an OpenSSL provider. A provider is essentially a dynamically loadable module which implements cryptographic algorithms, see the [README-PROVIDERS](README-PROVIDERS.md) file for further details. -The OpenSSL FIPS provider comes as shared library called `fips.so` (on Unix) +A cryptographic module is only FIPS validated after it has gone through the complex +FIPS 140 validation process. As this process takes a very long time, it is not +possible to validate every minor release of OpenSSL. +If you need a FIPS validated module then you must ONLY generate a FIPS provider +using OpenSSL versions that have valid FIPS certificates. A FIPS certificate +contains a link to a Security Policy, and you MUST follow the instructions +in the Security Policy in order to be FIPS compliant. +See <https://www.openssl.org/source/> for information related to OpenSSL +FIPS certificates and Security Policies. + +Newer OpenSSL Releases that include security or bug fixes can be used to build +all other components (such as the core API's, TLS and the default, base and +legacy providers) without any restrictions, but the FIPS provider must be built +as specified in the Security Policy (normally with a different version of the +source code). + +The OpenSSL FIPS provider is a shared library called `fips.so` (on Unix), or resp. `fips.dll` (on Windows). The FIPS provider does not get built and installed automatically. To enable it, you need to configure OpenSSL using the `enable-fips` option. @@ -15,6 +31,9 @@ the `enable-fips` option. Installing the FIPS module ========================== +The following is only a guide. +Please read the Security Policy for up to date installation instructions. + If the FIPS provider is enabled, it gets installed automatically during the normal installation process. Simply follow the normal procedure (configure, make, make test, make install) as described in the [INSTALL](INSTALL.md) file. |