From e8241fb6fe4e73bb337c9068e5a2421948ee40ad Mon Sep 17 00:00:00 2001
From: slontis
Date: Mon, 7 Nov 2022 15:32:07 +1000
Subject: [PATCH] Update FIPS related build instructions.

This also links back to the new location that lists the cert and security policy.

Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/19617)
---
 README-FIPS.md | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/README-FIPS.md b/README-FIPS.md
index 36d9390fa7..e9c81e2c2c 100644
--- a/README-FIPS.md
+++ b/README-FIPS.md
@@ -1,13 +1,29 @@ OpenSSL FIPS support ==================== -This release of OpenSSL includes a cryptographic module that is intended to be +This release of OpenSSL includes a cryptographic module that can be FIPS 140-2 validated. The module is implemented as an OpenSSL provider. A provider is essentially a dynamically loadable module which implements cryptographic algorithms, see the [README-PROVIDERS](README-PROVIDERS.md) file for further details. -The OpenSSL FIPS provider comes as shared library called `fips.so` (on Unix) +A cryptographic module is only FIPS validated after it has gone through the complex +FIPS 140 validation process. As this process takes a very long time, it is not +possible to validate every minor release of OpenSSL. +If you need a FIPS validated module then you must ONLY generate a FIPS provider +using OpenSSL versions that have valid FIPS certificates. A FIPS certificate +contains a link to a Security Policy, and you MUST follow the instructions +in the Security Policy in order to be FIPS compliant. +See for information related to OpenSSL +FIPS certificates and Security Policies. + +Newer OpenSSL Releases that include security or bug fixes can be used to build +all other components (such as the core API's, TLS and the default, base and +legacy providers) without any restrictions, but the FIPS provider must be built +as specified in the Security Policy (normally with a different version of the +source code). + +The OpenSSL FIPS provider is a shared library called `fips.so` (on Unix), or resp. `fips.dll` (on Windows). The FIPS provider does not get built and installed automatically. To enable it, you need to configure OpenSSL using the `enable-fips` option. 
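Review bot: the sentence "See for information related to OpenSSL FIPS certificates and Security Policies." has no visible link target, even though the commit message says this change links back to the location that lists the certificate and Security Policy; if this was an angle-bracket autolink that got dropped, restore it, and prefer the `[text](URL)` form already used for `[README-PROVIDERS](README-PROVIDERS.md)` so the reference stays readable when the file is viewed as plain text. Since the whole section hinges on the reader finding the right Security Policy, a dangling "See for" makes the compliance instruction unactionable. Two smaller style points in the same hunk: "core API's" should be "core APIs", and "Newer OpenSSL Releases" should not capitalise "Releases".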
@@ -15,6 +31,9 @@ the `enable-fips` option. Installing the FIPS module ========================== +The following is only a guide. +Please read the Security Policy for up to date installation instructions. + If the FIPS provider is enabled, it gets installed automatically during the normal installation process. Simply follow the normal procedure (configure, make, make test, make install) as described in the [INSTALL](INSTALL.md) file.
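Review bot: the new caveat "The following is only a guide. Please read the Security Policy for up to date installation instructions." does not say which document wins when the README steps and the Security Policy disagree, which is the case that actually matters for validation; suggest stating explicitly that the Security Policy takes precedence and that the steps below are informational only, and pointing to where the Security Policy is found (the certificate listing referenced in the first section) rather than to "the Security Policy" in the abstract. Also hyphenate "up-to-date" when used as an adjective before "installation instructions".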