curl-library

Re: A FIPS-capable libcurl - How To Mod libcurl to Incorporate OpenSSL built with the OSSI FIPS Object Module

From: Dan Fandrich <dan_at_coneharvesters.com>
Date: Tue, 24 Apr 2007 22:10:45 -0700

On Tue, Apr 24, 2007 at 08:39:44PM -0700, Welling, Conrad Gerhart wrote:
> Not sure if this is helpful, but, who cares. If I can help just one person in
> this crazy world, my life will have been fulfilled.

:^)

> Here are my mods to the curl library to incorporate the OSSI FIPS Object Module
> (FOM) in OpenSSL and the curl library (I'm developing a FIPS-capable Windows
> service using HTTPS). This is a terse posting of the changes I made to libcurl
[...]
> if(0 == (fipscode = FIPS_mode_set(data->set.ssl.fips.pre_state))) {

It looks like it all boils down to this line, which enables/disables FIPS
mode. Just what does FIPS mode really do, and is it likely to be turned
on and off during normal operation by an app or is it more likely to be
simply turned on and left on? Given that the only users of this are
government users with a long certification checklist, and are probably
going to have to build their libcurl anyway to get their app FIPS
certified, is it a valid possibility to turn this into a compile-time option
instead of a run-time one? That would mean those developers would need
to compile their own libcurl and configure it with --enable-fips, which
would unconditionally call FIPS_mode_set to always turn it on.

>>> Dan

-- 
http://www.MoveAnnouncer.com              The web change of address service
          Let webmasters know that your web site has moved
Received on 2007-04-25