
RE: A FIPS-capable libcurl - How To Mod libcurl to Incorporate OpenSSL built with the OSSI FIPS Object Module

From: Welling, Conrad Gerhart <>
Date: Wed, 25 Apr 2007 12:05:49 -0700

It may not be worth noting that the FOM User Guide on Page 59 makes the point of providing the following definition:

"A version of the OpenSSL product that is suitable for reference by an application along with the FIPS object module is a FIPS COMPATIBLE OpenSSL."

I take this to mean that "they" want me to refer to my app as a "FIPS compatible" app and not FIPS validated or certified, since, I suppose, only the FOM is FIPS 140-2 VALIDATED.

-----Original Message-----
On Behalf Of Dan Fandrich
Sent: Tuesday, April 24, 2007 10:11 PM
Subject: Re: A FIPS-capable libcurl - How To Mod libcurl to
Incorporate OpenSSL built with the OSSI FIPS Object Module

On Tue, Apr 24, 2007 at 08:39:44PM -0700, Welling, Conrad Gerhart wrote:
> Not sure if this is helpful, but, who cares. If I can help just one person in
> this crazy world, my life will have been fulfilled.


> Here are my mods to the curl library to incorporate the OSSI FIPS Object Module
> (FOM) in OpenSSL and the curl library (I'm developing a FIPS-capable Windows
> service using HTTPS). This is a terse posting of the changes I made to libcurl
> if(0 == (fipscode = FIPS_mode_set(data->set.ssl.fips.pre_state))) {

It looks like it all boils down to this line, which enables/disables FIPS
mode. Just what does FIPS mode really do, and is it likely to be turned
on and off during normal operation by an app or is it more likely to be
simply turned on and left on? Given that the only users of this are
government users with a long certification checklist, and are probably
going to have to build their libcurl anyway to get their app FIPS
certified, is it a valid possibility to turn this into a compile-time option
instead of a run-time one? That would mean those developers would need
to compile their own libcurl and configure it with --enable-fips, which
would unconditionally call FIPS_mode_set to always turn it on.

>>> Dan

Received on 2007-04-25
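
The compile-time approach raised in Dan Fandrich's reply above, as an added example that is not part of the original thread or of libcurl: FIPS mode is requested once at start-up and the caller fails closed if the mode-set call returns 0. `fips_startup`, `tls_setup_allowed`, `ENABLE_FIPS` and the stub functions are assumed names; the mode-set routine is passed in as a pointer so the logic runs without a FIPS-capable OpenSSL.

```c
#include <stddef.h>

/* All names here are assumptions made for this example, not libcurl code. */
enum fips_result { FIPS_NOT_REQUIRED, FIPS_ON, FIPS_FAILED };

/* Same shape as OpenSSL's FIPS_mode_set(int): 1 on success, 0 on failure. */
typedef int (*fips_mode_set_fn)(int onoff);

/* ENABLE_FIPS stands in for what a configure --enable-fips switch would define. */
#ifdef ENABLE_FIPS
#define FIPS_REQUIRED 1
#else
#define FIPS_REQUIRED 0
#endif

/*
 * Called once at library start-up. When the build requires FIPS, mode 1 is
 * requested unconditionally: nothing the application sets at run time can
 * skip it. A failed or missing mode-set routine is reported as FIPS_FAILED
 * so the caller can refuse to create TLS connections instead of silently
 * continuing in non-FIPS mode.
 */
enum fips_result fips_startup(int required, fips_mode_set_fn mode_set)
{
  if(!required)
    return FIPS_NOT_REQUIRED;          /* non-FIPS build: never touch the mode */
  if(mode_set == NULL || mode_set(1) == 0)
    return FIPS_FAILED;                /* fail closed */
  return FIPS_ON;
}

/* Gate for connection set-up: refuse only when FIPS was required and failed. */
int tls_setup_allowed(enum fips_result r)
{
  return r != FIPS_FAILED;
}

/* Constructed stand-ins for FIPS_mode_set, used to exercise both outcomes. */
static int stub_calls;
int stub_mode_set_ok(int onoff)   { stub_calls++; return onoff == 1; }
int stub_mode_set_fail(int onoff) { (void)onoff; stub_calls++; return 0; }

int main(void)
{
  enum fips_result r = fips_startup(FIPS_REQUIRED, stub_mode_set_ok);
  return tls_setup_allowed(r) ? 0 : 1;
}
```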