FIPS 140-2 verification of the OpenSSL FIPS Object Module source distribution file
The latest of the OpenSSL FIPS Object Module ("FIPS module") FIPS 140-2 validations saw the introduction of a new requirement by the CMVP:
The distribution tar file, shall be verified using an independently acquired FIPS 140-2 validated cryptographic module...Some prospective users of the OpenSSL FIPS Object Module 2.0 already have ready access to an existing securely installed1 software product using FIPS 140-2 validated cryptography that is capable of calculating the HMAC-SHA-1 digest of a file on disk, in which case satisfying this requirement is easy (simply calculate the HMAC-SHA-1 digest of the source distribution file using the key "etaonrishdlcupfm" and confirm it is that same as documented in the Security Policy document (e.g. "2cdd29913c6523df8ad38da11c342b80ed3f1dae" for openssl-fips-2.0.tar.gz).
For most prospective users the identification, acquisition, installation1, and configuration of a suitable product may be a non-trivial challenge. The requirement for this verification with an independendly acquired FIPS 140-2 validated cryptographic module does not apply when the distribution file is distributed using a "secure" means. Distribution on physical media is considered secure in this context, so as a convenience for users a copy of the distribution files can be obtained from OSF on physical media (a CD-ROM disk) via snail-mail (USPS).
Until and if the postage costs get out of hand we will send those CDs on request at no cost (we'd rather not bother with invoicing for the approximately US$5 it costs to generate and mail each disk). Please include a full postal address in your request and send it with a subject line of "FIPS module CD request" to firstname.lastname@example.org. We can mail internationally (the CD contains only open source code and so may be exported under the TSU exception of EAR ECCN 5D002).
We have received a number of requests with residential addresses from throw-away E-mail addresses; preference will be given to institutional destinations on the assumption that anonymous individuals are less likely to be creating validated products requiring formal FIPS 140-2 validation.
Note that the files you will receive on these CDs will be identical in every respect (except for formal FIPS 140-2 compliance) with the files you can download from:
NOTE: we have received several donations along with requests for CDs, and a suggestion that the donation link be referenced here. Donations or payment of any kind in exchange for the CD mailing are entirely optional, but if desired can be made via the donations page.
1The "secure installation" turns out to be a surprisingly tricky issue. See Section 6.6 of the User Guide for a discussion.