FIPS 140-2 verification of the OpenSSL FIPS Object Module source distribution file

The latest of the OpenSSL FIPS Object Module ("FIPS module") FIPS 140-2 validations saw the introduction of a new requirement by the CMVP:

The distribution tar file, shall be verified using an independently acquired FIPS 140-2 validated cryptographic module...
Some prospective users of the OpenSSL FIPS Object Module 2.0 already have ready access to an existing, securely installed software product using FIPS 140-2 validated cryptography that is capable of calculating the HMAC-SHA-1 digest of a file on disk. In that case satisfying this requirement is easy: simply calculate the HMAC-SHA-1 digest of the source distribution file using the key "etaonrishdlcupfm" and confirm that it is the same as the value documented in the Security Policy document (e.g., "2cdd29913c6523df8ad38da11c342b80ed3f1dae" for openssl-fips-2.0.tar.gz).
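The check described above, written out as an added example (not part of the original page or of the OpenSSL project): it streams the tarball through HMAC-SHA-1 with the page's key and compares the result against the documented digest in constant time. The file name, the 1 MiB chunk size and the command-line handling are assumptions of this example; the key and the openssl-fips-2.0.tar.gz digest are the values quoted on the page.

```python
import hashlib
import hmac
import sys
from typing import Iterable

# Key the page (and the module's Security Policy) specifies for the HMAC-SHA-1
# over the source distribution file.
FIPS_DISTRIBUTION_KEY = b"etaonrishdlcupfm"

# Digest documented for openssl-fips-2.0.tar.gz, as quoted on the page.
EXPECTED_DIGESTS = {
    "openssl-fips-2.0.tar.gz": "2cdd29913c6523df8ad38da11c342b80ed3f1dae",
}

def hmac_sha1_hex(chunks: Iterable[bytes], key: bytes = FIPS_DISTRIBUTION_KEY) -> str:
    """HMAC-SHA-1 over a sequence of byte chunks, as lowercase hex (40 chars)."""
    mac = hmac.new(key, digestmod=hashlib.sha1)
    for chunk in chunks:
        mac.update(chunk)
    return mac.hexdigest()

def digest_matches(chunks: Iterable[bytes], expected_hex: str,
                   key: bytes = FIPS_DISTRIBUTION_KEY) -> bool:
    """True when the computed HMAC equals the documented value; constant-time compare,
    case-insensitive so a digest copied from the Security Policy still matches."""
    actual = hmac_sha1_hex(chunks, key)
    return hmac.compare_digest(actual, expected_hex.strip().lower())

def read_chunks(path: str, size: int = 1 << 20) -> Iterable[bytes]:
    """Yield a file in 1 MiB pieces so a large tarball is never held in memory whole."""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(size)
            if not block:
                return
            yield block

def verify_file(path: str, expected_hex: str) -> bool:
    """Verify a distribution file on disk against its documented HMAC-SHA-1."""
    return digest_matches(read_chunks(path), expected_hex)

if __name__ == "__main__":
    # usage: python verify_fips_dist.py openssl-fips-2.0.tar.gz [expected-hex]
    name = sys.argv[1].rsplit("/", 1)[-1]
    expected = sys.argv[2] if len(sys.argv) > 2 else EXPECTED_DIGESTS[name]
    ok = verify_file(sys.argv[1], expected)
    print("OK" if ok else "MISMATCH", hmac_sha1_hex(read_chunks(sys.argv[1])))
    sys.exit(0 if ok else 1)
```

Python's hashlib is not itself a FIPS 140-2 validated module, so this script shows the computation; to meet the CMVP requirement the same HMAC has to be produced by the independently acquired validated product.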

For most prospective users the identification, acquisition, installation, and configuration of a suitable product may be a challenge (see Section 6.6 of our FIPS User Guide). The requirement for this verification with an independently acquired FIPS 140-2 validated cryptographic module does not apply when the distribution file is distributed using a "secure" means. Distribution on physical media is considered secure in this context, so as a convenience a copy of the distribution files can be obtained from OSS (OpenSSL Software Services) on CD-ROM disks via postal mail.

The fee for this is $100 (US dollars). Mail a check, your email contact, and your postal address to the address on the OpenSSL Software Services main page. If you prefer to do a wire transfer, email us at verifycd@openssl.com and we will send you our ABA and account information. We cannot do credit cards, purchase orders, or anything other than a check or US-based bank transfer. We can mail internationally (the CD contains only open source code and so may be exported under the TSU exception of EAR ECCN 5D002). It will take a week or two to process your order.

Note that the files you will receive on these CDs will be identical in every respect (except for formal FIPS 140-2 compliance) to the files you can download from http://www.openssl.org/source/. Once the distribution files have been received on this CD they can be redistributed internally within an organizational entity (corporation, institution, or agency) by normal means.