openssl / project

Tracking of project related issues

Raise question with the lab re CRNG Tests

mattcaswell opened this issue

@paulidale to write up a question to send to the lab with regards to the CRNG Tests issue (see openssl/openssl#24498)

The primary question is where should the SP 800-90B section 4 health tests be located:

  1. The original advice we received was: they need to be done inside the FIPS boundary before any entropy is fed into the DRBGs and this is what was done for our FIPS 140-2 validation.
  2. RedHat has had different advice from their lab: it should be performed on the output of the noise source. In our case, could this happen outside the boundary since we use an external entropy source (with associated caveat)?

With an external non-validated entropy source, which is correct or can either be used?
Is the answer the same for our FIPS 140-2 and FIPS 140-3 validations?

A secondary question is: are the health tests we implemented for our FIPS 140-2 sufficient for our FIPS 140-3 validation or do they need to be modified? SP 800-90B section 4.4 outlines two approved health tests, neither of which matches what was done in the FIPS 140-2 validation. However, section 4.5 allows developer defined alternatives -- would this cover the FIPS 140-2 tests?
Essentially, do we need to implement the 4.4 approved health tests for our FIPS 140-3 validation or not?

FTR. I'm not sure the advice Red Hat got looked exactly this way

Just reopening this, because although @paulidale has done the requested task, it's not clear to me if anything has been done with the result of this. Has anyone actually sent this question to the lab?

Question(s) were sent to lab.

The rough consensus seems to be that the health check should be done on the raw output of the noise source which is not inside our FIPS module boundary.

@paulidale can you please confirm that the above answers the questions and close this?