ruby / openssl

Provides SSL, TLS and general purpose cryptography.

Does Ruby's OpenSSL library have a FIPS certificate?

yweiy10 opened this issue · comments

Hi,

I found that in the codebase we have the ability to turn on fips_mode with a flag set. Do we have a certificate for that from NIST? Specifically, if my application depends on this library, sets fips_mode to true and uses it properly, am I FIPS-certified?

As far as I know, if you use OpenSSL 3.0.0 or 3.0.8, these are FIPS-certified. This repository is a Ruby OpenSSL library (openssl gem) using the C API provided by OpenSSL. So, my guess is that if you use this Ruby OpenSSL library on OpenSSL 3.0.0 or 3.0.8, these can be FIPS-certified.

https://www.openssl.org/source/

The following OpenSSL version(s) are FIPS validated:

But I think it's better to ask this in the OpenSSL discussions or on the OpenSSL mailing list "openssl-users".

Technically you can build the FIPS module in FIPS-certified OpenSSL 3.0.0 or 3.0.8, and then you can use the FIPS module with a newer version of OpenSSL. My guess is this case is still FIPS-certified. The installation document is here. My guess is the status of the Ruby OpenSSL library doesn't affect the FIPS-certified status. What matters is whether you use the FIPS module in OpenSSL 3.0.0 or 3.0.8.

Note that if you use enterprise Linux distributions, they may have FIPS certifications for the necessary components to make their entire OS FIPS-certified. You can ask their customer support about that.

This repository is a Ruby OpenSSL library (openssl gem) using the C API provided by OpenSSL.

Yes, this repository does not implement the cryptographic algorithms but only provides access to those in OpenSSL, so it's not subject to validation.