Does Ruby's OpenSSL library have a FIPS certificate?
yweiy10 opened this issue
Hi,
I found that in the codebase we have the ability to turn on fips_mode with a flag set. Do we have a certificate for that from NIST? Specifically, if my application depends on this library, sets fips_mode to true and uses it properly, am I FIPS-certified?
As far as I know, if you use OpenSSL 3.0.0 or 3.0.8, these are FIPS certified. This repository is a Ruby OpenSSL library (openssl gem) using the C API provided by OpenSSL. So, my guess is if you use this Ruby OpenSSL library on OpenSSL 3.0.0 or 3.0.8, these can be FIPS certified.
https://www.openssl.org/source/
The following OpenSSL version(s) are FIPS validated:
But I think it's better to ask it at OpenSSL discussions or the OpenSSL mailing list "openssl-users".
Technically you can build the FIPS module in FIPS-certificated OpenSSL 3.0.0 or 3.0.8, and then you can use the FIPS module with a newer version of OpenSSL. My guess is this case is still FIPS-certificated. The installation document is here. My guess is the status of the Ruby OpenSSL library doesn't affect the FIPS-certificated status. What matters is whether you use the FIPS module in OpenSSL 3.0.0 or 3.0.8.
Note that if you use enterprise Linux distributions, they may have FIPS-certifications for necessary components to make their entire OS FIPS-certificated. You can ask their customer support for that.
This repository is a Ruby OpenSSL library (openssl gem) using the C API provided by OpenSSL.
Yes, this repository does not implement the cryptographic algorithms but only provides access to those in OpenSSL, so it's not subject to validation.
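A runtime check for the points raised in this thread, added here as an example (not code from the thread or from the ruby/openssl project): it reports which OpenSSL release the gem is linked against, whether `fips_mode` is on, and whether a non-approved digest (MD5) is still usable. The helper names and the version list are assumptions for illustration; the list copies the two versions named in the comment above. The reported release is that of the linked library, not of the FIPS module, which per the thread may be built from a different release.

```ruby
require "openssl"

# Versions the thread names as FIPS validated (taken from the comment above,
# not re-checked against the NIST CMVP listing).
THREAD_NAMED_VERSIONS = %w[3.0.0 3.0.8].freeze

# Extract "x.y.z" from a string such as "OpenSSL 3.0.8 7 Feb 2023".
# Returns nil for other libraries (e.g. LibreSSL).
def openssl_release(version_string)
  version_string[/\AOpenSSL (\d+\.\d+\.\d+)/, 1]
end

# True when MD5, which is not FIPS-approved, can still be instantiated.
def md5_available?
  OpenSSL::Digest.new("MD5")
  true
rescue OpenSSL::OpenSSLError, RuntimeError
  false
end

# Summarise what the running process is actually using.
# version_string defaults to the library loaded at runtime.
def fips_report(version_string = OpenSSL::OPENSSL_LIBRARY_VERSION)
  release = openssl_release(version_string)
  fips_on = OpenSSL.respond_to?(:fips_mode) ? OpenSSL.fips_mode : false
  md5_ok  = md5_available?
  {
    library: version_string,
    release: release,
    thread_named_release: THREAD_NAMED_VERSIONS.include?(release),
    fips_mode: fips_on,
    md5_available: md5_ok,
    # Heuristic: FIPS mode reported on while MD5 still works is worth
    # investigating, since the flag may not be enforced by the provider.
    needs_review: fips_on && md5_ok
  }
end

fips_report.each { |key, value| puts "#{key}: #{value}" } if __FILE__ == $PROGRAM_NAME
```

A clean report says nothing about certification: as the comments above note, the gem is not subject to validation, and validation status comes from the OpenSSL FIPS module or the OS vendor.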