FIPS compliant openssl possible within the FreeBSD build systems?

Alexander Sack pisymbol at gmail.com
Tue Mar 1 01:06:57 UTC 2011


Hello:

I am a bit confused!  I am reading the FIPS user guide and the
following document:

http://www.openssl.org/docs/fips/fipsnotes.html

I quote

"If even the tiniest source code or build process changes are required
for your intended application, you cannot use the open source based
validated module directly. You must obtain your own validation. This
situation is common; see "Private Label" validation, below. "

Also, the openssl distribution has to match the right PGP keys.

So to those who are more of Openssl/FIPS experts than I, I have some
basic questions:

1)  I assume it is impossible to make a FIPS capable openssl
distribution straight out of the FreeBSD source tree without "Private
Validation" as defined in the document above? (i.e. you can certainly
build it this way but you are violating the guidelines for FIPS
Compliance or do the maintainers out of src/crypto/openssl ENSURE that
the distro in that tree is equivalent to the openssl distro, even for
PGP key checks?)

2)  Can you make a FIPS capable openssl port?

i.e. use the stock distro, write some script to validate keys, create
a separate FIPS port or part of the openssl port, etc. Case in point,
RHEL I believe has a FIPS compliant RPM which does this in its spec
file.

3)  Does anyone know if common openssl consumers break with FIPS mode
set?  :-)  (i.e. the Apache/mod_ssl's of the world)

My organization is investigating what it will take to make a fully
FIPS compliant system (capable first, but in a compliant way).  I have
been assigned this most fantastic assignment.

Any advice (other than run), would be appreciated!

Thanks!

-aps

