I noticed, in trying to build OpenSSL 1.0.0l, that Configure doesn't accept the fips and --with-fipsdir= arguments. But OpenSSL 1.0.1f and OpenSSL 0.9.8y accept the same.

Does that mean that OpenSSL 1.0.0l won't support FIPS mode? Is the branch OpenSSL 1.0.0 still under FIPS validation?


Solution

Does that mean that OpenSSL 1.0.0l won't support FIPS mode? Is the branch OpenSSL 1.0.0 still under FIPS validation?

I don't believe 1.0.0 was ever validated. Or if it was, it was a private label validation.

From the OpenSSL FIPS User Guide 1.2 (page 9 of 79):

The FIPS Object Module provides an API for invocation of FIPS approved cryptographic functions from calling applications, and is designed for use in conjunction with standard OpenSSL 0.9.8 distributions beginning with 0.9.8j. Note: OpenSSL 1.0.0 is not supported for use with the OpenSSL FIPS Object Module. These standard OpenSSL 0.9.8 source distributions support the original non-FIPS API as well as a FIPS mode in which the FIPS approved algorithms are implemented by the FIPS Object Module and non-FIPS approved algorithms other than DH are disabled by default. These non-validated algorithms include, but are not limited to, Blowfish, CAST, IDEA, RC-family, and non-SHA message digest and other algorithms.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow