Hacker News
by pgeorgi 4441 days ago
So any change to OpenSSL FIPS has to happen as compiler patches?
1 comments

No, changing the source means you're not using FIPS-compliant source so you're breaking your terms.

This is why you might have to use old versions of OpenSSL for FIPS compliance - not all versions might be certified.

I think the GP is talking about a trusting trust attack on OpenSSL: Change the compiler to compile OpenSSL differently, rather than change the source itself.