[openssl-users] What version of OpenSSL source can be built with FIPS modules?

Steve Marquess marquess at openssl.com
Tue Jan 19 19:17:14 UTC 2016


On 01/19/2016 01:54 PM, security veteran wrote:
> Hi All:
> 
> What version of OpenSSL source can be built with FIPS modules?

Stock OpenSSL 0.9.8 is compatible with the 1.2 module only
(openssl-fips-1.2.N.tar.gz). Note the 1.2 module will die at the end of
this month.

Stock OpenSSL 1.0.N is compatible with the 2.0 module only
(openssl-fips-2.0.N.tar.gz).

OpenSSL 1.1 is not compatible with any FIPS module.

> We are using Ubuntu, and we noticed that Ubuntu 12.04 and 14.04
> packaged their openssl .deb from different versions of the openssl source.
> 
> e.g. Ubuntu 12.04 uses openssl_1.0.1
> <http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_1.0.1.orig.tar.gz> and
> Ubuntu 14.04 uses openssl_1.0.1f
> <https://launchpad.net/ubuntu/+archive/primary/+files/openssl_1.0.1f.orig.tar.gz>
> 
> Can the OpenSSL FIPS modules be built with both of these two different
> versions of OpenSSL?

Keep in mind that the OpenSSL bundled with Ubuntu isn't stock OpenSSL,
and isn't built as a "FIPS capable" OpenSSL. I don't know how feasible
it will be to rebuild those Ubuntu sources with the "fips" option to
make a "FIPS capable" OpenSSL, as I haven't looked at the Ubuntu
modifications. Try it and see.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

