[openssl-users] What version of OpenSSL source can be built with FIPS modules?

security veteran security.veteran at gmail.com
Tue Jan 19 19:30:37 UTC 2016


Thanks Steve.

I believe the OpenSSL bundled with Ubuntu basically just added some Ubuntu
packaging stuff such as the package installation scripts, the dependency
information, etc. The main source code should be pretty much the same and
all the patches should still come from the OpenSSL community.

Another option I was thinking of was to build the FIPS modules with the
openssl source in the Ubuntu package, and then just replace the original
Ubuntu libcrypto.so file with the libcrypto.so which is integrated with the
FIPS modules. Ideally this should work, or do you see any possible issues
with doing it this way?

Thanks.

On Tue, Jan 19, 2016 at 11:17 AM, Steve Marquess <marquess at openssl.com>
wrote:

> On 01/19/2016 01:54 PM, security veteran wrote:
> > Hi All:
> >
> > What version of OpenSSL source can be built with FIPS modules?
>
> Stock OpenSSL 0.9.8 is compatible with the 1.2 module only
> (openssl-fips-1.2.N.tar.gz). Note the 1.2 module will die at the end of
> this month.
>
> Stock OpenSSL 1.0.N is compatible with the 2.0 module only
> (openssl-fips-2.0.N.tar.gz).
>
> OpenSSL 1.1 is not compatible with any FIPS module.
>
> > We are using Ubuntu, and we noticed that the Ubuntu 12.04 and 14.04
> > packaged their openssl .deb from different versions of openssl source.
> >
> > e.g. Ubuntu 12.04 uses openssl_1.0.1
> > <http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_1.0.1.orig.tar.gz>
> > and Ubuntu 14.04 uses openssl_1.0.1f
> > <https://launchpad.net/ubuntu/+archive/primary/+files/openssl_1.0.1f.orig.tar.gz>
> >
> > Can the OpenSSL FIPS modules be built with both of these two different
> > versions of OpenSSL?
>
> Keep in mind that the OpenSSL bundled with Ubuntu isn't stock OpenSSL,
> and isn't built as a "FIPS capable" OpenSSL. I don't know how feasible
> it will be to rebuild those Ubuntu sources with the "fips" option to
> make a "FIPS capable" OpenSSL, as I haven't looked at the Ubuntu
> modifications. Try it and see.
>
> -Steve M.
>
> --
> Steve Marquess
> OpenSSL Software Foundation
> 1829 Mount Ephraim Road
> Adamstown, MD  21710
> USA
> +1 877 673 6775 s/b
> +1 301 874 2571 direct
> marquess at openssl.com
> gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc