Will my application be FIPS 140-2 Certified under following conditions?

Salz, Rich rsalz at akamai.com
Mon Jul 8 12:29:47 UTC 2019


    > It seems to me that the easiest thing to do is maintain that release of OpenSSL by themselves.
    
> Which would be another variation of such unofficial work.

You could look at things like that.  I consider it to be more like "your free FIPS ride is done, time to pay up".

> That policy page is half the problem, the other half being the decision
> not to make a FIPS module for the current 1.1.x series.

There are many problems with the current FOM.  One notable example is that you cannot have a single executable that handles both FIPS and non-FIPS TLS connections at the same time.  Another is the way the whole integrity check is done. I could go on and on, but won't.  The project spent a long time discussing and considering alternatives and decided a new start was the best way to move forwards. It was a carefully-considered decision.  The fact that it "left a coverage gap" in FIPS/1.0.2 was also discussed.

It's too bad not everyone is pleased. Probably those who didn't plan well, and/or who just got "FIPS for free" and expected that to last forever seem to be among those particularly unhappy. Speaking for myself, AND NOT THE PROJECT, too bad.



