OpenSSL 3.0

Walter Paley walt at safelogic.com
Thu Feb 27 21:51:33 UTC 2020


To clarify an important distinction - SafeLogic Extended Support for 1.0.2 architecture will not keep the OpenSSL FOM validated past 9/1/2020. SafeLogic does offer a compatible drop-in replacement module that is validated, will remain validated past the 186-2 deprecation on 9/1/2020, and is available with RapidCert, an accelerated validation in your company’s name, but that is a separate offering.

- Walt



Walter Paley
Walt at SafeLogic.com

> On Feb 27, 2020, at 12:59 PM, openssl-users-request at openssl.org wrote:
> 
> Today's Topics:
> 
>   1. Re: OpenSSL 3.0 (Salz, Rich)
>   2. Re: OpenSSL 3.0 (Neptune)
>   3. Re: OpenSSL 3.0 (Salz, Rich)
>   4. Re: OpenSSL 3.0 (Jason Schultz)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Thu, 27 Feb 2020 20:49:33 +0000
> From: "Salz, Rich" <rsalz at akamai.com>
> To: Jason Schultz <jetson23 at hotmail.com>, "openssl-users at openssl.org"
>    <openssl-users at openssl.org>
> Subject: Re: OpenSSL 3.0
> Message-ID: <1E825139-40C4-4888-AB96-32FC423F0B9C at akamai.com>
> Content-Type: text/plain; charset="utf-8"
> 
>  *   The OpenSSL FIPS Object Module will be moved to the CMVP historical list as of 9/1/2020. Since there is no OpenSSL 3.0 until Q4 2020, and a FIPS Module will be after that sometime, where does this leave 1.0.2 users who need a FIPS validated object module past that date?
> 
> Without their free lunch?
> 
> ------------------------------
> 
> Message: 2
> Date: Thu, 27 Feb 2020 13:56:10 -0700 (MST)
> From: Neptune <pdrotter at us.ibm.com>
> To: openssl-users at openssl.org
> Subject: Re: OpenSSL 3.0
> Message-ID: <1582836970178-0.post at n7.nabble.com>
> Content-Type: text/plain; charset=us-ascii
> 
> You essentially have three choices:
> 1. Stay on the 1.0.2 branch to continue FIPS compliance, but go the entire
> year without support or security patches.
> 2. Pay OpenSSL for a premium support contract ($50,000 per year) to continue
> to receive patches on 1.0.2 for the remainder of the year.
> 3. Pay SafeLogic for support contract to receive 1.0.2 security patches
> through the year. Cost is roughly half what OpenSSL is asking, but you may
> be able to negotiate.
> 
> These are the only options of which I am aware.
> 
> 
> 
> 
> --
> Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Thu, 27 Feb 2020 20:58:10 +0000
> From: "Salz, Rich" <rsalz at akamai.com>
> To: Jason Schultz <jetson23 at hotmail.com>, "openssl-users at openssl.org"
>    <openssl-users at openssl.org>
> Subject: Re: OpenSSL 3.0
> Message-ID: <3CFEF9FC-D5E7-46D4-8D61-C485BF81E120 at akamai.com>
> Content-Type: text/plain; charset="utf-8"
> 
>  *   That's fair. So the only option is to use another module? Extended 1.0.2 support does not resolve this either, correct?
> 
> I do not think that is the only option.  For example, you might be able to use 3.0 and say it's "in evaluation." There might be other options, that was all I could think of while composing this email.
> 
> HOWEVER, note that the set of validated platforms for 3.0 is very different from the current FOM.  Someone officially with the project will have to provide details on that, not me.
> 
> ------------------------------
> 
> Message: 4
> Date: Thu, 27 Feb 2020 20:58:36 +0000
> From: Jason Schultz <jetson23 at hotmail.com>
> To: "openssl-users at openssl.org" <openssl-users at openssl.org>
> Subject: Re: OpenSSL 3.0
> Message-ID:
>    <CH2PR10MB42144FE2FCDE9AC37E050DDDC7EB0 at CH2PR10MB4214.namprd10.prod.outlook.com>
>    
> Content-Type: text/plain; charset="iso-8859-1"
> 
> For option 2, we have a support contract in place. But does this actually help us as far as the FIPS Object Module?
> 
> 
> 
> ------------------------------
> 

