OpenSSL 3.0
Matt Caswell
matt at openssl.org
Fri Feb 28 03:09:56 UTC 2020
On 27/02/2020 20:37, Jason Schultz wrote:
> Thanks for all of the responses. This question has led to other related
> topics, so I have another one. According to this blog:
>
> https://keypair.us/2019/12/rip-fips-186-2/
>
> The OpenSSL FIPS Object Module will be moved to the CMVP historical list
> as of 9/1/2020. Since there is no OpenSSL 3.0 until Q4 2020, and a FIPS
> Module will be after that sometime, where does this leave 1.0.2 users
> who need a FIPS validated object module past that date?

Going to the historic list will not impact existing deployments at all.
If you already have the old module deployed you can continue to use it,
even if it is on the historic list as I understand it.

You will not be able to make *new* deployments if it goes historic.

The problem is with FIPS 186-2 RSA Key gen. Modules now need to be FIPS
186-4 compliant. But the OpenSSL FIPS Object Module 2.0 is not 186-4 and
will not be updated to be so. One option is to update the validation to
remove RSA as an approved algorithm (this can be done as a purely
paperwork exercise). But doing that has implications for existing
deployments. The OMC discussed this some months ago but decided not to
take any action at that time. I'm sure it will be discussed again next
time we have a f2f.

Matt

>
>
>
> ------------------------------------------------------------------------
> *From:* openssl-users <openssl-users-bounces at openssl.org> on behalf of
> Salz, Rich via openssl-users <openssl-users at openssl.org>
> *Sent:* Thursday, February 27, 2020 1:31 PM
> *To:* Matt Caswell <matt at openssl.org>; openssl-users at openssl.org
> <openssl-users at openssl.org>
> *Subject:* Re: OpenSSL 3.0
>
>
>> It would probably be a good idea for us to pull together a "Getting
> Started" guide on the Wiki with some basic information on how to get
> things going, with some links to the various man pages etc where more
> detailed information is required.
>
> This needs to be real user documentation as part of the FIPS
> deliverable, right?
>