Need help - upgrading openssl version from 3.0.12 to 3.2.x version
Wall, Stephen
stephen.wall at redcom.com
Mon Feb 26 21:59:36 UTC 2024
> But in the OpenSSL org docs it is mentioned from 3.0.x onwards FIPS is integrated within the OpenSSL code and no need to build it separately.
This means that the FIPS provider is included in the openssl-3.x.y.tar.gz and is no longer a separate download, and can be compiled at the same time as the rest of OpenSSL by using the `enable-fips` parameter when configuring. It is still a separate binary library module, installed in the same directory as other providers (legacy.so and gost.so, for example).
OpenSSL states on their web page (https://www.openssl.org/source/):
> Please follow the Security Policy instructions to download, build and install a validated OpenSSL FIPS provider. Other OpenSSL Releases MAY use the validated FIPS provider, but MUST NOT build and use their own FIPS provider. For example you can build OpenSSL 3.2 and use the OpenSSL 3.0.8 FIPS provider with it.
This means: download and build, using the instructions in the Security Policy, either 3.0.8 or 3.0.9 for the `fips.so` provider, and download and build whatever version you wish for the openssl command and libraries (libcrypto and libssl).
HOWEVER: There have been reports of problems using a 3.0.x FIPS provider with 3.2.x builds of OpenSSL, so I personally do not want to attempt that. I will continue to use 3.0.x OpenSSL with a 3.0.9 FIPS provider until the 140-3 provider is certified, then I will likely switch to the most current 3.1.x using the 3.1.2 provider.
It is important to remember that if you want to be FIPS certified, your `fips.so` provider *must* be from 3.0.8 or 3.0.9 *only*. No other versions are certified through OpenSSL at this point. There are commercial sources of FIPS 140-2 certified providers available with varying levels of compatibility. I only have experience with one of them, and can't make any recommendations.
-spw
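The two-build workflow described in the post, written out as an added example script; it is not code from the original post or from the OpenSSL project. It assumes an install prefix of `/opt/openssl`, a modules directory of `lib64/ossl-modules` under it (some platforms use `lib`), 3.0.9 as the validated provider source and 3.2.1 as the release used for the libraries; all four are overridable through environment variables. The config it writes follows the shape shown in fips_module(7), and the `openssl list -providers -verbose` text used by the offline version check is constructed sample output.

```shell
#!/bin/sh
# Added example, not code from the original post or from the OpenSSL project.
# Two-build workflow: the validated 3.0.x source tree supplies fips.so and
# fipsmodule.cnf; a newer source tree supplies openssl, libcrypto and libssl.
set -eu

FIPS_SRC_VERSION="${FIPS_SRC_VERSION:-3.0.9}"   # validated provider source: 3.0.8 or 3.0.9 only
MAIN_SRC_VERSION="${MAIN_SRC_VERSION:-3.2.1}"   # assumption: the release you want for the libraries
PREFIX="${PREFIX:-/opt/openssl}"                # assumption: install prefix
MODULESDIR="${MODULESDIR:-$PREFIX/lib64/ossl-modules}"  # assumption: 'lib' instead of 'lib64' on some platforms

# Step 1: from the validated source tree, build and install ONLY the FIPS provider.
# Follow the exact steps in that version's Security Policy; the install_fips target
# installs fips.so into MODULESDIR and runs fipsinstall to write fipsmodule.cnf.
build_fips_provider() {
    (cd "openssl-$FIPS_SRC_VERSION" \
        && ./Configure enable-fips --prefix="$PREFIX" --openssldir="$PREFIX/ssl" \
        && make \
        && make install_fips)
}

# Step 2: build the newer release without enable-fips, so it never produces its
# own fips.so and the one from step 1 stays the only FIPS provider in MODULESDIR.
build_main_openssl() {
    (cd "openssl-$MAIN_SRC_VERSION" \
        && ./Configure --prefix="$PREFIX" --openssldir="$PREFIX/ssl" \
        && make \
        && make install_sw)
}

# Step 3: a minimal config that activates the fips and base providers
# (same shape as the example in fips_module(7)). Written to the path in $1.
write_fips_config() {
    cat > "$1" <<EOF
config_diagnostics = 1
openssl_conf = openssl_init
.include $PREFIX/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
base = base_sect
[base_sect]
activate = 1
EOF
}

# Offline check over the text of `openssl list -providers -verbose` (stdin):
# succeed only if the provider with id "fips" reports version 3.0.8 or 3.0.9.
fips_version_ok() {
    awk '
        /^  fips$/              { infips = 1; next }
        /^  [A-Za-z]/           { infips = 0 }
        infips && /version:/    { ver = $2; exit }
        END { exit !(ver == "3.0.8" || ver == "3.0.9") }
    '
}

# Step 4: verify the installed combination: library version, module integrity
# check against fipsmodule.cnf, and the version the loaded fips.so reports.
verify_install() {
    cfg=$(mktemp)
    write_fips_config "$cfg"
    "$PREFIX/bin/openssl" version
    "$PREFIX/bin/openssl" fipsinstall -verify -module "$MODULESDIR/fips.so" -in "$PREFIX/ssl/fipsmodule.cnf"
    OPENSSL_CONF="$cfg" "$PREFIX/bin/openssl" list -providers -verbose | fips_version_ok
    rm -f "$cfg"
}

# Constructed sample of `list -providers -verbose` output for the offline check:
# 3.2.x libraries with the 3.0.9 provider loaded.
SAMPLE_GOOD='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.2.1
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active'

case "${1:-}" in
    build) build_fips_provider; build_main_openssl; verify_install ;;
    check) printf '%s\n' "$SAMPLE_GOOD" | fips_version_ok && echo "sample: certified provider version" ;;
    *) : ;;   # no argument: only define the functions (so the file can be sourced)
esac
```

Run it with `build` on a host that has both unpacked source trees in the current directory, or with `check` to exercise the version check against the constructed sample. The order of the two builds matters: step 1 installs fips.so and fipsmodule.cnf, and step 2 is configured without `enable-fips` so it cannot overwrite them with a module that has no validation behind it.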
More information about the openssl-users mailing list