Need help - upgrading openssl version from 3.0.12 to 3.2.x version
Wall, Stephen
stephen.wall at redcom.com
Mon Feb 26 22:03:51 UTC 2024
Let me make that message a little cleaner...
---- Original Message ----
> But in the OpenSSL org docs it is mentioned from 3.0.x onwards FIPS is
> integrated within the OpenSSL code and no need to build it separately.
This means that the FIPS provider is included in the openssl-3.x.y.tar.gz and is
no longer a separate download, and can be compiled at the same time as the
rest of OpenSSL by using the `enable-fips` parameter when configuring. It is
still a separate binary library module, installed in the same directory as other
providers (legacy.so and gost.so, for example).
OpenSSL states on their web page (https://www.openssl.org/source/):
> Please follow the Security Policy instructions to download, build and install a
> validated OpenSSL FIPS provider. Other OpenSSL Releases MAY use the
> validated FIPS provider, but MUST NOT build and use their own FIPS provider.
> For example you can build OpenSSL 3.2 and use the OpenSSL 3.0.8 FIPS
> provider with it.
This means, download and build using the instructions in the Security Policy
either 3.0.8 or 3.0.9 for the `fips.so` provider, and download and build
whatever version you wish for the openssl command and libraries (libcrypto
and libssl).
HOWEVER: There have been reports of problems using a 3.0.x FIPS provider
with 3.2.x builds of OpenSSL, so I personally do not want to attempt that. I
will continue to use 3.0.x OpenSSL with a 3.0.9 FIPS provider until the 140-3
provider is certified, then I will likely switch to the most current 3.1.x using the
3.1.2 provider.
It is important to remember that if you want to be FIPS certified, your `fips.so`
provider *must* be from 3.0.8 or 3.0.9 *only*. No other versions are certified
through OpenSSL at this point. There are commercial sources of FIPS 140-2
certified providers available with varying levels of compatibility. I only have
experience with one of them, and can't make any recommendations.
-spw
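The two-tree build the message describes (a validated 3.0.8/3.0.9 tree supplying only `fips.so`, a separate tree supplying the `openssl` command, libcrypto and libssl), followed by a check that the provider actually loaded is one of the certified versions, as an added shell example that is not part of the original post. It assumes a POSIX shell, the standard OpenSSL 3.x `Configure` options and `make` targets (`enable-fips`, `install_fips`, `install_sw`), and that the tarballs have already been downloaded and verified as the Security Policy requires; the provider listing it parses is a constructed sample in the format printed by `openssl list -providers`.

```shell
#!/bin/sh
# Added example, not code from the original post or from the OpenSSL project.
# Assumes: POSIX sh, OpenSSL 3.x source trees already downloaded and verified.

# The only FIPS provider versions the post says are certified through OpenSSL.
CERTIFIED_FIPS_VERSIONS="3.0.8 3.0.9"

# Build and install only the FIPS provider (fips.so + fipsmodule.cnf) from a
# validated source tree. Run inside the unpacked openssl-3.0.9 directory.
# 'make install_fips' runs the module self-test and writes fipsmodule.cnf;
# nothing else from this tree (libcrypto, libssl, the CLI) is installed.
build_fips_provider() {
    ./Configure enable-fips && make && make install_fips
}

# Build the OpenSSL you actually link against, from a different source tree,
# without building its own (uncertified) FIPS provider. fips.so from the step
# above must end up in this build's MODULESDIR (see 'openssl version -m').
build_main_openssl() {
    ./Configure && make && make install_sw install_ssldirs
}

# Extract the version reported for one provider from 'openssl list -providers'
# output. $1 = listing text, $2 = provider name (e.g. fips).
provider_version() {
    printf '%s\n' "$1" | awk -v want="$2" '
        # A line with a single field is a provider name; start tracking ours.
        $1 == want && NF == 1 { inside = 1; next }
        inside && $1 == "version:" { print $2; exit }
        # Next single-field line means a different provider: stop tracking.
        inside && NF == 1 { inside = 0 }
    '
}

# Return 0 if the fips provider in the listing ($1) is a certified version,
# 1 if it is missing or any other version (e.g. one built from 3.2.x).
fips_version_ok() {
    ver=$(provider_version "$1" fips)
    for ok in $CERTIFIED_FIPS_VERSIONS; do
        [ "$ver" = "$ok" ] && return 0
    done
    return 1
}

# Check the running installation (only useful where openssl.cnf activates fips).
check_live_openssl() {
    fips_version_ok "$(openssl list -providers)"
}

# Constructed sample listing: a 3.2.x base provider with a 3.0.9 fips provider.
SAMPLE_LISTING='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.2.1
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active'

if fips_version_ok "$SAMPLE_LISTING"; then
    echo "fips provider $(provider_version "$SAMPLE_LISTING" fips): certified version"
else
    echo "fips provider is not a certified version" >&2
fi
```

On a real system the check is `check_live_openssl`, run after the fips provider has been activated in `openssl.cnf`; a mismatch there is the symptom to look for when a 3.2.x build quietly picks up a fips.so it built itself instead of the validated one.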