Need help - upgrading openssl version from 3.0.12 to 3.2.x version

Tomas Mraz tomas at openssl.org
Mon Feb 26 22:24:28 UTC 2024


Please note that we actually test running the 3.0.8 and 3.0.9 validated
versions of the FIPS provider with the 3.2 OpenSSL in the CI and it
works. We are not aware of any problems with running the validated
versions of the FIPS provider with the current OpenSSL versions.

Regards,

Tomas Mraz, OpenSSL

On Mon, 2024-02-26 at 21:59 +0000, Wall, Stephen wrote:
> > But in the OpenSSL org docs it is mentioned from 3.0.x onwards FIPS
> > is integrated within the OpenSSL code and no need to build it
> > separately.
> This means that the FIPS provider is included in the openssl-
> 3.x.y.tar.gz and is no longer a separate download, and can be
> compiled at the same time as the rest of OpenSSL by using the
> `enabled-fips` parameter when configuring.  It is still a separate
> binary library module, installed in the same directory as other
> providers (legacy.so and gost.so, for example).
> 
> OpenSSL states on their web page (https://www.openssl.org/source/):
> > Please follow the Security Policy instructions to download, build
> > and install a validated OpenSSL FIPS provider. Other OpenSSL
> > Releases MAY use the validated FIPS provider, but MUST NOT build
> > and use their own FIPS provider. For example you can build OpenSSL
> > 3.2 and use the OpenSSL 3.0.8 FIPS provider with it.
> This means, download and build using the instructions in the Security
> Policy either 3.0.8 or 3.0.9 for the `fips.so` provider, and download
> and build whatever version you wish for the openssl command and
> libraries (libcrypto and libssl).
> 
> HOWEVER:  There have been reports of problems using a 3.0.x FIPS
> provider with 3.2.x builds of OpenSSL, so I personally do not want to
> attempt that.  I will continue to use 3.0.x OpenSSL with a 3.0.9 FIPS
> provider until the 140-3 provider is certified, then I will likely
> switch to the most current 3.1.x using the 3.1.2 provider.
> 
> It is important to remember that if you want to be FIPS certified,
> your `fips.so` provider *must* be from 3.0.8 or 3.0.9 *only*.  No
> other versions are certified through OpenSSL at this point.  There
> are commercial sources of FIPS 140-2 certified providers available
> with varying levels of compatibility.  I only have experience with
> one of them, and can't make any recommendations.
> 
> -spw
> 

-- 
Tomáš Mráz, OpenSSL
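As an added example that is not part of this thread: a small POSIX shell check that parses `openssl list -providers` output and confirms that the fips provider actually loaded is one of the validated 3.0.8 / 3.0.9 builds, whatever version libcrypto itself reports. Both listings below are constructed samples in the format `openssl list -providers` prints; the second shows the mistake the security policy warns about (a 3.2 OpenSSL loading its own 3.2 fips.so).

```shell
#!/bin/sh
# Added example, not code from the thread. Verifies that the FIPS provider
# a given OpenSSL installation loads is a validated 3.0.8/3.0.9 build.

# Constructed sample: 3.2 libcrypto with the 3.0.9 fips.so loaded (OK).
GOOD_LISTING='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.2.1
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active'

# Constructed sample: 3.2 built with enable-fips and using its own fips.so
# (MUST NOT be used for a validated deployment).
BAD_LISTING='Providers:
  fips
    name: OpenSSL FIPS Provider
    version: 3.2.1
    status: active'

# fips_provider_field <listing> <field>: print the named field (version,
# status, name) of the "fips" provider block; prints nothing if absent.
fips_provider_field() {
    printf '%s\n' "$1" | awk -v want="$2:" '
        /^  [^ ]/ { in_fips = ($1 == "fips") }   # 2-space indent = provider name
        in_fips && $1 == want { print $2; exit } # 4-space indent = its fields
    '
}

# is_validated_fips_version <ver>: 0 only for the versions the thread
# names as validated through OpenSSL (3.0.8 and 3.0.9).
is_validated_fips_version() {
    case "$1" in
        3.0.8|3.0.9) return 0 ;;
        *)           return 1 ;;
    esac
}

# check_fips_listing <listing>: 0 if a validated fips provider is active.
check_fips_listing() {
    ver=$(fips_provider_field "$1" version)
    [ -n "$ver" ] || { echo "no fips provider loaded" >&2; return 1; }
    [ "$(fips_provider_field "$1" status)" = active ] \
        || { echo "fips provider $ver not active" >&2; return 1; }
    is_validated_fips_version "$ver" \
        || { echo "fips provider $ver is not a validated build" >&2; return 1; }
    echo "fips provider $ver OK"
}

# Live use on a real installation:
# check_fips_listing "$(openssl list -providers)"
```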
