Need help - upgrading openssl version from 3.0.12 to 3.2.x version

[Prasad, PCRaghavendra]

Thanks, Tomas,

So we can use OpenSSL 3.2.0 and enable fips during the build step and get the fips.so 

OR
 
we should take the OpenSSL 3.2.0 code and then take the FIPS provider from the OpenSSL 3.0.8 or 3.0.9 and build, then get the fips.so, fipsmodule.cnf and combine with OpenSSL 3.2.0

Thanks,
Raghu

-----Original Message-----
From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Tomas Mraz
Sent: Tuesday, February 27, 2024 9:05 AM
To: Wall, Stephen; openssl-users at openssl.org
Subject: Re: Need help - upgrading openssl version from 3.0.12 to 3.2.x version


[EXTERNAL EMAIL] 

On Mon, 2024-02-26 at 22:38 +0000, Wall, Stephen wrote:
> > Please note that we actually test running the 3.0.8 and 3.0.9 
> > validated versions of the FIPS provider with the 3.2 OpenSSL in the 
> > CI and it works. We are not aware of any problems with running the 
> > validated versions of the FIPS provider with the current OpenSSL 
> > versions.
> 
> OK, so 
> https://urldefense.com/v3/__https://github.com/openssl/openssl/issues/
> 23400__;!!LpKI!m4FTaZF0-kz3NQm8Y9WvC4n233dgbq01QmEc_C-2XrCWwWFFRtkaMjD
> i6t8tcws2hmT529ayVVlzqPunWH8qZw$ [github[.]com] doesn't actually prevent OpenSSL from working, it's just an issue with `openssl fipsinstall`.  I hadn't followed it closely enough, just briefly saw some some messages go past.

Yeah, that issue is not really preventing the 3.0.x FIPS provider working with subsequent OpenSSL releases. It's just a matter of a minor FIPS compliance issue. (Depending on different views it might matter for the FIPS compliance or not.)

> Good to know.  Will the same apply to the 140-3 module and OpenSSL 
> 3.2?

Yes, that is and always was the intention. The FIPS provider is built in a way that it can be used with any other version and the same applies to third party providers.

--
Tomáš Mráz, OpenSSL