Need help - upgrading openssl version from 3.0.12 to 3.2.x version
Tomas Mraz
tomas at openssl.org
Thu Feb 29 08:12:43 UTC 2024
You can find the detailed changes in the CHANGES.md file [1]
And the high level overview of the changes in the release notes [2]
[1] https://github.com/openssl/openssl/blob/openssl-3.2/CHANGES.md
[2] https://github.com/openssl/openssl/blob/openssl-3.2/NEWS.md
On Thu, 2024-02-29 at 06:45 +0000, Prasad, PCRaghavendra wrote:
> Thanks, Tomaz for the information this helps
>
> One more doubt is there any place where I can see the difference
> between older version to the newer version
>
> Ex: from 3.0.12 to 3.2.x specific updates
>
> Thanks,
>
> -----Original Message-----
> From: Tomas Mraz <tomas at openssl.org>
> Sent: Tuesday, February 27, 2024 1:14 PM
> To: Prasad, PCRaghavendra; Wall, Stephen; openssl-users at openssl.org
> Subject: Re: Need help - upgrading openssl version from 3.0.12 to
> 3.2.x version
>
>
> [EXTERNAL EMAIL]
>
> For FIPS compliance you definitely need to use the validated version
> of a FIPS provider. Please see the instructions here [1] on how to
> combine the latest release with a validated FIPS provider version.
>
> [1]
> https://urldefense.com/v3/__https://github.com/openssl/openssl/blob/master/README-FIPS.md__;!!LpKI!jLMp7kblHEfwy_-l1pml2BUrIGyDrS0buy7NkQJ9AnH48CNuu5pkshNIHT4nJ8wBN0wuiDin47HZyuaShgEZPQ$
> [github[.]com]
>
> Tomas Mraz, OpenSSL
>
> On Tue, 2024-02-27 at 05:55 +0000, Prasad, PCRaghavendra wrote:
> > Thanks, Tomas,
> >
> > So we can use OpenSSL 3.2.0 and enable fips during the build step
> > and
> > get the fips.so
> >
> > OR
> >
> > we should take the OpenSSL 3.2.0 code and then take the FIPS
> > provider
> > from the OpenSSL 3.0.8 or 3.0.9 and build, then get the fips.so,
> > fipsmodule.cnf and combine with OpenSSL 3.2.0
> >
> > Thanks,
> > Raghu
> >
> > -----Original Message-----
> > From: openssl-users <openssl-users-bounces at openssl.org> On Behalf
> > Of
> > Tomas Mraz
> > Sent: Tuesday, February 27, 2024 9:05 AM
> > To: Wall, Stephen; openssl-users at openssl.org
> > Subject: Re: Need help - upgrading openssl version from 3.0.12 to
> > 3.2.x version
> >
> >
> > [EXTERNAL EMAIL]
> >
> > On Mon, 2024-02-26 at 22:38 +0000, Wall, Stephen wrote:
> > > > Please note that we actually test running the 3.0.8 and 3.0.9
> > > > validated versions of the FIPS provider with the 3.2 OpenSSL in
> > > > the CI and it works. We are not aware of any problems with
> > > > running
> > > > the validated versions of the FIPS provider with the current
> > > > OpenSSL versions.
> > >
> > > OK, so
> > > https://urldefense.com/v3/__https://github.com/openssl/openssl/issues/
> > > 23400__;!!LpKI!m4FTaZF0-kz3NQm8Y9WvC4n233dgbq01QmEc_C-
> > > 2XrCWwWFFRtkaMjD
> > > i6t8tcws2hmT529ayVVlzqPunWH8qZw$ [github[.]com] doesn't actually
> > > prevent OpenSSL from working, it's just an issue with `openssl
> > > fipsinstall`. I hadn't followed it closely enough, just briefly
> > > saw some some messages go past.
> >
> > Yeah, that issue is not really preventing the 3.0.x FIPS provider
> > working with subsequent OpenSSL releases. It's just a matter of a
> > minor FIPS compliance issue. (Depending on different views it might
> > matter for the FIPS compliance or not.)
> >
> > > Good to know. Will the same apply to the 140-3 module and
> > > OpenSSL
> > > 3.2?
> >
> > Yes, that is and always was the intention. The FIPS provider is
> > built
> > in a way that it can be used with any other version and the same
> > applies to third party providers.
> >
> > --
> > Tomáš Mráz, OpenSSL
> >
>
> --
> Tomáš Mráz, OpenSSL
>
--
Tomáš Mráz, OpenSSL
More information about the openssl-users
mailing list