[openssl-dev] Latest OpenSSL and old FIPS module

Steve Marquess marquess at openssl.com
Fri Jun 17 12:48:38 UTC 2016


On 06/17/2016 07:48 AM, Alibek Joraev wrote:
> Currently, I use the 1.0.1 series (with the current one being 1.0.1t) of OpenSSL
> with OpenSSL FIPS module version 2.0.2.
> As the 1.0.1 version nears the end of its long-term support, I would like to upgrade to
> OpenSSL 1.0.2h, but keep the existing 2.0.2 FIPS module.
> 
> I can see that latest OpenSSL 1.0.2h is posted together with FIPS module
> 2.0.12.
> 
> Is OpenSSL 1.0.2h compatible with older FIPS modules? Or do I also have
> to upgrade to the newest FIPS module?
> 
> ...

All revisions of OpenSSL 1.0.2 are compatible with all revisions of the
OpenSSL FIPS Object Module 2.0. So you can keep your existing 2.0.2 FIPS
module and upgrade from 1.0.1 to 1.0.2.

Note that in general there is no advantage to upgrading to newer FIPS
module revisions (e.g. from 2.0.2 to 2.0.12) as in general we're not
allowed to do bugfixes or feature enhancements; the newer revisions are
not "better" in the sense usually expected for open source software. The
exception to that statement is a feature enhancement of sorts, the
removal of Dual EC DRBG that occurred at 2.0.6. If completely removing
Dual EC DRBG matters to you[1] then you can upgrade to any revision
2.0.6+, all of which will work for any platform supported by 2.0.2. If
you're upgrading you might as well go straight to 2.0.12[2], while
realizing you'll always be a revision or three behind (2.0.13 is in the
works).

Also please note that at some point you'll want or need to upgrade to
OpenSSL 1.1, for which no FIPS 140 support is currently available or
planned at anything beyond the wistful thinking stage.

-Steve M.

[1] why you might: http://veridicalsystems.com/blog/immutability-of-fips/

[2] Unless, sigh, your platform(s) of interest are listed only for the
#1747 or #2473 validations which stop at revision 2.0.10, in which case
that's the newest FIPS module revision with the magical pixie dust of
FIPS righteousness, even though the latest revision (2.0.12)
functionally supports all platforms for all validations.


-- 
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
