[openssl-users] End of the line for the OpenSSL FIPS Object Module?

Isaac Hailperin Isaac.Hailperin at lcsystems.ch
Thu Feb 26 12:04:24 UTC 2015


Steve,

thank you for alerting us.
Do I understand correctly that by "platform", not  a general OS (like "Linux", "Solaris") on a specific hardware (sparc, x86, ...) is meant, but a very specific distribution release, like "Ubuntu 14.04", or "CentOS 7.0", on e.g. x86? This would mean that there would be no fips compliant openssl build possible on e.g. a future "CentOS 8.1"?

We are currently using the fips module on Solaris 10, and have plans to use it on Linux, probably RHEL 7.X, but depending on the time in the future, that could well be RHEL 8.X.

Isaac

-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Steve Marquess
Sent: Mittwoch, 25. Februar 2015 15:08
To: openssl-users at openssl.org
Subject: [openssl-users] End of the line for the OpenSSL FIPS Object Module?

As always, if you don't know or care what FIPS 140-2 is count yourself very, very lucky and move on.

The open source based OpenSSL FIPS module validations now date back over a decade, a period during which we've encountered many challenges.
We have recently hit an issue that is apparently inconsequential on its face, but which threatens to bring an end to the era of the open source validated module. This is a situation that reminds me of the old "for want of a nail..." ditty (https://en.wikipedia.org/wiki/For_Want_of_a_Nail).

Tedious details can be found here:

  http://openssl.com/fips/hostage.html

The short take is that for now at least the OpenSSL FIPS Object Module v2.0, certificate #1747, can no longer be updated to include new platforms. This development also wrecks the already marginal economics of tentative plans for a new open source based validation to succeed the current #1747. So, the #1747 validation may be the last of the collaborative open source FIPS modules.

If you are a stakeholder currently using the OpenSSL FIPS module, or with a desire to use it or successor modules (either directly or as the basis for a "private label" validation), this is the time to speak up.
Feel free to contact me directly for specific suggestions or to coordinate with other stakeholders.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


More information about the openssl-users mailing list