[openssl-users] FIPS 140-2 hostage rescue underway

Steve Marquess marquess at openssl.com
Wed Mar 18 18:44:04 UTC 2015

As always, if you don't know or care what FIPS 140-2 is then count
yourself lucky and move on (in this case, count yourself *very* lucky).

We have -- we think -- a workaround for the "hostage" issue that was
blocking the addition of new platforms to the OpenSSL FIPS module
validation via "change letter" updates. That issue impacted several
platform updates that were already in process (the "hostages").

The workaround is messy, ugly, and complex in the finest tradition of
bureaucratic molehill-to-mountain obfuscation. An attempt to describe it
can be found here:


The TL;DR is that the current #1747 validation becomes three validations
that share the same OpenSSL FIPS module (more or less). So, actual use
and deployment of the FIPS module will be the same as before and all
previously tested platforms remain available (that's the big win).
Compliance paperwork will require some careful attention to the multiple
validations which will overlap the same module (the downside). Confusion
is inevitable, feel free to post questions to this list.

-Steve M.

Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

More information about the openssl-users mailing list