[openssl-users] Reasons to go from 2.0.9 FOM to 2.0.12 ?

Steve Marquess marquess at openssl.com
Fri Aug 19 17:16:11 UTC 2016

On 08/19/2016 12:43 PM, jonetsu wrote:
> Hello,
> We are using FOM 2.0.9 for an embedded product that will go for FIPS
> validation.  Validation of the full product, that is.  All
> development so far is with 2.0.9.  What would be the reasons, if any,
> to update to 2.0.12 before going to the lab ?
> Thanks - comments much appreciated.

No reason at all, if 2.0.9 works for you as-is and you're getting your
own validation.

Unlike the usual case for software, where continual improvements and
bugfixes are routinely implemented, we're not allowed to do bugfixes or
refinements (not even security vulnerability mitigations) for validated
modules. So later revisions of the OpenSSL FIPS Object Module are not
"better" in any meaningful way as you'd normally assume. The only
difference between revisions[*] is the addition of platform-specific
portability mods. As part of the validation process we have to
demonstrate that the revision mods can't have any effect on any
previously tested platforms.

On the other hand, since there are no substantive differences between
2.0.9 and 2.0.13, and since you're apparently going to the expense and
trouble of obtaining a copycat validation, there's no reason for you
*not* to use 2.0.13. That way you'd potentially have coverage for more

-Steve M.

[*] Removal of Dual EC DRBG -- arguably a vulnerability mitigation -- at
revisions 2.0.6 and 2.0.8 is a singular exception to that rule.

Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
