[openssl-users] regarding openssl and openssl fips

Steve Marquess marquess at openssl.com
Wed Aug 24 13:51:32 UTC 2016

On 08/24/2016 09:31 AM, Test ssl wrote:
> Hi,
> I am having a product which is right now using openssl1.0.1s and
> opensslfips 2.0.1
> I am upgrading to openssl1.0.2h, is it OK to still be at openssfips
> 2.0.1 or do i need to upgrade the opensslfips too to 2.0.12?
> Regards,

Yes, it's fine to stay at 2.0.1 if that's working for you now.

With one singular exception, we're not allowed to implement improvements
or bug fixes in a validated cryptographic module, so the later revisions
of the OpenSSL FIPS module (now up to 2.0.13) are not "better" in any
real-world sense (i.e. better performance, security vulnerability
mitigations, etc.). The permitted mods are for platform portability and
have to implemented in a way that does not impact any previously tested

The exception is the complete removal of Dual EC DRBG as of 2.0.6 (and
again for 2.0.8, long story). The Dual EC DRBG was disabled all along,
but its complete removal was arguably a vulnerability mitigation. I
think that was only allowed (after much delay) as a special case
exception due to the notoriety of that algorithm. If not having a
dormant Dual EC DRBG matters to you then upgrade to any revision 2.0.8
or later.

-Steve M.

Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

More information about the openssl-users mailing list