[openssl-users] What version of OpenSSL source can be built with FIPS modules?

Steve Marquess marquess at openssl.com
Tue Jan 19 19:17:14 UTC 2016

On 01/19/2016 01:54 PM, security veteran wrote:
> Hi All:
> What version of OpenSSL source can be built with FIPS modules?

Stock OpenSSL 0.9.8 is compatible with the 1.2 module only
(openssl-fips-1.2.N.tar.gz). Note the 1.2 module will die at the end of
this month.

Stock OpenSSL 1.0.N is compatible with the 2.0 module only.

OpenSSL 1.1 is not compatible with any FIPS module.

> We are using Ubuntu, and we noticed that the Ubuntu 12.04 and 14.04
> packaged their openssl .deb from different versions of openssl source.
> e.g. Ubuntu 12.04 uses openssl_1.0.1
> <http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_1.0.1.orig.tar.gz> and
> Ubuntu 14.04 uses openssl_1.0.1f
> <https://launchpad.net/ubuntu/+archive/primary/+files/openssl_1.0.1f.orig.tar.gz>
> Can the OpenSSL FIPS modules be built with both of these two different
> versions of OpenSSL?

Keep in mind that the OpenSSL bundled with Ubuntu isn't stock OpenSSL,
and isn't built as a "FIPS capable" OpenSSL. I don't know how feasible
it will be to rebuild those Ubuntu sources with the "fips" option to
make a "FIPS capable" OpenSSL, as I haven't looked at the Ubuntu
modifications. Try it and see.

-Steve M.

Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
