[openssl-users] What version of OpenSSL source can be built with FIPS modules?

Jakob Bohm jb-openssl at wisemo.com
Tue Jan 19 19:56:07 UTC 2016


If, as I suspect, the Ubuntu and Debian OpenSSL packages
share the packaging work and patches, then the situation
is a bit different.

At least for Debian, the OpenSSL packages:

- Freeze the visible patch level letter at whatever it
  was on some freeze date prior to release (for instance
  it may say "1.0.1e")

- Include backports of all relevant security patches in
  Debian packages versioned e.g. 1.0.1e-2+deb7u18 (meaning
  the 18th patch release since version 2 of the 1.0.1e
  packaging was included in Debian 7.0).

- Include additional patches to do "symbol versioning"
  wherever the 1.0.x libraries contain ABI differences
  that would otherwise break running software compiled
  to run against shared libraries built from the 1.0.0
  tree against shared libraries compiled from the 1.0.1
  tree (etc.).  Basically, they fix bugs in the binary
  compatibility within the 1.0.x upstream releases.

- Include an unknown number of truly custom patches, one
  of which used to accidentally cripple key generation so
  badly that they were actually able to release a blacklist
  of all the public keys it could possibly generate
  (after they found the bug).

On 19/01/2016 20:30, security veteran wrote:
> Thanks Steve.
>
> I believe the OpenSSL bundled with Ubuntu basically just added some 
> Ubuntu packaging stuff such as the package installation scripts, the 
> dependency information, etc. The main source code should be pretty 
> much the same and all the patches should still come from the OpenSSL 
> community.
>
> Another option I was thinking of was to build the FIPS modules with the 
> openssl source in the Ubuntu package, and then just replace the original 
> Ubuntu libcrypto.so file with the libcrypto.so that is integrated with 
> the FIPS modules. Ideally this should work, or do you see any possible 
> issues with doing it this way?
>
> Thanks.
>
> On Tue, Jan 19, 2016 at 11:17 AM, Steve Marquess <marquess at openssl.com> wrote:
>
>     On 01/19/2016 01:54 PM, security veteran wrote:
>     > Hi All:
>     >
>     > What version of OpenSSL source can be built with FIPS modules?
>
>     Stock OpenSSL 0.9.8 is compatible with the 1.2 module only
>     (openssl-fips-1.2.N.tar.gz). Note the 1.2 module will die at the
>     end of
>     this month.
>
>     Stock OpenSSL 1.0.N is compatible with the 2.0 module only
>     (openssl-fips-2.0.N.tar.gz).
>
>     OpenSSL 1.1 is not compatible with any FIPS module.
>
>     > We are using Ubuntu, and we noticed that the Ubuntu 12.04 and 14.04
>     > packaged their openssl .deb from different versions of openssl
>     source.
>     >
>     > e.g. Ubuntu 12.04 uses openssl_1.0.1
>     >
>     <http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_1.0.1.orig.tar.gz>
>     and
>     > Ubuntu 14.04 uses openssl_1.0.1f
>     >
>     <https://launchpad.net/ubuntu/+archive/primary/+files/openssl_1.0.1f.orig.tar.gz>
>     >
>     > Can the OpenSSL FIPS modules be built with both of these two
>     different
>     > versions of OpenSSL?
>
>     Keep in mind that the OpenSSL bundled with Ubuntu isn't stock OpenSSL,
>     and isn't built as a "FIPS capable" OpenSSL. I don't know how feasible
>     it will be to rebuild those Ubuntu sources with the "fips" option to
>     make a "FIPS capable" OpenSSL, as I haven't looked at the Ubuntu
>     modifications. Try it and see.
>
>     -Steve M.
>
>     --
>     Steve Marquess
>     OpenSSL Software Foundation
>     1829 Mount Ephraim Road
>     Adamstown, MD  21710
>     USA
>     +1 877 673 6775 s/b
>     +1 301 874 2571 direct
>     marquess at openssl.com
>     gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
>     _______________________________________________
>     openssl-users mailing list
>     To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
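The Debian versioning scheme Jakob describes (a frozen upstream letter such as "1.0.1e", a packaging revision, and a security-update suffix such as "+deb7u18") and the module pairing Steve gives (0.9.8 with the 1.2 module, 1.0.x with the 2.0 module, 1.1 with none) can be turned into a small checker. The following is an added example written for this page; it is not code from the thread, from OpenSSL or from Debian/Ubuntu. The regular expressions, function names and the sample version strings are assumptions made for illustration: they follow the dpkg `[epoch:]upstream[-revision]` layout and the `+debNuM` / `ubuntuN.M` suffix conventions, but any distribution may use other suffixes.

```python
"""Classify a Debian/Ubuntu OpenSSL package version string.

Added example; not part of the mailing-list thread or of any OpenSSL or
Debian tooling.  It splits a dpkg-style version into the upstream OpenSSL
version, the distribution's packaging revision and the security-update
suffix, and maps the upstream branch to the OpenSSL FIPS Object Module
generation listed in the thread: 0.9.8 -> 1.2, 1.0.x -> 2.0, 1.1 -> none.
"""
import re
from typing import Optional

# dpkg version: [epoch:]upstream[-revision]; the revision is whatever
# follows the LAST hyphen, so an upstream version may itself contain hyphens.
_VERSION_RE = re.compile(
    r"^(?:(?P<epoch>\d+):)?(?P<upstream>.+?)(?:-(?P<revision>[^-]+))?$"
)
# Debian stable/security update suffix, e.g. "2+deb7u18" -> release 7, update 18
_DEB_UPDATE_RE = re.compile(r"\+deb(?P<release>\d+)u(?P<update>\d+)$")
# Ubuntu packaging suffix, e.g. "1ubuntu2.27" -> update 2.27
_UBUNTU_RE = re.compile(r"ubuntu(?P<update>[\d.]+)$")
# OpenSSL upstream version: "0.9.8zh" -> branch 0.9.8, letter zh
_UPSTREAM_RE = re.compile(r"^(?P<branch>\d+\.\d+\.\d+)(?P<letter>[a-z]*)")


def parse_package_version(version: str) -> dict:
    """Split a dpkg version string into its OpenSSL-relevant parts.

    The visible upstream letter only says where the distribution froze;
    the security-update counter is what tells you how many backported
    fix releases have been applied on top of it.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"not a dpkg version: {version!r}")
    upstream = m.group("upstream")
    um = _UPSTREAM_RE.match(upstream)
    if not um:
        raise ValueError(f"not an OpenSSL upstream version: {upstream!r}")
    revision = m.group("revision")
    info = {
        "epoch": int(m.group("epoch")) if m.group("epoch") else 0,
        "upstream": upstream,
        "branch": um.group("branch"),
        "letter": um.group("letter"),
        "revision": revision,
        # No packaging revision at all: looks like a stock upstream tarball.
        "stock": revision is None,
        "distro": None,
        "security_update": None,
    }
    if revision:
        deb = _DEB_UPDATE_RE.search(revision)
        ubu = _UBUNTU_RE.search(revision)
        if deb:
            info["distro"] = f"debian{deb.group('release')}"
            info["security_update"] = deb.group("update")
        elif ubu:
            info["distro"] = "ubuntu"
            info["security_update"] = ubu.group("update")
    return info


def fips_module_for(upstream: str) -> Optional[str]:
    """FIPS Object Module generation a *stock* upstream tree pairs with.

    Returns "1.2" for 0.9.8, "2.0" for any 1.0.x, None for 1.1 and later.
    """
    um = _UPSTREAM_RE.match(upstream)
    if not um:
        raise ValueError(f"not an OpenSSL upstream version: {upstream!r}")
    branch = um.group("branch")
    if branch == "0.9.8":
        return "1.2"  # openssl-fips-1.2.N (end-of-life per the thread)
    if branch.startswith("1.0."):
        return "2.0"  # openssl-fips-2.0.N
    return None  # 1.1 and later: no FIPS module


def fips_assessment(version: str) -> dict:
    """Combine both checks for one package version string."""
    info = parse_package_version(version)
    info["fips_module"] = fips_module_for(info["upstream"])
    # A distro-patched tree is not a stock tree: the module pairing above
    # tells you which module to try, not that the rebuild will succeed.
    info["needs_rebuild_check"] = not info["stock"]
    return info


if __name__ == "__main__":
    # Constructed sample version strings for illustration.
    for v in ("1.0.1e-2+deb7u18", "1:1.0.1f-1ubuntu2.27", "1.0.2g", "1.1.0"):
        print(v, "->", fips_assessment(v))
```

The `stock` flag is deliberately crude: absence of a packaging revision is the only signal a version string gives, and a distribution tree with a revision has, as the thread says, an unknown number of extra patches, so the pairing is a starting point for a test build rather than a guarantee.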