[openssl-users] OpenSSL 3.0 and FIPS Update

Jakob Bohm jb-openssl at wisemo.com
Thu Feb 14 16:34:01 UTC 2019

On 13/02/2019 20:12, Matt Caswell wrote:
> On 13/02/2019 17:32, Jakob Bohm via openssl-users wrote:
>> On 13/02/2019 12:26, Matt Caswell wrote:
>>> Please see my blog post for an OpenSSL 3.0 and FIPS Update:
>>> https://www.openssl.org/blog/blog/2019/02/13/FIPS-update/
>>> Matt
>> Given this announcement, a few questions arise:
>> - How will a FIPS provider in the main tarball ensure compliance
>>   with the strict code delivery and non-change requirements of the
>>   CMVP (what was previously satisfied by distributing physical
>>   copies of the FIPS canister source code, and sites compiling this
>>   in a highly controlled environment to produce a golden canister)?
> My understanding is that physical distribution is no longer a requirement.
And the other things in that question?

Integrity of validated source code when other parts of the tarball
get regular changes?

Building the validated source code in a controlled environment
separate from the full tarball?

(If there are answers in the FIPS 3.0.0 draft spec, they need repeating).

>> - Will there be a reasonable transition period where users of the
>>   old FIPS-validated module can transition to the new module (meaning
>>   that both modules are validated and usable with a supported
>>   FIPS-capable OpenSSL library)?  I imagine that applications relying
>>   on the existing FIPS canister will need some time to quality test
>>   their code with all the API changes from OpenSSL 1.0.x to OpenSSL
>>   3.0.x .  OS distributions will also need some time to roll out the
>>   resulting feature updates to end users.
> The old FIPS module will remain validated for some time to come, so both the old
> and new modules will be validated at the same time for a while. 1.0.2 will go
> EOL at the end of this year. The intention is that 3.0 will be available before
> that. It's not yet clear exactly when 3.0 will become available and what the
> overlap with 1.0.2 will be so I don't have an answer at this stage for
> transition period.
> Matt
So right now, FIPS-validated users are left hanging, with no date to
get a 3.0.0 code drop to start porting and a looming deadline for the
1.0.x API.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list