[openssl-users] OpenSSL 3.0 and FIPS Update

Matt Caswell matt at openssl.org
Thu Feb 14 16:46:57 UTC 2019

On 14/02/2019 16:34, Jakob Bohm via openssl-users wrote:
> On 13/02/2019 20:12, Matt Caswell wrote:
>> On 13/02/2019 17:32, Jakob Bohm via openssl-users wrote:
>>> On 13/02/2019 12:26, Matt Caswell wrote:
>>>> Please see my blog post for an OpenSSL 3.0 and FIPS Update:
>>>> https://www.openssl.org/blog/blog/2019/02/13/FIPS-update/
>>>> Matt
>>> Given this announcement, a few questions arise:
>>> - How will a FIPS provider in the main tarball ensure compliance
>>>   with the strict code delivery and non-change requirements of the
>>>   CMVP (what was previously satisfied by distributing physical
>>>   copies of the FIPS canister source code, and sites compiling this
>>>   in a highly controlled environment to produce a golden canister)?
>> My understanding is that physical distribution is no longer a requirement.
> And the other things in that question?
> Integrity of validated source code when other parts of the tarball
> get regular changes?
> Building the validated source code in a controlled environment
> separate from the full tarball?

See the section of the Design document with the title "Detection of Changes
inside the FIPS Boundary". Basically there will be version controlled checksum
covering all of the validated source.

Yes - I do expect you to be able to build just the validated source
independently of the rest of the tarball so that you could (for example) run the
latest main OpenSSL version but with an older module.


More information about the openssl-users mailing list