[openssl-project] OpenSSL 3.0 and FIPS Update

Matt Caswell matt at openssl.org
Thu Feb 21 16:20:53 UTC 2019

On 21/02/2019 15:02, Dmitry Belyavsky wrote:
> Dear Matt
> On Wed, Feb 13, 2019 at 9:30 PM Matt Caswell <matt at openssl.org
> <mailto:matt at openssl.org>> wrote:
>     Please see my blog post for an OpenSSL 3.0 and FIPS Update:
>     https://www.openssl.org/blog/blog/2019/02/13/FIPS-update/
> After reading the proposed architecture description, I have some questions that
> are very important for the developers of non-US certified openssl-based products.

Hi Dmitry,

Answers inserted.

> 1. Will it still be available to implement custom RAND_methods via the new
> providers API?

Yes, I expect this to be possible.

> 2. Can we do something with a bunch of hard-linked non-extendable lists of
> internal NIDs? 
> For example, providing GOST algorithms always requires a patch to extend 3-5
> internal lists.
> If it could be done dynamically, it will be great.

That's not currently something we've considered, but I agree it would be great
to fix that. Perhaps you could create a github issue identifying the specific
areas we should be looking at and then we can take a look at the feasibility of
fixing it.

> 3. Do you have plans to make some callback structures created by providers? 
> I mean such structures as SSL key exchange/authentication methods, X.509
> extensions etc.

There aren't any plans to do that at the moment. There's nothing in the provider
design that would prevent us from doing so at some point in the future.


More information about the openssl-users mailing list