FIPS module for OpenSSL 1.1.1x

Michael Wojcik Michael.Wojcik at microfocus.com
Thu May 16 16:14:33 UTC 2019


> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of shiva kumar
> Sent: Thursday, May 16, 2019 04:30

> 1) If I upgrade to 1.1.1b will it cause any problem to other applications? which
> uses openssl for communications. ( say apache http server ).

I don't think anyone on the openssl-users list can predict the future.

OpenSSL 1.1.1, in its default configuration (using the default cipher list, etc) does disable some algorithms which are now deemed unsafe. That may prevent connecting to old peers that only support deprecated algorithms. The workarounds are to upgrade (or reconfigure) the peers, or change the cipher list or other configuration for the component using 1.1.1.

On the other hand, 1.1.1 adds support for TLSv1.3 and other newer TLS features, so it will improve compatibility with peers that require support for contemporary protocols and algorithms.

Since there have been many versions of Apache, and it offers a multitude of configurations, it's impossible to guess whether you'd have interoperability issues with it.

> 2) can I expect FIPS module for 1.1.1b as well ?

No. This has been discussed ad nauseam on the list, and is well-documented on the openssl.org site. The next FIPS module release will be for the next major OpenSSL release (which will be called OpenSSL 3 or OpenSSL 4), and will likely not be available until sometime in 2020.

> 3) since OpenSSL 1.1.1b doesn't have FIPS will this affect any other application ?

Any application that uses OpenSSL and requires FIPS mode (that is, insists on enabling it) will have to use 1.0.2 until 3 (or 4) is available. Any application that claims FIPS validation (or uses "FIPS inside" branding) and uses OpenSSL will have to use 1.0.2 until 3 is available.

FIPS mode should not be required for interoperability. FIPS 140-2 restricts what features are available; it doesn't add any. Those features are all still available outside FIPS mode.

--
Michael Wojcik
Distinguished Engineer, Micro Focus
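A check worth running before relying on the cipher-list workaround mentioned above: this is an added Python example, not code from Michael Wojcik, the thread, or the OpenSSL project. It uses only the standard ssl module to ask the locally linked OpenSSL build which TLS 1.2-and-earlier suites a given cipher string actually selects, so an operator can see what a reconfigured cipher list would offer (or whether it leaves nothing usable) before deploying it. The helper names and the LEGACY_MARKERS list are my own assumptions, not anything the message specifies.

```python
"""Inspect the cipher suites the linked OpenSSL build selects for a cipher string.

Added example (hypothetical helpers). Requires Python 3.7+; no network access.
"""
import ssl

# Substrings that commonly mark suites dropped from modern default lists.
# This list is an assumption for illustration, not taken from the thread.
LEGACY_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")


def openssl_version() -> str:
    """Version string of the OpenSSL library Python is linked against."""
    return ssl.OPENSSL_VERSION


def supports_tls13() -> bool:
    """True when the linked OpenSSL can negotiate TLS 1.3 (1.1.1 and later)."""
    return bool(getattr(ssl, "HAS_TLSv1_3", False))


def ciphers_for(cipher_string: str) -> list:
    """Names of the TLS 1.2-and-earlier suites selected by `cipher_string`.

    TLS 1.3 suites are excluded because set_ciphers() does not govern them.
    An empty list means the string leaves nothing usable: OpenSSL rejects it
    with 'No cipher can be selected', which Python surfaces as ssl.SSLError.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def default_ciphers() -> list:
    """Suites offered by Python's default client context on this build."""
    ctx = ssl.create_default_context()
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def legacy_suites_in(names: list) -> list:
    """Subset of `names` whose suite name carries one of LEGACY_MARKERS."""
    return [n for n in names if any(m in n for m in LEGACY_MARKERS)]


if __name__ == "__main__":
    print("OpenSSL:", openssl_version(), "| TLS 1.3:", supports_tls13())
    print("Default context suites:", len(default_ciphers()))
    # Compare a candidate workaround string against the default list.
    for spec in ("DEFAULT", "ECDHE+AESGCM", "RC4", "!ALL"):
        selected = ciphers_for(spec)
        print(f"{spec!r}: {len(selected)} suite(s), legacy: {legacy_suites_in(selected)}")
```

Run it on the host that will carry the new library; an empty result for a cipher string shows that the string cannot be used as-is on that build, and a non-empty legacy list shows which of the selected suites a reconfiguration for old peers would reintroduce.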
