FIPS compliance in OpenSSL v3.0

Dr Paul Dale pauli at openssl.org
Wed Feb 8 21:10:18 UTC 2023


You need to do this:

1. Configure, build and install OpenSSL 3.0.0 as per the security 
policy.  This gives you a FIPS provider that is compliant.

2. Configure, build and install the later version of OpenSSL *without* 
the `enable-fips' option.  This gives you the security and bug fixes.

3. Run the later version of OpenSSL with the 3.0.0 FIPS provider. You 
now have FIPS compliant cryptographic algorithms and the fixes.

The intention has always been to support different versions of the FIPS 
provider just working across different releases (both earlier and later).


As for additional options during configuration, in step 2 above, these 
pose no problem since they're not FIPS related.  In step 1 it might be 
problematic & I'd suggest talking to a FIPS lab or auditor about any 
specifics.  However, there really isn't much need to tweak the build in 
step 1.


Pauli


On 9/2/23 06:58, Afshin Pir wrote:
>
> Hi
>
> Regarding FIPS compliance, I read the following statement in your 
> README-FIPS.md:
>
> If you need a FIPS validated module then you must ONLY generate a FIPS 
> provider using OpenSSL versions that have valid FIPS certificates. A 
> FIPS certificate contains a link to a Security Policy, and you MUST 
> follow the instructions in the Security Policy in order to be FIPS 
> compliant.
>
> If I check the security policy, I need to use 
> https://www.openssl.org/source/openssl-3.0.0.tar.gz and configure it 
> with the ‘enable-fips’ option only. Now I have 2 questions: What 
> happens if a security hole is seen in OpenSSL? If I build the FIPS 
> module using newer source code that resolves that security hole, will 
> my module not have FIPS compliance? My second question is whether 
> compiling the code with other options (like no-deprecated or no-engine) 
> will also break FIPS compliance or not. Any idea?
>
> Best Regards,
>
> Afshin
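Added example, not part of the thread or of OpenSSL: a shell check for the outcome of step 3, confirming that a later OpenSSL is running with the FIPS provider version the Security Policy names. The function names, the VALIDATED_FIPS_VERSION variable and the sample listing are assumptions made for this illustration; the sample is constructed in the layout that `openssl list -providers` prints.

```sh
#!/bin/sh
# Added example (not from the thread): confirm step 3, i.e. a later libcrypto
# running with the FIPS provider version the Security Policy names.
# 3.0.0 is the version given in the thread; override it to match your policy.
VALIDATED_FIPS_VERSION="${VALIDATED_FIPS_VERSION:-3.0.0}"

# Constructed sample in the layout `openssl list -providers` prints.
SAMPLE_PROVIDERS='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.8
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.0
    status: active'

# Print one field (version, status) of the "fips" provider from a listing on stdin.
fips_provider_field() {
    awk -v want="$1:" '
        /^  [^ ]/ { current = $1; next }   # two-space indent: a provider id
        current == "fips" && $1 == want { print $2; exit }
    '
}

# check_fips_pairing LIB_VERSION < listing
# Returns 0 only when the fips provider is loaded, active and the expected version.
check_fips_pairing() {
    listing=$(cat)
    fips_version=$(printf '%s\n' "$listing" | fips_provider_field version)
    fips_status=$(printf '%s\n' "$listing" | fips_provider_field status)
    if [ -z "$fips_version" ]; then
        echo "FAIL: fips provider not loaded"; return 1
    fi
    if [ "$fips_status" != "active" ]; then
        echo "FAIL: fips provider status is '$fips_status'"; return 1
    fi
    if [ "$fips_version" != "$VALIDATED_FIPS_VERSION" ]; then
        echo "FAIL: fips provider is $fips_version, expected $VALIDATED_FIPS_VERSION"; return 1
    fi
    echo "OK: libcrypto $1 with FIPS provider $fips_version"
}

# Demo on the constructed sample. On a real host, replace the printf with:
#   openssl list -providers
# and pass "$(openssl version | awk '{print $2}')" as LIB_VERSION.
printf '%s\n' "$SAMPLE_PROVIDERS" | check_fips_pairing 3.0.8
```

The check fails when the fips provider is absent, inactive, or reports a version other than the expected one, which is what happens if the provider was rebuilt from the later source tree.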