Need help - upgrading openssl version from 3.0.12 to 3.2.x version

Prasad, PCRaghavendra Pcraghavendra.Prasad at dell.com
Mon Feb 26 13:47:19 UTC 2024


Hi Stephen & Team,

Thanks,

But in the OpenSSL org docs it is mentioned that from 3.0.x onwards FIPS is integrated within the OpenSSL code and there is no need to build it separately.
As I mentioned, we are already on OpenSSL version 3.0.12 and we wanted to move to 3.2.x because of some vulnerabilities in cryptography (python package).

So as per the mail, can we build the OpenSSL FIPS provider separately and then integrate it with the OpenSSL 3.2.x code?

Please correct me if my understanding is wrong.

Thanks,
Raghu


-----Original Message-----
From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Wall, Stephen
Sent: Monday, February 26, 2024 6:52 PM
To: openssl-users at openssl.org
Subject: RE: Need help - upgrading openssl version from 3.0.12 to 3.2.x version



> From: Prasad, PCRaghavendra
> We are planning to upgrade the OpenSSL version from 3.0.12 to 3.2.x.
>
> We are currently using the OpenSSL FIPS enablement feature in our application, so if we upgrade to a newer OpenSSL 3.2.x version, are there any changes w.r.t. FIPS?
> We need to be in line with the FIPS 140-2 standard. Is the process the same as the way we upgraded between different 3.0.x versions (like 3.0.8 to 3.0.9 and 3.0.9 to 3.0.12, etc.)?

You *must* use the fips.so from either 3.0.8 or 3.0.9, built in accordance with the Security Policy, in order to claim FIPS 140-2 certification. These are the only versions listed on the OpenSSL certificate (https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4282).

There have been several messages on one of the OpenSSL mailing lists about problems using the 3.0.x FIPS provider with 3.2.x OpenSSL builds, so it may not be possible to be FIPS compliant with OpenSSL 3.2.

-spw
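
An added example (not part of the original messages, and not OpenSSL project code): a shell check that reads `openssl list -providers` output and reports whether the loaded FIPS provider is one of the two versions the reply names, 3.0.8 or 3.0.9. The provider id `fips` and both sample outputs, including the 3.2.1 version string, are constructed assumptions.

```shell
#!/bin/sh
# Versions named in the reply above as listed on the certificate.
VALIDATED_FIPS_VERSIONS="3.0.8 3.0.9"

# Read `openssl list -providers` output on stdin and print the version of the
# provider whose id is "fips" (assumed id); print nothing if it is not listed.
fips_provider_version() {
    awk '
        NF == 1 && $1 !~ /:$/ { current = $1 }   # bare token = provider id line
        $1 == "version:" && current == "fips" { print $2; exit }
    '
}

# Exit status: 0 = validated version, 1 = other version, 2 = no fips provider.
check_fips_provider() {
    ver=$(fips_provider_version)
    if [ -z "$ver" ]; then
        echo "no fips provider loaded"; return 2
    fi
    for ok in $VALIDATED_FIPS_VERSIONS; do
        if [ "$ver" = "$ok" ]; then
            echo "fips provider $ver: listed on the certificate"; return 0
        fi
    done
    echo "fips provider $ver: not a validated version"; return 1
}

# Constructed sample: 3.0.12 library loading a fips.so built from 3.0.9.
SAMPLE_VALIDATED='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.12
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active'

# Constructed sample: fips provider built from the same tree as a 3.2.1 library.
SAMPLE_UNVALIDATED='Providers:
  fips
    name: OpenSSL FIPS Provider
    version: 3.2.1
    status: active'

printf '%s\n' "$SAMPLE_VALIDATED"   | check_fips_provider || true
printf '%s\n' "$SAMPLE_UNVALIDATED" | check_fips_provider || true
# On a real host: openssl list -providers | check_fips_provider
```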
