<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
You need to do this:<br>
<br>
1. Configure, build and install OpenSSL 3.0.0 as per the security
policy. This gives you a FIPS provider that is compliant.<br>
<br>
2. Configure, build and install the later version of OpenSSL
*without* the `enable-fips' option. This gives you the security
and bug fixes.<br>
<br>
3. Run the later version of OpenSSL with the 3.0.0 FIPS provider.
You now have FIPS compliant cryptographic algorithms and the fixes.<br>
<br>
The intention has always been to support different versions of the
FIPS provider just working across different releases (both earlier
and later).<br>
<br>
<br>
As for additional options during configuration, in step 2 above,
these pose no problem since it's not FIPS related. In step 1 it
might be problematic & I'd suggest talking to a FIPS lab or
auditor about any specifics. However, there really isn't much need
to tweak the build in the step 1.<br>
<br>
<br>
Pauli<br>
<br>
<br>
<div class="moz-cite-prefix">On 9/2/23 06:58, Afshin Pir wrote:<br>
</div>
<blockquote type="cite"
cite="mid:SY2PR01MB2778148A5455802A27CA977094D89@SY2PR01MB2778.ausprd01.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style>@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}div.WordSection1
{page:WordSection1;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Hi<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Regarding FIPS compliance, I read following
statement in your README-FIPS.md:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">If you need a FIPS validated module then
you must ONLY generate a FIPS provider using OpenSSL versions
that have valid FIPS certificates. A FIPS certificate contains
a link to a Security Policy, and you MUST follow the
instructions in the Security Policy in order to be FIPS
compliant.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">If I check security policy, I need to use <a
href="https://www.openssl.org/source/openssl-3.0.0.tar.gz"
moz-do-not-send="true" class="moz-txt-link-freetext">
https://www.openssl.org/source/openssl-3.0.0.tar.gz</a> and
configure it with ‘enable-fips’ option only. Now I have 2
questions: What does happen if a security hole is seen on
OpenSSL? If I build FIPS module using newer source codes that
resolve that security hole, my module will not have FIPS
compliance? My second question is if compiling code with other
options (like no-deprecated or no-engine) will also break FIPS
compliance or not. Any idea?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Best Regards,<o:p></o:p></p>
<p class="MsoNormal">Afshin<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<hr>
This email is confidential and may contain information subject to
legal privilege. If you are not the intended recipient please
advise us of our error by return e-mail then delete this email and
any attached files. You may not copy, disclose or use the contents
in any way. The views expressed in this email may not be those of
Gallagher Group Ltd or subsidiary companies thereof.
<hr>
</blockquote>
<br>
</body>
</html>