Roger No-Spam wrote:
 Hi,

 What are the plans for the openssl 0.9.8 FIPS 140-2 module? The
 reason I ask is that I have noticed that in later openssl releases
 (e.g. l and m) there are changes to the FIPS 140-2 code, compared to
 openssl-fips-1.2.tar.gz.

As with the rest of the OpenSSL software, that software is enhanced and improved on an ongoing basis. Absent a corresponding validation, that improved code generally won't do you much good at present, however.

 We use openssl-0.9.8 on a proprietary OS and
 include the FIPS module in our SDK that we provide to customers, in
 case customers want to validate their end-products (since it is a
 proprietary OS we cannot leverage the openssl FIPS 140-2 validation
 :-( ).

The mere fact you have a proprietary OS does not automatically preclude use of the OpenSSL FIPS Object Module v1.2. If you can generate and install it in strict accordance with the Security Policy you can use it.


 Are there plans to make a new version of the FIPS module with bug
 fixes etc.?

If by "make a new version" you mean "obtain a new open source based validation" the answer is no. There is a substantial (to us) cash cost to a FIPS 140-2 validation. We're ready and eager to do such a validation but will have to wait for appropriate funding.

 What FIPS 140-2 files are best to use in my case? The ones from the
 original openssl-fips-1.2 release, or from openssl-0.9.8m?

If you want to generate a module that you can claim and market as validated you have no choice, you have to use the one and only openssl-fips-1.2.tar.gz tarball and follow the Security Policy. If you want to obtain your own "private label" validation, as many commercial vendors do, you can start with the latest 0.9.8 release. And write a big check to a test lab, and wait 9-12 months...

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
