On 02/22/2016 11:01 AM, Wall, Stephen wrote:
> I wonder if I could get the thoughts of some of you developers on how
> difficult it would be to build an engine for OpenSSL 1.1.0 that makes
> use of the current (2.0.11?) fipscanister.o. Also, opinions on if
> this would be a legitimate way to get FIPS in 1.1.0.
>
> Thanks, spw

Re-use of the current 2.0 module was debated in detail, with the conclusion that too many distortions to the new OpenSSL code would be required. We're trying hard to get away from messy, ugly, fragile code and reluctantly concluded that only a new FIPS module designed for a clean interface with OpenSSL 1.1 was feasible.

We are not happy with the loss of FIPS support for 1.1; we know many users require it. But, we're not willing to compromise sound software engineering judgment to kludge together an abomination (and frankly the current FIPS module with OpenSSL 1.0.N is pretty ugly already).

What we need is a new FIPS module, which we're willing to develop given the opportunity. The main problem there is the formal validation process. A FIPS 140-2 validation is challenging enough for conventional proprietary closed-source binary code; open source based validations are enormously more difficult. Those have only been done five times, and my assessment of the current regulatory environment is that it would be far too risky for us to attempt a sixth such attempt (at least not without sponsor(s) willing to absorb most of that risk).

If and when a new FIPS module for 1.1 is developed, it almost certainly will take the form of a new "engine" style modular component.

-Steve M.

--
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev