It took a couple of hours of code hacking followed by six long months of waiting, but at long last revision 2.0.6 of the OpenSSL FIPS Object Module v2.0 (validation certificate #1747) has finally been approved:
https://www.openssl.org/source/openssl-fips-2.0.6.tar.gz https://www.openssl.org/source/openssl-fips-ecp-2.0.6.tar.gz Usually new revisions add support for new platforms; with 2.0.6 the Dual EC DRBG algorithm implementation is entirely removed from the module. This removal eliminates dead code that no one in their right mind would use deliberately, and also eliminates the accidental or malicious enabling of that algorithm. Revision 2.0.6 is a direct replacement for all previous revisions (2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5). Anyone concerned about the presence of the toxic and officially deprecated Dual EC DRBG algorithm is encouraged to upgrade to revision 2.0.6. Note that the formal paperwork for revision 2.0.7, with support for eleven new platforms, was submitted some time ago. As the removal of Dual EC DRBG was not approved at that time, that revision still includes the Dual EC DRBG implementation. We've put in a query asking if we will be permitted to retroactively remove Dual EC DRBG from that as well. If that approval is not given we'll be in the odd position of re-introducing Dual EC DRBG with revision 2.0.7 when that is eventually approved. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
