I figured I should mention our current libressl policy wrt FIPS mode.
It's gone and it's not coming back.

This doesn't really impact OpenBSD users since we've never enabled
FIPS builds, but some others may be interested.

Question: Was Heartbleed FIPS mandated, or merely FIPS certified?

Question: Does Dual EC DRBG make your communications more secure? Does
it somehow help that a worthless broken implementation still passes
certification?

We have here a standard that includes worse than useless crypto, and a
process that certifies useless implementations. How does this help
anyone?

"But I need FIPS mode for blah blah." I notice nobody claims that
there's any intrinsic value to FIPS mode. It's widely recognized as a
worthless checkbox; now it's time to stand up to the clowns in charge
and tell them the same thing. It's funny to compare how many people
like to quote Gandhi's "Be the change that you wish to see in the
world." with how few people actually like to be the change.

Note that FIPS mode isn't just worthless, it's actively harmful. It
creates perverse incentives that lead to a toxic development process
where necessary work doesn't happen and unnecessary work does. Our
goal is to produce a TLS stack with the same objectives as OpenBSD
itself: free, functional, and secure. FIPS mode is none of those things.

If people really need FIPS mode, somebody will fork again and
create libfipssl.com and charge a million bucks for it. And then the
ones who need FIPS mode can pay to get it, but they won't pay us. The
OpenBSD Foundation will gladly take donations to improve libressl, but
some money is just too expensive to accept. Sitting on (or more
accurately, under) a million dollars in custom contracts creates what
I will charitably call a priority inversion.
