Due to a vulnerability discovered in the OpenSSL FIPS Object Module v1.1.1 (see http://www.openssl.org/news/secadv_20071129.txt) a patched version has been submitted for FIPS 140-2 validation approval. We anticipate at least another week before completion of that "fast track" approval process.

We feel the odds of source modifications to that distribution tarball are low. Also, if any non-trivial modifications were to be required we have already concluded that our very limited resources would best be directed towards timely completion of the ongoing v1.2 validation, and thus further work on this patched v1.1.1 validation will be abandoned.

Accordingly I've decided to go ahead and release this as yet UNvalidated distribution for the benefit of those vendors who have asked for an advance copy. This distribution can be found at http://www.openssl.org/source/openssl-fips-1.1.2.tar.gz. The HMAC-SHA-1 digest is e0a9c4b06ecae197084ae152524dd39fcaab695d. The previous v1.1.1 distribution has been removed as it has no value now that the corresponding validation has effectively been revoked.

Please note that there is no guarantee that this distribution will ever be validated. Until and if it is validated any software generated from it will NOT satisfy the requirements for FIPS 140-2 validated software.

However, *if* this distribution is built precisely in accordance with the Security Policy (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp733.pdf) then the resulting module will retroactively become validated at the time of the official formal CMVP certificate award. Vendors who want to take a chance on the outcome can thus use this distribution to prepare software now for release at that future time.

Note there will be a revised Security Policy along with the new algorithm and FIPS 140-2 certificate numbers and the digest given above, but the build/install instructions will not change.

-Steve M.

--
Steve Marquess
Open Source Software Institute
[EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Announcement Mailing List                 openssl-announce@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
