Anyone,
 
OpenSSL 0.9.7b is currently undergoing Federal Information Processing Standard
(FIPS) validation for compliance with FIPS 140-2
(http://csrc.nist.gov/cryptval/140-2.htm). OpenSSL 0.9.7b appears on the
"Cryptographic Module Validation Program FIPS 140-1 and FIPS 140-2
Pre-Validation List" (http://csrc.nist.gov/cryptval/140PreVal.pdf). This version
has known security issues (detailed below). These known security vulnerabilities
can be addressed by upgrading to a more recent version of OpenSSL, such as the
current version 0.9.7i, but that version is not being evaluated for FIPS 140-2
compliance, which is a requirement for us. Does anyone know for certain if the
cryptographic modules within 0.9.7b have been changed in recent versions? If
they have remained the same, I am looking for some statement to that effect. If
they have changed, what is the plan for resubmission for FIPS validation with
the changes?
 
OpenSSL 0.9.7b has known security issues:

*       http://www.openssl.org/news/secadv_20030930.txt 
*       http://www.openssl.org/news/secadv_20031104.txt 
*       http://www.openssl.org/news/secadv_20040317.txt 
*       http://www.openssl.org/news/secadv_20051011.txt 
        *       Reference: http://www.openssl.org/news/

*       Advisory CA-2002-23 
*       Advisory CA-2003-26 
*       US-CERT VU#102795 
*       US-CERT VU#104280 
*       US-CERT VU#104280 
*       US-CERT VU#104280 
*       US-CERT VU#131923 
*       US-CERT VU#255484 
*       US-CERT VU#258555 
*       US-CERT VU#258555 
*       US-CERT VU#288574 
*       US-CERT VU#308891 
*       US-CERT VU#380864 
*       US-CERT VU#412478 
*       US-CERT VU#465542 
*       US-CERT VU#465542 
*       US-CERT VU#484726 
*       US-CERT VU#561275 
*       US-CERT VU#686224 
*       US-CERT VU#732952 
*       US-CERT VU#748355 
*       US-CERT VU#888801 
*       US-CERT VU#888801 
*       US-CERT VU#935264 
*       US-CERT VU#9O97481 
        *       Reference: http://search.cert.org/

*       CVE-2005-2969 
*       CVE-2004-0975 
*       CVE-2004-0112 
*       CVE-2004-0081 
*       CVE-2004-0079 
*       CVE-2003-0851 
*       CVE-2003-0545 
*       CVE-2003-0544 
*       CVE-2003-0543 
        *       Reference: http://cve.mitre.org/cve/index.html

Regards,
Rick

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [EMAIL PROTECTED]