> OpenSSL 0.9.7b is currently undergoing Federal Information Processing Standard
> (FIPS) validation for compliance with FIPS 140-2
> (http://csrc.nist.gov/cryptval/140-2.htm). OpenSSL 0.9.7b appears on the
> "Cryptographic Module Validation Program FIPS 140-1 and FIPS 140-2
> Pre-Validation List" (http://csrc.nist.gov/cryptval/140PreVal.pdf).

Where does it say 0.9.7b? It doesn't specify the exact version, and it's not 0.9.7b that was submitted for the final round, but 0.9.7h with specific fix-ups required to meet certain requirements.

> This version has known security issues (detailed below).

The only advisory applicable to the submitted code as a whole is SSL rollback, *but* the catch is that FIPS-enabled applications are not affected, because SSLv2 is non-negotiable once FIPS mode is engaged.

> ... FIPS 140-2 compliance, which is a requirement for us.

Do talk to the OSS institute! The effort needs every bit of support, including moral.

A.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [EMAIL PROTECTED]
