Due to a vulnerability discovered in the OpenSSL FIPS Object Module
v1.1.1 (see http://www.openssl.org/news/secadv_20071129.txt) a patched
version has been submitted for FIPS 140-2 validation approval.  We
anticipate at least another week before completion of that "fast track"
approval process.

We feel the odds of source modifications to that distribution tarball
are low.  Also, if any non-trivial modifications were to be required we
have already concluded that our very limited resources would best be
directed towards timely completion of the ongoing v1.2 validation, and
thus further work on this patched v1.1.1 validation will be abandoned.

Accordingly I've decided to go ahead and release this as yet UNvalidated
distribution for the benefit of those vendors who have asked for an
advance copy.  This distribution can be found at
http://www.openssl.org/source/openssl-fips-1.1.2.tar.gz.  The HMAC-SHA-1
digest is e0a9c4b06ecae197084ae152524dd39fcaab695d.  The previous v1.1.1
distribution has been removed as it has no value now that the
corresponding validation has effectively been revoked.

Please note that there is no guarantee that this distribution will ever
be validated.  Until and if it is validated any software generated from
it will NOT satisfy the requirements for FIPS 140-2 validated software.

However, *if* this distribution is built precisely in accordance with
the Security Policy
(http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp733.pdf)
then the resulting module will retroactively become validated at the
time of the official formal CMVP certificate award.  Vendors who want to
take a chance on the outcome can thus use this distribution to prepare
software now for release at that future time.

Note there will be a revised Security Policy along with the new
algorithm and FIPS 140-2 certificate numbers and the digest given above,
but the build/install instructions will not change.

-Steve M.

-- 
Steve Marquess
Open Source Software Institute
[EMAIL PROTECTED]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
