I've just been informed that we have received the long-awaited official approval of the vulnerability fix for the OpenSSL FIPS Object Module v1.1.1. The patched version of that product is now known as v1.1.2 with the new validation certificate number 918 and can be downloaded from http://www.openssl.org/source/openssl-fips-1.1.2.tar.gz.

Please note that the DSA algorithm has been removed from the validation
because the rules for DSA changed and the code didn't.

I am keenly aware that the effective revocation of the earlier
validation more than a month before this patch was approved caused
significant disruption for some users of the FIPS validated OpenSSL
module.  This incident demonstrates both business and operational risks
with validated software that I won't belabor now.  It also demonstrates
the need for a more efficient evaluation process that takes into
consideration the open and transparent nature of products such as the
OpenSSL crypto module.

OSSI will continue to push the OpenSSL validation process.  We will also
continue to work with the CMVP and other government agencies to try and
facilitate the development and adoption of more efficient means of
evaluating these products.

-Steve M.

--
Steve Marquess
Open Source Software Institute
[EMAIL PROTECTED]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
