On 06/25/2013 01:48 PM, mclellan, dave wrote:
> Sorry for the re-post, I thought someone would have some
> authoritative answer, opinion, or experience with this subject of
> compatibility and FIPS approval status when upgrading...
>
> From: mclellan, dave
> Sent: Thursday, June 20, 2013 12:42 PM
> To: [email protected]
> Subject: OpenSSL 1.0.1E and FIPS 2.0.x?
>
> I've searched archives for an answer, but found nothing obvious - if
> we move from OpenSSL 1.0.1c (with FIPS OM 2.0) to OpenSSL 1.0.1e, do
> we also have to move ahead to latest version of FIPS OM which appears
> to be 2.0.4?
From the perspective of the validity of the OpenSSL FIPS Object Module 2.0 validation, all other software including OpenSSL is out of scope of the validation. So policy isn't a constraint on your choice of OpenSSL version and/or revision, only technical compatibility.

The 2.0 FIPS module was designed to be compatible with the OpenSSL 1.0.1 release (including all letter revisions), and hopefully also the upcoming 1.0.2 release.

The letter revisions with OpenSSL 1.0.1 (the most recent being 1.0.1e) address bug and security fixes, so you'll want the latest revision. In the DoD and federal government arena security policies will usually require such upgrades.

The revisions of the FIPS module (the most recent being 2.0.5) are primarily for the purpose of adding support for new platforms. We incorporate the occasional minor bugfix when we can, but the fixes (including security fixes) we'd most like to include we usually can't due to the substantial restrictions on modifications to validated modules. So, there is no reason to upgrade to the latest 2.0 FIPS module revision unless the specific platform(s) of interest require that revision. If you're building a FIPS module for the first time you might as well use the latest revision, but all earlier revisions 2.0, 2.0.1, etc. remain fully valid.

To summarize: always use the latest 1.0.1n revision of OpenSSL, but once you have built and fielded a specific revision 2.0.N of the FIPS module there is no reason to upgrade it even when upgrading to OpenSSL 1.0.1n.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
[email protected]
[email protected]

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
