If you don't know what FIPS 186-4 is, then ignore this and count yourself
lucky.

I'm getting a lot of private queries about this issue and so want to put
this statement in a public forum for reference.

Effective Jan 1, some new FIPS 140-2 validation requirements were
introduced. As is usually the case, these requirements apply
retroactively to existing validations such as certificate #1747, the
OpenSSL FIPS Object Module 2.0.

A consequence of one of those requirements is a new format for the RSA
algorithm testing, per FIPS 186-4. As currently written the 2.0 module
cannot handle that new algorithm test (FIPS 186-4 didn't exist at the
time that code was written, and we concluded that implementation of the
then extant FIPS 186-3 wasn't feasible).

The new algorithm test could be accommodated with a minor code tweak,
but FIPS 140-2 imposes severe restrictions on the modification of
validated modules. We do not know yet what modifications will be
permitted without retesting of all 80 platforms, an economic and
practical impossibility. After several weeks our test lab is still
researching our very specific questions on what options, if any, remain
for the addition of new platforms to the #1747 validation.

That validation has been widely used as the basis of "private label"
validations where the 2.0 module source code is used to obtain another
validation under a different name and certificate number. All of those
private label validations are similarly affected, and I'm now hearing
from many of those vendors. We are also currently impacted as we have
seven new platforms in our test lab ready for testing (and more on the
way); that work is on hold.

I'll post another message when we know how this story turns out.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
