On 06/17/2016 07:48 AM, Alibek Joraev wrote:
> Currently, I use 1.0.1 series (with current one being 1.0.1t) of OpenSSL
> with OpenSSL FIPS module version 2.0.2.
> as 1.0.1 version nears its long term support, I would like to upgrade to
> OpenSSL 1.0.2h, but keep existing 2.0.2 FIPS module.
>
> I can see that latest OpenSSL 1.0.2h is posted together with FIPS module
> 2.0.12.
>
> is OpenSSL 1.0.2h compatible with older FIPS modules? or do I also have
> to upgrade to newest FIPS module?
>
> ...

All revisions of OpenSSL 1.0.2 are compatible with all revisions of the
OpenSSL FIPS Object Module 2.0. So you can keep your existing 2.0.2 FIPS
module and upgrade from 1.0.1 to 1.0.2.

Note that in general there is no advantage to upgrading to newer FIPS
module revisions (e.g. from 2.0.2 to 2.0.12) as in general we're not
allowed to do bugfixes or feature enhancements; the newer revisions are
not "better" in the sense usually expected for open source software.

The exception to that statement is a feature enhancement of sorts, the
removal of Dual EC DRBG that occurred at 2.0.6. If completely removing
Dual EC DRBG matters to you[1] then you can upgrade to any revision
2.0.6+, all of which will work for any platform supported by 2.0.2. If
you're upgrading you might as well go straight to 2.0.12[2], while
realizing you'll always be a revision or three behind (2.0.13 is in the
works).

Also please note that at some point you'll want or need to upgrade to
OpenSSL 1.1, for which no FIPS 140 support is currently available or
planned at anything beyond the wistful thinking stage.

-Steve M.

[1] why you might: http://veridicalsystems.com/blog/immutability-of-fips/

[2] Unless, sigh, your platform(s) of interest are listed only for the
#1747 or #2473 validations which stop at revision 2.0.10, in which case
that's the newest FIPS module revision with the magical pixie dust of
FIPS righteousness, even though the latest revision (2.0.12)
functionally supports all platforms for all validations.

--
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc