repost: OpenSSL 1.0.1E and FIPS 2.0.x?

2013-06-25 Thread mclellan, dave
Sorry for the re-post, I thought someone would have some authoritative answer, 
opinion, or experience with this subject of compatibility and FIPS approval 
status when upgrading...

From: mclellan, dave
Sent: Thursday, June 20, 2013 12:42 PM
To: openssl-users@openssl.org
Subject: OpenSSL 1.0.1E and FIPS 2.0.x?

I've searched archives for an answer, but found nothing obvious - if we move 
from OpenSSL 1.0.1c (with FIPS OM 2.0) to OpenSSL 1.0.1e, do we also have to 
move ahead to the latest version of FIPS OM, which appears to be 2.0.4?

Thanks
+-+-+-+-+-+-+
Dave McLellan, Symmetrix Software Engineering
EMC Corporation, 176 South St, Hopkinton MA
Mail Stop 176-B1 1/P-36
office 508-249-1257, fax 508-497-8027
cell 978-500-2546
+-+-+-+-+-+-+



Re: repost: OpenSSL 1.0.1E and FIPS 2.0.x?

2013-06-25 Thread Steve Marquess
On 06/25/2013 01:48 PM, mclellan, dave wrote:
> Sorry for the re-post, I thought someone would have some
> authoritative answer, opinion, or experience with this subject of
> compatibility and FIPS approval status when upgrading...
>
> From: mclellan, dave
> Sent: Thursday, June 20, 2013 12:42 PM
> To: openssl-users@openssl.org
> Subject: OpenSSL 1.0.1E and FIPS 2.0.x?
>
> I've searched archives for an answer, but found nothing obvious - if
> we move from OpenSSL 1.0.1c (with FIPS OM 2.0) to OpenSSL 1.0.1e, do
> we also have to move ahead to the latest version of FIPS OM, which appears
> to be 2.0.4?

From the perspective of the validity of the OpenSSL FIPS Object Module
2.0 validation, all other software including OpenSSL is out of scope of
the validation. So policy isn't a constraint on your choice of OpenSSL
version and/or revision, only technical compatibility.

The 2.0 FIPS module was designed to be compatible with the OpenSSL 1.0.1
release (including all letter revisions), and hopefully also the
upcoming 1.0.2 release.

The letter revisions with OpenSSL 1.0.1 (the most recent being 1.0.1e)
address bug and security fixes, so you'll want the latest revision. In
the DoD and federal government arena security policies will usually
require such upgrades.

The revisions of the FIPS module (the most recent being 2.0.5) are
primarily for the purpose of adding support for new platforms. We
incorporate the occasional minor bugfix when we can, but the fixes
(including security fixes) we'd most like to include we usually can't
due to the substantial restrictions on modifications to validated modules.

So, there is no reason to upgrade to the latest 2.0 FIPS module revision
unless the specific platform(s) of interest require that revision. If
you're building a FIPS module for the first time you might as well use
the latest revision, but all earlier revisions 2.0, 2.0.1, etc. remain
fully valid.

To summarize: always use the latest 1.0.1n revision of OpenSSL, but once
you have built and fielded a specific revision 2.0.N of the FIPS module
there is no reason to upgrade it even when upgrading to OpenSSL 1.0.1n.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager   majord...@openssl.org
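The decision rule Steve lays out (take the newest OpenSSL 1.0.1 letter revision, keep the fielded 2.0.N FIPS module unless the target platform needs a newer revision) can be written down so it is applied the same way on every upgrade review. The code below is an added example and is not from the thread or from the OpenSSL project; it assumes version strings in the forms `openssl version` prints ("OpenSSL 1.0.1e 11 Feb 2013", "1.0.1e-fips") and plain "2.0.5"-style FIPS module revisions, and the `platform_min_fips` parameter is a hypothetical input the reviewer fills in from the module's platform list.

```python
"""Upgrade advice for an OpenSSL 1.0.1 + FIPS Object Module 2.0 build.

Added example (not the OpenSSL project's code). Version strings used in
the usage section are constructed samples.
"""
import re
from typing import NamedTuple, Optional, Tuple


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    fix: int
    letter: str  # "" for the base release, "a".."z" for letter revisions


# Accepts "1.0.1e", "OpenSSL 1.0.1e 11 Feb 2013" and "1.0.1e-fips".
_VERSION_RE = re.compile(
    r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-fips)?(?:\s|$)")

# FIPS Object Module revisions: "2.0" (base), "2.0.1", ... "2.0.5".
_FIPS_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_openssl_version(text: str) -> OpenSSLVersion:
    """Parse an OpenSSL version string; tuple order sorts base < a < b < ..."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    return OpenSSLVersion(int(m[1]), int(m[2]), int(m[3]), m[4])


def parse_fips_module_version(text: str) -> Tuple[int, int, int]:
    """Parse a 2.0.N module revision; a bare '2.0' is revision 2.0.0."""
    m = _FIPS_RE.search(text)
    if not m:
        raise ValueError(f"not a FIPS module revision: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3] or 0))


def format_version(v: OpenSSLVersion) -> str:
    return f"{v.major}.{v.minor}.{v.fix}{v.letter}"


class Advice(NamedTuple):
    upgrade_openssl: bool
    upgrade_fips_module: bool
    reason: str


def upgrade_advice(current_openssl: str, latest_openssl: str,
                   fielded_fips: str,
                   platform_min_fips: Optional[str] = None) -> Advice:
    """Apply the rule from the thread: OpenSSL letter revisions carry bug and
    security fixes, so lag there is an upgrade; the validated 2.0.N module
    is only upgraded when the platform of interest requires a newer revision
    (platform_min_fips is a hypothetical, reviewer-supplied input)."""
    cur = parse_openssl_version(current_openssl)
    latest = parse_openssl_version(latest_openssl)
    fips = parse_fips_module_version(fielded_fips)
    if fips[:2] != (2, 0):
        raise ValueError("this rule covers only the 2.0.x FIPS Object Module")

    reasons = []
    upgrade_openssl = cur < latest
    if upgrade_openssl:
        reasons.append(f"OpenSSL {format_version(cur)} -> {format_version(latest)}:"
                       " letter revisions carry bug and security fixes")
    else:
        reasons.append(f"OpenSSL {format_version(cur)} is already current")

    upgrade_fips = False
    if platform_min_fips is not None and fips < parse_fips_module_version(platform_min_fips):
        upgrade_fips = True
        reasons.append(f"FIPS module {fielded_fips} predates the revision this"
                       f" platform needs ({platform_min_fips})")
    else:
        reasons.append(f"FIPS module {fielded_fips} stays valid; the OpenSSL"
                       " version is out of scope of the validation")
    return Advice(upgrade_openssl, upgrade_fips, "; ".join(reasons))


if __name__ == "__main__":
    # Constructed sample: the situation asked about in the thread.
    print(upgrade_advice("OpenSSL 1.0.1c 10 May 2012", "1.0.1e", "2.0"))
    # Constructed sample: current OpenSSL, but a platform that needs 2.0.5.
    print(upgrade_advice("1.0.1e", "1.0.1e", "2.0.1", platform_min_fips="2.0.5"))
```

The letter revision is kept as a string field so that the plain tuple ordering of `OpenSSLVersion` already places the base release before "a" and "c" before "e"; the FIPS revision is parsed separately because the two numbering schemes are independent, which is the point of Steve's answer.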


RE: repost: OpenSSL 1.0.1E and FIPS 2.0.x?

2013-06-25 Thread mclellan, dave
Excellent. Thank you very much. Very helpful, and exactly what we need to 
know.

Dave 

+-+-+-+-+-+-+ 
Dave McLellan, Symmetrix Software Engineering
EMC Corporation, 176 South St, Hopkinton MA
Mail Stop 176-B1 1/P-36
office 508-249-1257, fax 508-497-8027
cell 978-500-2546
+-+-+-+-+-+-+ 




OpenSSL 1.0.1E and FIPS 2.0.x?

2013-06-20 Thread mclellan, dave
I've searched archives for an answer, but found nothing obvious - if we move 
from OpenSSL 1.0.1c (with FIPS OM 2.0) to OpenSSL 1.0.1e, do we also have to 
move ahead to the latest version of FIPS OM, which appears to be 2.0.4?

Thanks
+-+-+-+-+-+-+
Dave McLellan, Symmetrix Software Engineering
EMC Corporation, 176 South St, Hopkinton MA
Mail Stop 176-B1 1/P-36
office 508-249-1257, fax 508-497-8027
cell 978-500-2546
+-+-+-+-+-+-+