On 08/24/2016 09:31 AM, Test ssl wrote:
> Hi,
>
> I am having a product which is right now using openssl1.0.1s and
> opensslfips 2.0.1
>
> I am upgrading to openssl1.0.2h, is it OK to still be at opensslfips
> 2.0.1 or do I need to upgrade the opensslfips too to 2.0.12?
>
> Regards,
>

Yes, it's fine to stay at 2.0.1 if that's working for you now. With one singular exception, we're not allowed to implement improvements or bug fixes in a validated cryptographic module, so the later revisions of the OpenSSL FIPS module (now up to 2.0.13) are not "better" in any real-world sense (i.e. better performance, security vulnerability mitigations, etc.). The permitted mods are for platform portability and have to be implemented in a way that does not impact any previously tested platforms.

The exception is the complete removal of Dual EC DRBG as of 2.0.6 (and again for 2.0.8, long story). The Dual EC DRBG was disabled all along, but its complete removal was arguably a vulnerability mitigation. I think that was only allowed (after much delay) as a special case exception due to the notoriety of that algorithm. If not having a dormant Dual EC DRBG matters to you then upgrade to any revision 2.0.8 or later.

-Steve M.

-- 
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc