On 01/19/2016 01:54 PM, security veteran wrote:
> Hi All:
>
> What version of OpenSSL source can be built with FIPS modules?

Stock OpenSSL 0.9.8 is compatible with the 1.2 module only
(openssl-fips-1.2.N.tar.gz). Note the 1.2 module will die at the end of
this month.

Stock OpenSSL 1.0.N is compatible with the 2.0 module only
(openssl-fips-2.0.N.tar.gz).

OpenSSL 1.1 is not compatible with any FIPS module.

> We are using Ubuntu, and we noticed that the Ubuntu 12.04 and 14.04
> packaged their openssl .deb from different versions of openssl source.
>
> e.g. Ubuntu 12.04 uses openssl_1.0.1
> <http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_1.0.1.orig.tar.gz> and
> Ubuntu 14.04 uses openssl_1.0.1f
> <https://launchpad.net/ubuntu/+archive/primary/+files/openssl_1.0.1f.orig.tar.gz>
>
> Can the OpenSSL FIPS modules be built with both of these two different
> versions of OpenSSL?

Keep in mind that the OpenSSL bundled with Ubuntu isn't stock OpenSSL,
and isn't built as a "FIPS capable" OpenSSL. I don't know how feasible
it will be to rebuild those Ubuntu sources with the "fips" option to
make a "FIPS capable" OpenSSL, as I haven't looked at the Ubuntu
modifications. Try it and see.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc