If, as I suspect, the Ubuntu and Debian OpenSSL packages share
the packaging work and patches, then the situation is a bit
different.

At least for Debian, the OpenSSL packages:

- Freeze the visible patch level letter at whatever it was on
  some freeze date prior to release (for instance it may say
  "1.0.1e")

- Include backports of all relevant security patches in Debian
  packages versioned e.g. 1.0.1e-2+deb7u18 (meaning the 18th patch
  release since version 2 of the 1.0.1e packaging was included in
  Debian 7.0).

- Include additional patches to do "symbol versioning" wherever
  the 1.0.x libraries contain ABI differences that would otherwise
  break running software compiled to run against shared libraries
  built from the 1.0.0 tree against shared libraries compiled from
  the 1.0.1 tree (etc.). Basically, they fix bugs in the binary
  compatibility within the 1.0.x upstream releases.

- An unknown number of truly custom patches, one of which used to
  accidentally cripple key generation so badly they were actually
  able to release a blacklist of all the public keys it could
  possibly generate (after they found the bug).

On 19/01/2016 20:30, security veteran wrote:
> Thanks Steve.
>
> I believe the OpenSSL bundled with Ubuntu basically just added some
> Ubuntu packaging stuff such as the package installation scripts, the
> dependency information, etc. The main source code should be pretty
> much the same and all the patches should still come from the OpenSSL
> community.
>
> Another option I was thinking was, build the FIPS modules with the
> openssl source in Ubuntu package, and then just replace the original
> Ubuntu libcrypto.so file with the libcrypto.so which integrated with
> the FIPS modules. Ideally this should work, or do you see any possible
> issues of doing this way?
>
> Thanks.
>
> On Tue, Jan 19, 2016 at 11:17 AM, Steve Marquess <marquess at openssl.com> wrote:
>
> > On 01/19/2016 01:54 PM, security veteran wrote:
> > > Hi All:
> > >
> > > What version of OpenSSL source can be built with FIPS modules?
> >
> > Stock OpenSSL 0.9.8 is compatible with the 1.2 module only
> > (openssl-fips-1.2.N.tar.gz). Note the 1.2 module will die at the
> > end of this month.
> >
> > Stock OpenSSL 1.0.N is compatible with the 2.0 module only
> > (openssl-fips-2.0.N.tar.gz).
> >
> > OpenSSL 1.1 is not compatible with any FIPS module.
> >
> > > We are using Ubuntu, and we noticed that the Ubuntu 12.04 and 14.04
> > > packaged their openssl .deb from different versions of openssl source.
> > >
> > > e.g. Ubuntu 12.04 uses openssl_1.0.1
> > > <http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_1.0.1.orig.tar.gz> and
> > > Ubuntu 14.04 uses openssl_1.0.1f
> > > <https://launchpad.net/ubuntu/+archive/primary/+files/openssl_1.0.1f.orig.tar.gz>
> > >
> > > Can the OpenSSL FIPS modules be built with both of these two different
> > > versions of OpenSSL?
> >
> > Keep in mind that the OpenSSL bundled with Ubuntu isn't stock OpenSSL,
> > and isn't built as a "FIPS capable" OpenSSL. I don't know how feasible
> > it will be to rebuild those Ubuntu sources with the "fips" option to
> > make a "FIPS capable" OpenSSL, as I haven't looked at the Ubuntu
> > modifications. Try it and see.
> >
> > -Steve M.
> >
> > --
> > Steve Marquess
> > OpenSSL Software Foundation
> > 1829 Mount Ephraim Road
> > Adamstown, MD 21710
> > USA
> > +1 877 673 6775 s/b
> > +1 301 874 2571 direct
> > marquess at openssl.com
> > gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
> > _______________________________________________
> > openssl-users mailing list
> > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
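
The Debian versioning scheme described in the message above, as an added example that is not part of the original thread: because the upstream letter stays frozen while fixes are backported, patch state has to be judged from the full package version, compared with Debian's version ordering rules. The function names are hypothetical, and the two "fixed" versions are constructed for illustration.

```python
import re
from itertools import zip_longest

def _order(ch):
    # Debian ordering: '~' sorts before everything, even end of string;
    # letters sort before the other non-digit characters.
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_fragment(a, b):
    """Compare two upstream or revision strings with Debian's ordering rules."""
    pairs = zip_longest(re.findall(r"(\D*)(\d*)", a),
                        re.findall(r"(\D*)(\d*)", b), fillvalue=("", ""))
    for (text_a, num_a), (text_b, num_b) in pairs:
        width = max(len(text_a), len(text_b))
        key_a = [_order(c) for c in text_a] + [0] * (width - len(text_a))
        key_b = [_order(c) for c in text_b] + [0] * (width - len(text_b))
        if key_a != key_b:
            return -1 if key_a < key_b else 1
        n_a, n_b = int(num_a or 0), int(num_b or 0)  # numeric, so u9 < u18
        if n_a != n_b:
            return -1 if n_a < n_b else 1
    return 0

def split_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, colon, rest = version.partition(":")
    if not colon:
        epoch, rest = "0", version
    upstream, dash, revision = rest.rpartition("-")
    if not dash:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 as package version a is older, equal or newer than b."""
    (ep_a, up_a, rev_a), (ep_b, up_b, rev_b) = split_version(a), split_version(b)
    if ep_a != ep_b:
        return -1 if ep_a < ep_b else 1
    return _cmp_fragment(up_a, up_b) or _cmp_fragment(rev_a, rev_b)

def has_fix(installed, fixed_in):
    """True when the installed package is at or past the fixed package version."""
    return compare_versions(installed, fixed_in) >= 0

if __name__ == "__main__":
    installed = "1.0.1e-2+deb7u18"   # version string quoted in the message
    fixed_pkg = "1.0.1e-2+deb7u17"   # constructed: package carrying a backported fix
    fixed_upstream = "1.0.1f"        # constructed: upstream release with the same fix
    print("package-level check:", has_fix(installed, fixed_pkg))
    print("upstream-letter check:", has_fix(installed, fixed_upstream))
```

The second check reports the package as unfixed only because it compares against an upstream release letter, which is the false positive a banner-based scanner produces on a backported package.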