> From: Prasad, PCRaghavendra
> We are planning to upgrade the OpenSSL version from 3.0.12 to version 3.2.x version
>
> We are currently using the OpenSSL FIPS enablement feature in our application, so if we upgrade to a newer version of OpenSSL 3.2.x version are there any changes w.r.t fips?
> We need to be in line with fips 140-2 standard. Is the process the same that way we upgraded to different versions of 3.0.x versions (like 3.0.8 to 3.0.9 and 3.0.9 to 3.0.12 etc)

You *must* use the fips.so from either 3.0.8 or 3.0.9, built in accordance with the Security Policy, in order to claim FIPS 140-2 certification. These are the only versions listed on the OpenSSL certificate. (https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4282).

There have been several messages on one of the OpenSSL mailing lists about problems using the 3.0.x FIPS provider with 3.2.x OpenSSL builds, so it may not be possible to be FIPS compliant with OpenSSL 3.2.

-spw
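The following is an added example, not part of the original message: a shell check that the loaded FIPS provider reports one of the versions the reply names, reading text in the shape printed by `openssl list -providers`. The function names and the sample output (including the 3.2.1 version string) are constructed for illustration.

```shell
#!/bin/sh
# Added example. FIPS provider versions the reply above names as listed on
# certificate #4282.
APPROVED="3.0.8 3.0.9"

# Print "<version> <status>" for the provider with id "fips", reading text in
# the shape printed by `openssl list -providers` on stdin.
fips_provider_info() {
    awk '
        /^  [^ ]/ { id = $1 }                       # 2-space indent: provider id
        id == "fips" && $1 == "version:" { ver = $2 }
        id == "fips" && $1 == "status:"  { st = $2 }
        END { if (ver != "") print ver, st }'
}

# Exit 0: listed version and active. 1: unlisted version. 2: no fips provider.
# 3: present but not active.
check_fips_provider() {
    info=$(fips_provider_info)
    [ -n "$info" ] || { echo "no fips provider loaded"; return 2; }
    ver=${info%% *}; status=${info#* }
    [ "$status" = "active" ] || { echo "fips provider $ver is not active"; return 3; }
    for ok in $APPROVED; do
        [ "$ver" = "$ok" ] && { echo "fips provider $ver is a listed version"; return 0; }
    done
    echo "fips provider $ver is not a listed version"; return 1
}

# Constructed sample output (not captured from a real host).
sample_providers() {   # $1 = version string to report for the fips provider
    printf 'Providers:\n  base\n    name: OpenSSL Base Provider\n'
    printf '    version: 3.2.1\n    status: active\n'
    printf '  fips\n    name: OpenSSL FIPS Provider\n'
    printf '    version: %s\n    status: active\n' "$1"
}

sample_providers 3.0.9 | check_fips_provider
sample_providers 3.2.1 | check_fips_provider || true
# On a real host: openssl list -providers | check_fips_provider
```

The version check only confirms which provider build is loaded; whether that fips.so was built in accordance with the Security Policy has to be established from the build process itself.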