Let me make that message a little cleaner...

---- Original Message ----
> But in the OpenSSL org docs it is mentioned from 3.0.x onwards FIPS is
> integrated within the OpenSSL code and no need to build it separately.

This means that the FIPS provider is included in the openssl-3.x.y.tar.gz and is no longer a separate download, and can be compiled at the same time as the rest of OpenSSL by using the `enabled-fips` parameter when configuring. It is still a separate binary library module, installed in the same directory as other providers (legacy.so and gost.so, for example).

OpenSSL states on their web page (https://www.openssl.org/source/):

> Please follow the Security Policy instructions to download, build and install a
> validated OpenSSL FIPS provider. Other OpenSSL Releases MAY use the
> validated FIPS provider, but MUST NOT build and use their own FIPS provider.
> For example you can build OpenSSL 3.2 and use the OpenSSL 3.0.8 FIPS
> provider with it.

This means, download and build using the instructions in the Security Policy either 3.0.8 or 3.0.9 for the `fips.so` provider, and download and build whatever version you wish for the openssl command and libraries (libcrypto and libssl).

HOWEVER: There have been reports of problems using a 3.0.x FIPS provider with 3.2.x builds of OpenSSL, so I personally do not want to attempt that. I will continue to use 3.0.x OpenSSL with a 3.0.9 FIPS provider until the 140-3 provider is certified, then I will likely switch to the most current 3.1.x using the 3.1.2 provider.

It is important to remember that if you want to be FIPS certified, your `fips.so` provider *must* be from 3.0.8 or 3.0.9 *only*. No other versions are certified through OpenSSL at this point.

There are commercial sources of FIPS 140-2 certified providers available with varying levels of compatibility. I only have experience with one of them, and can't make any recommendations.

-spw
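
A check for the setup described in the message above, as an added example that is not part of the original message: it parses `openssl list -providers` output and confirms that the loaded FIPS provider reports 3.0.8 or 3.0.9, whatever version the libraries are. The function names and both sample outputs are constructed for illustration.

```bash
# Added example. Validated versions are the two the message names; update the
# list if the certified set changes. Live use:
#   openssl list -providers | check_fips_provider
VALIDATED_FIPS_VERSIONS="3.0.8 3.0.9"

# Read `openssl list -providers` output on stdin and print "<version> <status>"
# for the provider whose id is "fips"; print nothing if it is not listed.
fips_provider_info() {
  awk '
    /^  [^ ]/                         { cur = $1 }   # provider id (2-space indent)
    cur == "fips" && $1 == "version:" { ver = $2 }
    cur == "fips" && $1 == "status:"  { st = $2 }
    END { if (ver != "") print ver, st }
  '
}

# Exit status: 0 = validated version active, 1 = fips provider active but not
# a validated version, 2 = no active fips provider.
check_fips_provider() {
  local info ver status v
  info=$(fips_provider_info)
  ver=${info%% *}; status=${info#* }
  if [ -z "$info" ] || [ "$status" != "active" ]; then
    echo "no active fips provider"; return 2
  fi
  for v in $VALIDATED_FIPS_VERSIONS; do
    if [ "$v" = "$ver" ]; then echo "fips provider $ver: validated version"; return 0; fi
  done
  echo "fips provider $ver: NOT a validated version"; return 1
}

# Constructed sample: OpenSSL 3.2.0 libraries loading a 3.0.9 fips.so.
SAMPLE_OK='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.2.0
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active'
# Constructed sample: fips.so built from the same 3.2.0 tree as the libraries.
SAMPLE_MISMATCH='Providers:
  fips
    name: OpenSSL FIPS Provider
    version: 3.2.0
    status: active'

printf '%s\n' "$SAMPLE_OK" | check_fips_provider
printf '%s\n' "$SAMPLE_MISMATCH" | check_fips_provider || true
```

The check only compares the version string the provider reports; it does not show that the module was built and installed according to the Security Policy.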