OK Tomas, thanks for the clarification, it is clear now 😊

Internal Use - Confidential

-----Original Message-----
From: Tomas Mraz <tomas@openssl.org>
Sent: Wednesday, March 6, 2024 5:09 PM
To: Prasad, PCRaghavendra; Wall, Stephen; openssl-users@openssl.org
Cc: Ds, Pradeep Kumar; Chandramouli, Basavaraj - Dell Team
Subject: Re: Need help - upgrading openssl version from 3.0.12 to 3.2.x version

[EXTERNAL EMAIL]

Yes, exactly. If you use the FIPS module that is part of the 3.2.x version, it will not be FIPS compliant as that version is not FIPS validated. It is still present there and can be built with enable-fips but is not validated.

You can combine the OpenSSL library (libcrypto+libssl shared or statically linked libraries) from the 3.2.x version with the FIPS module (fips.so/fips.dll) built from the validated version of the OpenSSL tarball.

Regards,
Tomas Mraz

On Tue, 2024-03-05 at 12:37 +0000, Prasad, PCRaghavendra wrote:
> Hi Tomas,
>
> If we are using OpenSSL 3.2.x and during the build we use the
> option enable-fips and install OpenSSL, then we can't claim FIPS
> compliance.
> Is this understanding right?
>
> OpenSSL FIPS provider module 3.0 (#4282) is tested only in 3.0.8 and
> 3.0.9 and that is the reason we should pick from these OpenSSL
> versions.
> What is the OpenSSL FIPS provider module in the OpenSSL 3.2.x version?
>
> Thanks,
> Raghu
>
>
> -----Original Message-----
> From: Prasad, PCRaghavendra
> Sent: Thursday, February 29, 2024 8:23 PM
> To: Tomas Mraz; Wall, Stephen; openssl-users@openssl.org
> Subject: RE: Need help - upgrading openssl version from 3.0.12 to 3.2.x version
>
> Hi Tomas,
>
> If we migrate from 3.0.x to 3.2.x directly, do we need to take care of
> any use cases? We are carrying OpenSSL (libcrypto and libssl) in our
> Python application and use them during encryption/decryption,
> handshake etc.
>
> So should we take care of any specific things as part of the migration,
> as it is a major change from 3.0.x to 3.2.x? (Will there be any
> specific code changes or config changes we as an application need to
> consider?)
>
> Thanks
>
>
> -----Original Message-----
> From: Tomas Mraz <tomas@openssl.org>
> Sent: Tuesday, February 27, 2024 1:14 PM
> To: Prasad, PCRaghavendra; Wall, Stephen; openssl-users@openssl.org
> Subject: Re: Need help - upgrading openssl version from 3.0.12 to 3.2.x version
>
> For FIPS compliance you definitely need to use the validated version
> of a FIPS provider. Please see the instructions here [1] on how to
> combine the latest release with a validated FIPS provider version.
>
> [1] https://github.com/openssl/openssl/blob/master/README-FIPS.md
>
> Tomas Mraz, OpenSSL
>
> On Tue, 2024-02-27 at 05:55 +0000, Prasad, PCRaghavendra wrote:
> > Thanks, Tomas,
> >
> > So we can use OpenSSL 3.2.0 and enable FIPS during the build step
> > and get the fips.so
> >
> > OR
> >
> > we should take the OpenSSL 3.2.0 code and then take the FIPS
> > provider from OpenSSL 3.0.8 or 3.0.9 and build, then get the
> > fips.so and fipsmodule.cnf and combine them with OpenSSL 3.2.0
> >
> > Thanks,
> > Raghu
> >
> > -----Original Message-----
> > From: openssl-users <openssl-users-bounces@openssl.org> On Behalf Of
> > Tomas Mraz
> > Sent: Tuesday, February 27, 2024 9:05 AM
> > To: Wall, Stephen; openssl-users@openssl.org
> > Subject: Re: Need help - upgrading openssl version from 3.0.12 to
> > 3.2.x version
> >
> > On Mon, 2024-02-26 at 22:38 +0000, Wall, Stephen wrote:
> > > > Please note that we actually test running the 3.0.8 and 3.0.9
> > > > validated versions of the FIPS provider with the 3.2 OpenSSL in
> > > > the CI and it works. We are not aware of any problems with
> > > > running the validated versions of the FIPS provider with the
> > > > current OpenSSL versions.
> > >
> > > OK, so https://github.com/openssl/openssl/issues/23400 doesn't actually
> > > prevent OpenSSL from working, it's just an issue with `openssl
> > > fipsinstall`. I hadn't followed it closely enough, just briefly
> > > saw some messages go past.
> >
> > Yeah, that issue is not really preventing the 3.0.x FIPS provider
> > working with subsequent OpenSSL releases. It's just a matter of a
> > minor FIPS compliance issue. (Depending on different views it might
> > matter for the FIPS compliance or not.)
> >
> > > Good to know. Will the same apply to the 140-3 module and OpenSSL
> > > 3.2?
> >
> > Yes, that is and always was the intention. The FIPS provider is
> > built in a way that it can be used with any other version, and the
> > same applies to third party providers.
> >
> > --
> > Tomáš Mráz, OpenSSL
> >
> --
> Tomáš Mráz, OpenSSL
--
Tomáš Mráz, OpenSSL
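For readers following the combination Tomas describes (3.2.x libcrypto/libssl loading the fips.so built from the validated 3.0.8/3.0.9 tarball), this is what the application's openssl.cnf ends up looking like. It is an added illustration for this thread, not text from the list or from the OpenSSL README linked above. The install paths (/usr/local/lib64/ossl-modules/fips.so and /usr/local/ssl/fipsmodule.cnf) are assumptions; substitute the paths of your own build. The fips.so comes from the validated tarball configured with enable-fips, and fipsmodule.cnf is the output of that build's own `openssl fipsinstall`, which records the module's integrity MAC.

```ini
# openssl.cnf for an application linked against OpenSSL 3.2.x that loads the
# FIPS provider built from the validated 3.0.8/3.0.9 tarball.
# Added example for this thread; the paths below are assumed, not the
# project's defaults. Adjust them to your installation.

openssl_conf = openssl_init

# Make configuration errors fatal instead of silently continuing without
# the providers, which would otherwise leave you running non-FIPS code.
config_diagnostics = 1

# Written by the validated build's own fipsinstall, e.g.
#   openssl fipsinstall -module /usr/local/lib64/ossl-modules/fips.so \
#                       -out /usr/local/ssl/fipsmodule.cnf
# It contains [fips_sect] with activate = 1 and the module-mac line.
# The path must be absolute.
.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
# The validated module; its section is supplied by the included fipsmodule.cnf.
fips = fips_sect
# The base provider contributes no algorithms, only the encoders/decoders and
# store loaders needed to read keys and certificates from files, which the
# FIPS provider deliberately does not ship.
base = base_sect

[base_sect]
activate = 1

[algorithm_sect]
# Default property query: only FIPS implementations may be selected, so a
# stray default provider load cannot quietly fall back to non-validated code.
default_properties = fips=yes
```

If the 3.0.x fips.so is not placed in the 3.2.x build's module directory, either set OPENSSL_MODULES to the directory holding it or add a `module = /path/to/fips.so` line to fips_sect. To confirm the combination is actually in effect, run `openssl list -providers -verbose` with this config: `openssl version` should report 3.2.x while the fips entry reports the 3.0.8 or 3.0.9 version string and status active.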