FIPS module for OpenSSL 1.1.1x


FIPS module for OpenSSL 1.1.1x

shiva kumar
Hi,
I wanted to move from OpenSSL 1.0.2r to 1.1.1b. I have some doubts; they are:

1) If I upgrade to 1.1.1b, will it cause any problem to other applications which use OpenSSL for communications (say, Apache HTTP server)?

2) Can I expect a FIPS module for 1.1.1b as well?

3) Since OpenSSL 1.1.1b doesn't have FIPS, will this affect any other application?



Thanks and regards
Shivakumar S


RE: FIPS module for OpenSSL 1.1.1x

Michael Wojcik
> From: openssl-users [mailto:[hidden email]] On Behalf Of shiva kumar
> Sent: Thursday, May 16, 2019 04:30

> 1) If I upgrade to 1.1.1b will it cause any problem to other applications? which
> uses openssl for communications. ( say apache http server ).

I don't think anyone on the openssl-users list can predict the future.

OpenSSL 1.1.1, in its default configuration (using the default cipher list, etc.) does disable some algorithms which are now deemed unsafe. That may prevent connecting to old peers that only support deprecated algorithms. The workarounds are to upgrade (or reconfigure) the peers, or change the cipher list or other configuration for the component using 1.1.1.

On the other hand, 1.1.1 adds support for TLSv1.3 and other newer TLS features, so it will improve compatibility with peers that require support for contemporary protocols and algorithms.

Since there have been many versions of Apache, and it offers a multitude of configurations, it's impossible to guess whether you'd have interoperability issues with it.

> 2) can I expect FIPS module for 1.1.1b as well ?

No. This has been discussed ad nauseam on the list, and is well-documented on the openssl.org site. The next FIPS module release will be for the next major OpenSSL release (which will be called OpenSSL 3 or OpenSSL 4), and will likely not be available until sometime in 2020.

> 3) since OpenSSL 1.1.1b doesn't have FIPS will this affect any other application ?

Any application that uses OpenSSL and requires FIPS mode (that is, insists on enabling it) will have to use 1.0.2 until 3 (or 4) is available. Any application that claims FIPS validation (or uses "FIPS inside" branding) and uses OpenSSL will have to use 1.0.2 until 3 is available.

FIPS mode should not be required for interoperability. FIPS 140-2 restricts what features are available; it doesn't add any. Those features are all still available outside FIPS mode.

--
Michael Wojcik
Distinguished Engineer, Micro Focus
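An added example, not code from any message in this thread: the reply above says the practical knob for legacy peers is the cipher list, so this script lets an operator see, before touching that knob, which suites the local OpenSSL build actually offers under a given cipher string and which of them are legacy (non-AEAD, static RSA key exchange, MD5/SHA1 MAC, RC4/DES/NULL/export). It uses only Python's standard `ssl` module; the weakness heuristics and the function names are the example's own, not OpenSSL's.

```python
"""Inspect the cipher suites a cipher string enables on this OpenSSL build.

Added illustration for the thread above; not from OpenSSL or the posters.
Uses SSLContext.get_ciphers(), which reports what OpenSSL would offer.
"""
import ssl

# Name tokens that only appear in legacy suites (heuristic chosen for this example).
LEGACY_TOKENS = ("RC4", "DES", "NULL", "EXP", "ADH", "AECDH", "PSK", "SRP")


def openssl_build_info():
    """Version and TLS 1.3 availability of the OpenSSL library Python is linked against."""
    return {
        "version": ssl.OPENSSL_VERSION,
        "version_info": ssl.OPENSSL_VERSION_INFO,
        "tls13": ssl.HAS_TLSv1_3,
    }


def flag_weaknesses(cipher):
    """Return a list of concerns for one cipher dict shaped like the entries of
    SSLContext.get_ciphers() (keys used: name, kea, digest, aead).
    An empty list means nothing in this heuristic set applies."""
    concerns = []
    name = cipher["name"]
    if not cipher.get("aead"):
        concerns.append("not AEAD")
    # OpenSSL reports key exchange as e.g. 'kx-rsa' / 'kx-ecdhe' / 'kx-any' (TLS 1.3).
    if (cipher.get("kea") or "").lower() in ("rsa", "kx-rsa"):
        concerns.append("no forward secrecy")
    digest = (cipher.get("digest") or "").lower()
    if digest in ("md5", "sha1", "sha"):
        concerns.append(f"{digest.upper()} MAC")
    tokens = set(name.split("-"))
    for token in LEGACY_TOKENS:
        if token in tokens:
            concerns.append(f"legacy algorithm {token}")
    return concerns


def audit_cipher_spec(spec="DEFAULT"):
    """Apply an OpenSSL cipher string to a fresh client context and return one
    record per suite OpenSSL would offer with it. TLS 1.3 suites are governed
    separately by OpenSSL and are listed regardless of the string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing matches
    return [
        {"name": c["name"], "protocol": c["protocol"], "concerns": flag_weaknesses(c)}
        for c in ctx.get_ciphers()
    ]


def summarize(records):
    """Count suites with and without concerns, so a proposed cipher string for
    a legacy peer can be compared against DEFAULT before it is deployed."""
    flagged = sum(1 for r in records if r["concerns"])
    return {"total": len(records), "flagged": flagged, "clean": len(records) - flagged}


if __name__ == "__main__":
    print(openssl_build_info())
    default = audit_cipher_spec("DEFAULT")
    print("DEFAULT:", summarize(default))
    for rec in default:
        if rec["concerns"]:
            print(f"  {rec['name']:32} {rec['protocol']:8} {', '.join(rec['concerns'])}")
```

Run it once with `DEFAULT`, then again with the cipher string you intend to give the component that must still talk to the old peer; the difference in the two summaries is exactly the exposure that the workaround re-introduces, which is what you want on record before changing production configuration.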




Re: FIPS module for OpenSSL 1.1.1x

Dennis Clarke-2
On 5/16/19 12:14 PM, Michael Wojcik wrote:
>> From: openssl-users [mailto:[hidden email]] On Behalf Of shiva kumar
>> Sent: Thursday, May 16, 2019 04:30
>
>> 1) If I upgrade to 1.1.1b will it cause any problem to other applications? which
>> uses openssl for communications. ( say apache http server ).
>
> I don't think anyone on the openssl-users list can predict the future.
>

I can. However, only a few microseconds. Thankfully speech and human
communications are so slow on a macroscopic scale that it is measurably
impossible to catch me in an error.


--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional

Re: FIPS module for OpenSSL 1.1.1x

Dr Paul Dale
In reply to this post by shiva kumar
In answer to the second question: there will *never* be a FIPS module for any 1.1.1 OpenSSL version.
The next version of OpenSSL will be 3.0.0 and it will support FIPS.
There will be a gap in FIPS support between the end of life of 1.0.2 and the validation of 3.0.0.


Pauli
-- 
Dr Paul Dale | Cryptographer | Network Security & Encryption 
Phone +61 7 3031 7217
Oracle Australia



On 16 May 2019, at 8:29 pm, shiva kumar <[hidden email]> wrote: