OpenSSL 1.0.2 EOL and new FIPS-validated crypto module


OpenSSL 1.0.2 EOL and new FIPS-validated crypto module

Salman Baset
Hello everyone,

I was wondering if there is any update on getting a new FIPS-validated module for OpenSSL by the end of this year (before EOL of 1.0.2), as was mentioned in this blog post:

According to this email, the new FIPS module is dependent on OpenSSL 3.0, whose release timing is not certain yet.

I would appreciate it if someone can provide an update on the new FIPS timeline as that will help folks who are looking to depend on OpenSSL's FIPS-validated modules in the next 6-9 months or so.

Lastly, is there any chance of extending the EOL date of OpenSSL 1.0.2 till the new FIPS module/OpenSSL 3.0 becomes available?

Thanks
Salman

Re: OpenSSL 1.0.2 EOL and new FIPS-validated crypto module

OpenSSL - User mailing list
  • Lastly, is there any chance of extending the EOL date of OpenSSL 1.0.2 till the new FIPS module/OpenSSL 3.0 becomes available?

This question gets asked a great deal. Why?

The OpenSSL project has not done any 1.0.2-FIPS work for years. This means that if there are any CVE-level bugs in 1.0.2 that affect(ed) that FIPS module, they weren’t getting fixed and the module wasn’t being revalidated. This has been the situation for several years. By 1.0.2 going out of support, all this means is that the OpenSSL project will not be posting bugfixes. Nobody is going to come and make you delete your own copies.

So why do people care if it goes out of support? I suspect the answer is this: by using the open source code, you didn’t have to pay anything or do any support and maintenance, and now they are worried about having to do so.

Is there another reason?


Re: OpenSSL 1.0.2 EOL and new FIPS-validated crypto module

Dr Paul Dale
In reply to this post by Salman Baset
The EOL date for OpenSSL 1.0.2 will not be extended.

It is possible to purchase premium level support which will provide 1.0.2 updates beyond its normal end of life.  See: https://www.openssl.org/support/contracts.html#premium


Pauli
-- 
Dr Paul Dale | Distinguished Architect | Cryptographic Foundations 
Phone +61 7 3031 7217
Oracle Australia




On 21 Oct 2019, at 9:11 pm, Salman Baset <[hidden email]> wrote:

Hello everyone,

I was wondering if there is any update on getting a new FIPS-validated module for OpenSSL by the end of this year (before EOL of 1.0.2), as was mentioned in this blog post:

According to this email, the new FIPS module is dependent on OpenSSL 3.0, whose release timing is not certain yet.

I would appreciate it if someone can provide an update on the new FIPS timeline as that will help folks who are looking to depend on OpenSSL's FIPS-validated modules in the next 6-9 months or so.

Lastly, is there any chance of extending the EOL date of OpenSSL 1.0.2 till the new FIPS module/OpenSSL 3.0 becomes available?

Thanks
Salman


Re: OpenSSL 1.0.2 EOL and new FIPS-validated crypto module

Salman Baset
Thank you very much. This is helpful. Will the support also include any updates to the FIPS compatible part, or is that out of scope because any update essentially invalidates existing FIPS cert for potential use?


On Mon, Oct 21, 2019 at 11:56 AM Dr Paul Dale <[hidden email]> wrote:
The EOL date for OpenSSL 1.0.2 will not be extended.

It is possible to purchase premium level support which will provide 1.0.2 updates beyond its normal end of life.  See: https://www.openssl.org/support/contracts.html#premium


Pauli
-- 
Dr Paul Dale | Distinguished Architect | Cryptographic Foundations 
Phone +61 7 3031 7217
Oracle Australia






Re: OpenSSL 1.0.2 EOL and new FIPS-validated crypto module

Dr Paul Dale
The FIPS module source code can’t be changed without losing validation.


Pauli
-- 
Dr Paul Dale | Distinguished Architect | Cryptographic Foundations 
Phone +61 7 3031 7217
Oracle Australia




On 22 Oct 2019, at 11:46 pm, Salman Baset <[hidden email]> wrote:

Thank you very much. This is helpful. Will the support also include any updates to the FIPS compatible part, or is that out of scope because any update essentially invalidates existing FIPS cert for potential use?

