
I successfully built OpenSSL v3.0.0 with the FIPS option from the current .gz download from the official OpenSSL site. I have also ensured my application code has been upgraded from OpenSSL 1.0.2t to v3.0.0 (v1.1.1l setters/getters). My application works great with OpenSSL v3.0.0 FIPS, as it had with 1.0.2t.

What's next? Am I FIPS? May I tell my customers that my application supports FIPS integrity? I am sure there must be more to be done before I can make this proclamation? FIPS Certified?

mkrieger1
  • Are you using the 3.0 FIPS provider in your application? If you don't enable it somehow then you won't be using it by default. See https://www.openssl.org/docs/man3.0/man7/fips_module.html. Additionally the 3.0 FIPS module has not yet completed the validation process (i.e. the certificate has not yet been issued) - it's in the CMVP queue waiting to be reviewed. The certificate will only list certain operational environments - see https://www.openssl.org/blog/blog/2021/09/22/OpenSSL3-fips-submission/ – Matt Caswell Dec 14 '21 at 11:30
  • Thanks for your guidance. I see from this link (https://www.openssl.org/docs/man3.0/man7/fips_module.html), I have a lot more to look at. I understand we are waiting for the CMVP. Thanks again! – Ray A Brown Dec 15 '21 at 15:07
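
The first comment's point, that the FIPS provider is not used unless it is enabled, shown as an added `openssl.cnf` example (not part of the original question or comments). The layout follows the fips_module manual page linked in the comment. The "before" file is constructed for contrast, and the `fipsmodule.cnf` path is an assumption that depends on where the build was installed.

```ini
# ---- Before (constructed for contrast): only the default provider is active.
# ---- Nothing here loads the FIPS provider, so the application never uses it,
# ---- even though the FIPS module was built.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect

[default_sect]
activate = 1

# ---- After (a separate file, replacing the one above): the FIPS provider is
# ---- loaded and every algorithm fetch defaults to FIPS implementations.
config_diagnostics = 1          # report configuration errors instead of ignoring them
openssl_conf = openssl_init

# Assumed path. This file is written by `openssl fipsinstall` and defines
# [fips_sect], including the module integrity check values.
.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
# The base provider supplies encoders/decoders, which the FIPS provider lacks.
base = base_sect

[base_sect]
activate = 1

[algorithm_sect]
# Applied to every fetch that does not give its own property query.
default_properties = fips=yes
```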

0 Answers