I think, perhaps, two different things are being confused here: 1) RedHat's use of the term "OpenSSL Module v1.0" and 2) James' use of the term "OpenSSL 1.0.0." Looking through RedHat's Security Policy and Certificate posted on NIST's site, it certainly looks to me that their "OpenSSL Module v1.0" is based on OpenSSL 0.9.8.

Geoff

----- Original Message ----
From: Steve Marquess <marqu...@opensslfoundation.com>
To: openssl-users@openssl.org
Sent: Thu, July 29, 2010 9:36:19 AM
Subject: Re: OpenSSL 1.0.0 FIPS module

ja...@nixsecurity.org wrote:
> Hello,
>
> Aside from searching the net, I've learned that the FIPS module for OpenSSL
> 1.0.0 requires funding for the project and availability of the next FIPS
> revision (I think). I'm curious if there's an ETA on the module at all? I've
> also noticed that Redhat (Fedora) is pushing OpenSSL 1.0.0 with FIPS, I'm
> assuming they've either modified the FIPS module to be compatible with OpenSSL
> 1.0.0, they've obtained their own module by other means or some other method.
>
> Any information on this would be helpful.
>
> Thanks in advance,
> James

I'll have to speculate here as I've had no contact with Red Hat, but it appears that they have obtained their own proprietary validation based on OpenSSL (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1320). This is a pretty common thing for proprietary software vendors to do, and obtaining such a binary validation is much easier than for the open source based ones (e.g. the OpenSSL FIPS Object Module v1.2, #1051). I've been told by those in the know that the *majority* of all software validations are based on OpenSSL.

There is no schedule for a new open source based 1.0 compatible validation because we have no funding. In fairness to the commercial vendors like Red Hat, it isn't to their economic advantage to support a validation that could be leveraged by their competitors. To those vendors who do have validated crypto modules the FIPS 140-2 procurement requirements are a marvelous advantage that lock out a lot of potential competition, well worth the (significant) expense.

Not such a good deal for the U.S. and Canadian taxpayers, as they indirectly pay for many validations of essentially the same software, but there is currently no one really representing that interest (the previous validations did receive significant financial support from the U.S. government and DoD, but that was all done on a one-off basis).

-Steve M.

--
Steve Marquess
The OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710 USA
+1 877-673-6775
marqu...@opensslfoundation.com

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org