I think it’s worth pointing out that OpenSSL is itself a non-profit and that FIPS validations cost a significant amount of money.
Until about a year ago, there was also a notable absence of FIPS sponsors. Pauli -- Dr Paul Dale | Cryptographer | Network Security & Encryption Phone +61 7 3031 7217 Oracle Australia > On 8 Jul 2019, at 7:18 pm, Jakob Bohm via openssl-users > <openssl-users@openssl.org> wrote: > > On 08/07/2019 10:12, Dr Paul Dale wrote: >> I have to disagree with the “decision not to make a FIPS module for the >> current 1.1.x series” comment. Technically, this is true. More >> practically, 3.0 is intended to be source compatible with 1.1.x. Thus far, >> nothing should be broken in this respect. >> > The key word is "intended". > >> If support for 1.0.2 is required beyond the end of this year, it is >> available: https://www.openssl.org/support/contracts.html >> > I am unsure if this is an affordable route for all affected users > and distributions (especially non-profit OS distributions). > >> >> I’d also be interested to know what is wrong with the policy page? >> > > Only that it states the policy of stopping 1.0.2 support at end of > 2019, which would be fine if a FIPS-capable replacement had been > ready by now (as is fortunately the case for non-FIPS). > > Enjoy > > Jakob > -- > Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com > Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 > This public discussion message is non-binding and may contain errors. > WiseMo - Remote Service Management for PCs, Phones and Embedded >
