*   Lastly, is there any chance of extending the EOL date of OpenSSL 1.0.2 
till the new FIPS module/OpenSSL 3.0 becomes available?

This question gets asked a great deal.  Why?

The OpenSSL project has not done any 1.0.2-FIPS work for years. This means that 
if there are any CVE-level bugs in 1.0.2 that affect(ed) that FIPS module, they 
weren’t getting fixed and the module wasn’t being revalidated. This has been 
the situation for several years. By 1.0.2 going out of support, all this means 
is that the OpenSSL project will not be posting bugfixes.  Nobody is going to 
come and make you delete your own copies.

So why do people care if it goes out of support?  I suspect the answer is 
this: by using the open source code, you didn’t have to pay anything or do any 
support and maintenance, and now they are worried about having to do so.

Is there another reason?
