Brussels / 4 & 5 February 2023


FIPS in OpenSSL: from 140-2 to 140-3

How Red Hat made FIPS-140-2 provider FIPS-140-3 capable

OpenSSL 3.0's key feature was FIPS 140-2 certification. As FIPS 140-2 is sunsetting, we had to significantly patch OpenSSL to make it FIPS 140-3 capable.

The presentation briefly describes the major changes in the OpenSSL 3.0 architecture, what happened to the good old API and why you have to deal with the new one, the provider concept, and the changes necessary to match the new standard.

OpenSSL 3.0's key feature was FIPS 140-2 certification. To deal with it properly, the architecture was significantly changed, and applications have to deal with that change.

A lot of API calls were deprecated, engines shouldn't be used any more, and applications can't rely on all the algorithms still being available. The brand new provider concept opens a new way to extend OpenSSL functionality.

As FIPS 140-2 is sunsetting, the upstream version can't be taken as is for the future version of the standard. We had to significantly patch OpenSSL to make it FIPS 140-3 capable. We also provided some extra hardening to be sure that only up-to-date algorithms are in use, limited SHA-1 usage, and introduced many other changes.
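The provider concept mentioned above is what lets an application move from the old monolithic libcrypto to a validated FIPS module without code changes: the FIPS provider is activated through the OpenSSL 3.0 configuration file, and a default property query restricts algorithm fetches to implementations that carry the `fips=yes` property. The following openssl.cnf is an added example of that layout, not something from the talk or from Red Hat's patches; the `.include` path is an assumption, since the location of `fipsmodule.cnf` (generated by `openssl fipsinstall`) depends on the installation:

```ini
# Added example: OpenSSL 3.0 configuration that activates the FIPS provider.
# The fipsmodule.cnf path below is an assumed placeholder; the file is produced
# by `openssl fipsinstall` and contains the module's integrity checksum.

config_diagnostics = 1
openssl_conf = openssl_init

.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
# The FIPS provider is activated by the [fips_sect] section that
# fipsmodule.cnf supplies (it sets activate = 1 there).
fips = fips_sect
# The base provider carries only encoders/decoders and file/store loaders,
# so it can be activated alongside FIPS without reintroducing
# non-approved algorithm implementations.
base = base_sect

[base_sect]
activate = 1

[algorithm_sect]
# Every EVP_*_fetch() in the process now resolves only to implementations
# that carry the fips=yes property, so legacy or non-approved algorithms
# simply fail to fetch instead of silently being used.
default_properties = fips=yes
```

With this file in place, `openssl list -providers` should show the `fips` and `base` providers as active, and an attempt to fetch an algorithm that the FIPS provider does not offer (for example MD5) fails at fetch time. The weaker alternative is to leave `default_properties` unset and keep the `default` provider active: the application then links against a validated module but nothing prevents a non-approved implementation from being selected.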

Speakers

Dmitry Belyavskiy
