
OpenSSL in RHEL: FIPS-140-3 certification

Formal Metadata

Title
OpenSSL in RHEL: FIPS-140-3 certification
Subtitle
From FIPS-140-2 upstream to FIPS-140-3 downstream
Number of Parts
542
License
CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
OpenSSL 3.0's key feature was FIPS-140-2 certification. As FIPS-140-2 is sunsetting, we had to significantly patch OpenSSL to make it FIPS-140-3 capable. The presentation briefly describes the major changes in the OpenSSL 3.0 architecture, what happened to the good old API and why to deal with the new one, the provider concept, and the changes necessary to match the new standard.

OpenSSL 3.0's key feature was FIPS-140-2 certification. To deal with it properly, the architecture was significantly changed, and applications have to deal with it. A lot of API calls were deprecated, engines shouldn't be used now, and applications can't rely on all the algorithms still being with us. The brand new provider concept opens a new way to extend OpenSSL functionality. As FIPS-140-2 is sunsetting, the upstream version can't be taken as is for the future version of the standard. We had to significantly patch OpenSSL to make it FIPS-140-3 capable. We also provided some extra hardening to be sure that only up-to-date algorithms are in use, limited SHA-1 usage, and introduced many other changes.