Need help on Migration from OpenSSL 3.2.x from OpenSSL 3.0.12 including FIPS enablement

[raghupcr]

Hi Team,

We are planning to upgrade the OpenSSL version from 3.0.12 to version 3.2.x version

We are currently using the OpenSSL FIPS enablement feature in our application, so if we upgrade to a newer version of OpenSSL 3.2.x version are there any changes w.r.t fips?
We need to be in line with fips 140-2 standard. Is the process the same that way we upgraded to different versions of 3.0.x versions ( like 3.0.8 to 3.0.9 and 3.0.9 to 3.0.12 etc)

Thanks

[raghupcr]

Hi team,

any information/inputs will be helpful to share with our team inside our project.

Got few mail from the mail discussions and one link
https://github.com/openssl/openssl/blob/master/README-FIPS.md

if we follow the above link and make the upgrade will that be sufficient to be called fips compliance

Thanks,

[slontis]

If you followed the guide correctly then you should have built twice.
You are FIPS compliant IF
(1) you build and use the fips provider from the source tarball from OpenSSL 3.0.0/3.0.8/3.0.9
(2) You only use the algorithms in the FIPS provider. (If you fetch algorithms from the default provider you are not FIPS compliant).

[raghupcr]

@slontis thanks for the information
we are trying to use the way that is mentioned in the link and we will try to make sure steps 1 and 2 as mentioned above.
one doubt in our fipsmodule.cnf we are making configuration as

included fipsmodule.cnf.

fips = fips_sect

and

[default_sect]

activate = 1

So this is enough to make sure we are using fips provider and not the default provider. Correct?

[StephenWall]

https://www.openssl.org/docs/man3.0/man7/fips_module.html also has information on enabling FIPS mode. If you enable the fips provider, and disable the default provider, then you will also need to enable the base provider.

[slontis]

There is a link to this from the README-FIPS