Review OpenSSL 3.1 End of Support
Disclaimer: I am not directing anyone on which FIPS module to use and/or on your compliance story around FIPS modules and security patching.
OpenSSL recently attained FIPS 140-3 validation of the OpenSSL 3.1.2 FIPS Module https://openssl-library.org/post/2025-03-11-fips-140-3/
Version 3.1 will be supported until 2025-03-14 https://openssl-library.org/policies/releasestrat/index.html
I am concerned about what this means for public consumption of a secure OpenSSL FIPS module. I expect that as of the 14th we do not actually stop applying security fixes to 3.1, but it would be good to have more of a guarantee that there will be security fixes available for this FIPS module until the 3.5 Module is approved for use.
Alternatively many could continue to use the 3.0 FIPS module (FIPS 140-2) for their FIPS workloads.
Jeff Johnson · Thu 13 Mar 2025 8:05PM
Can't the FP 3.1.2 be used with OpenSSL 3.5, thereby enabling FIPS 140-3 on the LTS branch of OpenSSL 3.5? Just wondering if I am missing something... I usually am :)
Jeff Johnson · Thu 13 Mar 2025 8:13PM
Or are you just talking about the FIPS Provider CVE fixes inside the boundary? Since it just got the cert, I don't think the EOL of OpenSSL 3.1 means the EOL of the FP 3.1.2, but clarity on that would be helpful. It wouldn't make a lot of sense to finally get a FIPS cert and not support the FP, IMO.
Craig Lorentzen · Thu 13 Mar 2025 8:50PM
To be clear, I am suggesting OpenSSL extend 3.1 support until the 3.5 FIPS provider is available. This will ensure that the 140-3 validated FIPS provider continues to receive CVE fixes until the replacement 3.5 provider is available for those who wish to use a 140-3 validated module.
Those who are happily consuming the 3.0 FIPS provider (140-2) may continue to consume that with another supported OpenSSL release if they want the performance/feature upgrades made since 3.0's release.
Chris Brych · Thu 13 Mar 2025 7:11PM
Hi Craig,
Maybe the ask is to see if OpenSSL will extend the 3.1 support date till September of 2026 when the FIPS 140-2 or OpenSSL 3.0 module goes out of compliance or until the OpenSSL 3.5 release for which FIPS 140-3 certification is planned gets submitted to the CMVP? That could allow consumers of the FIPS module to have a FIPS story until 3.5 gets submitted? Does this seem like a reasonable ask?