OpenSSL Communities

Review OpenSSL 3.1 End of Support

Craig Lorentzen  Thu 13 Mar 2025 4:51PM

Disclaimer: I am not directing anyone on which FIPS module to use and/or on your compliance story around FIPS modules and security patching.

OpenSSL recently attained FIPS 140-3 validation of OpenSSL 3.1.2 FIPS Module https://openssl-library.org/post/2025-03-11-fips-140-3/

Version 3.1 will be supported until 2025-03-14 https://openssl-library.org/policies/releasestrat/index.html

I am concerned about what this means for public consumption of a secure OpenSSL FIPS module. I expect that as of the 14th we do not actually stop applying security fixes to 3.1, but it would be good to have more of a guarantee that there will be security fixes available for this FIPS module until the 3.5 Module is approved for use.

Alternatively many could continue to use the 3.0 FIPS module (FIPS 140-2) for their FIPS workloads.

Neil Horman  Mon 7 Apr 2025 3:47PM

Ok, thank you for the clarification. The only input I think I can reasonably make on the support question is historic, in that for all our releases we indicate that we offer premium support contracts on releases that are beyond their EoL dates for this purpose:
https://openssl-corporation.org/support/
We've done this for OpenSSL 1.0.2 and 1.1.1 (which of course don't have FIPS certifications attached to them), but regardless, that's how we have traditionally handled support for releases beyond those dates. I would expect that, if a using entity wishes to ensure support/CVE updates to 3.0.8/3.0.9 between now and the FIPS certificate sunset date (Sept 21, 2026), a premium support contract would be the path forward, though I've not seen any documentation spelling that out specifically, nor am I aware of any technical methodology for how we will administer that (i.e. will we keep updating a private fork of the repo for those with support contracts).

Craig Lorentzen  Tue 8 Apr 2025 3:03PM

I think this is something OpenSSL needs to provide a clear and detailed document on, so that companies can make an informed decision when selecting versions of the FIPS module and the surrounding OpenSSL software.

Jeff Johnson  Wed 9 Apr 2025 1:33PM

@Neil Horman If I am not mistaken, the support contracts only apply to LTS branches. OpenSSL 3.1 is not an LTS branch, hence the desire for more clarification around EOS. BTW, thank you for the discussion. It is very helpful to the community, as Craig L. is pointing out.

Anton Arapov  Wed 9 Apr 2025 6:30PM

@Jeff Johnson  The commercial support contract includes all supported versions of the OpenSSL library until their official end-of-life (EOL), and extends support for long-term support (LTS) versions beyond their EOL.

Jeff Johnson  Wed 9 Apr 2025 7:17PM

@Anton Arapov Yes, so accordingly, OpenSSL 3.1 from your support page... "Version 3.1 will be supported until 2025-03-14". Am I perhaps confusing EOL and EOS? My understanding (fully aware of how wrong I can be sometimes) is that the support contracts were for LTS branches, and while supported branches like 3.1 will continue to get security fixes during their support period (a fixed 2-year length of time), after that time they would not be supported.

Anton Arapov  Wed 9 Apr 2025 7:28PM

@Jeff Johnson  OpenSSL 3.1 is not an LTS release and is supported for a fixed 2-year period, ending on 2025-03-14. During that time, it receives security updates. After that date, it reaches end of life (EOL) and will no longer be supported. Only LTS releases like 3.0 and 3.5 are eligible for extended commercial support through contracts.

The release cycle graph on that page might be helpful: https://openssl-library.org/roadmap/index.html

Note that starting with OpenSSL 3.6, regular releases are supported for a fixed 1-year period instead of 2.

Jeff Johnson  Wed 9 Apr 2025 7:34PM

@Anton Arapov That was exactly my understanding, thanks for confirming. That leads to the question that @Benjamin has posed. I know it seems like a simple concept but can be confusing when you have requirements that raise a lot of doubts (like FedRamp), so again, really appreciate the time given to this.

Neil Horman  Wed 9 Apr 2025 2:01PM

That is a question I'm unable to answer. The language in https://openssl-corporation.org/support/ seems to suggest that, but I'm not sure how flexible that is. @Anton Arapov can you comment here?

Yi Ouyang  Sun 31 Aug 2025 10:04PM

Maybe this was concluded and announced somewhere? Is FIPS module 3.1.2 still supported until the FIPS module on 3.5 gets the certificate? If it is out of support, should we use the FIPS module on 3.5 then?

Craig Lorentzen  Tue 7 Apr 2026 5:12PM

@Anton Arapov Did the OpenSSL Corporation agree on language confirming how CVE fixes within the boundary will be made available to 3.1.2 FIPS module consumers?

Please share the public documentation to close on this issue so that consumers of this module are fully aware of the plans for backport availability. It is important that businesses can reference the ongoing security maintenance plan in their compliance story.

Jeff Johnson  Mon 13 Apr 2026 5:39PM

@Anton Arapov, @Neil Horman - Did we firm this up?

Anton Arapov  Tue 14 Apr 2026 9:00AM

@Jeff Johnson This has been agreed, but I haven’t yet reflected it on our public pages - it’s been sitting in my backlog.

That said, it’s time to close the gap. I will make sure we have the language finalized and published this month. Please hold me to that.

Apologies, @Craig, for the delay here, and thank you again for the wording you suggested earlier - it's been helpful in shaping this.

Craig Lorentzen  Fri 1 May 2026 6:49PM

@Anton Arapov Happy to help, looking forward to seeing the policy document.

Jeff Johnson  Wed 10 Jun 2026 2:47PM

@Anton @Neil Horman So with the CVE announcement yesterday there was one inside the FIPS boundary: CVE-2026-42770. However there is no corresponding mention of it being fixed or affected in the announcement. What is the disposition of this CVE in regards to FP 3.1.2? What about rebrands?

Additionally, is OpenSSL pursuing an UPDT to the affected FP's?

I added to this thread because it was basically the same subject.

thx,

-jj

Tomas Mraz  Wed 10 Jun 2026 2:53PM

@Jeff Johnson This CVE unfortunately affects the 3.1.2 FIPS module. There is a workaround, though. It is described on https://openssl-library.org/news/fips-cve/index.html

Tomas Mraz  Wed 10 Jun 2026 2:52PM

The https://openssl-library.org/news/fips-cve/index.html web page is now updated with the latest CVEs.

Jeff Johnson  Wed 10 Jun 2026 3:01PM

@Tomas Mraz So code changes for the user. I still have 2 questions. Is the FP for 3.1.2 supported (it isn't listed as affected on the page you sent)? And for any FP affected, is there going to be a CMVP UPDT pursued?