140-3 support for FIPS #9120
Assignees
Labels
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
https://www.erlang.org/doc/apps/crypto/fips.html#background states
"OpenSSL can be built to provide FIPS 140-2 validated cryptographic services. It is not the OpenSSL application that is validated, but a special software component called the OpenSSL FIPS Object Module. However applications do not use this Object Module directly, but through the regular API of the OpenSSL library"
However, 140-2 is quite dated ..
https://csrc.nist.gov/publications/detail/fips/140/2/final
..and 140-3 has been available since March 22, 2019 ..
https://csrc.nist.gov/publications/detail/fips/140/3/final
OpenSSL has 140-3 validation work ongoing, but they seem to have run into some issues: openssl/openssl#23084 "The FIPS lab we were using is no longer accredited. That's going to stall the 140-3 validation I suspect."
There exists some 140-3 based validations though, e.g. CiscoSSL with..
https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4891 for CiscoSSL 8, an OpenSSL 3.x derivative, and ..
https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4747 for CiscoSSL 7.3, an OpenSSL 1.1.1 derivative.
Thus it would be greatly appreciated if OTP could upgrade its crypto library with support for FIPS 140-3 as the 140-2 support is, or very soon will be, outdated.
The text was updated successfully, but these errors were encountered: