Please provide FIPS compliant version

Bug #95001 reported by Pascal de Bruijn
This bug affects 8 people

Affects: openssl (Ubuntu)
Status: Won't Fix
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Binary package hint: openssl

It should be considered to supply the FIPS validated version of OpenSSL unless there are major disadvantages to this version.

http://www.oss-institute.org/

Daniel T Chen (crimsun)
Changed in openssl:
importance: Undecided → Wishlist
Revision history for this message
Daniël van Eeden (dveeden) wrote :

See also the FIPS 140-2 Notes: http://www.openssl.org/docs/fips/fipsnotes.html

Enabling SSLFIPS in Apache2 is needed to disable SSLv2 Upgrade support. This will only work if Apache2 uses a FIPS-enabled OpenSSL version.
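
An added example, not part of this bug report or of the OpenSSL or Apache projects: a POSIX shell pre-flight for the point made in the comment above, that `SSLFIPS on` only works when the OpenSSL that mod_ssl links against can actually enter FIPS mode. It assumes the OpenSSL 3.x layout of `openssl list -providers` output and the Linux `/proc/sys/crypto/fips_enabled` flag; the two sample listings are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report): pre-flight checks before putting
# "SSLFIPS on" into an Apache mod_ssl configuration. mod_ssl refuses to start
# with that directive unless its OpenSSL can enter FIPS mode, so check first.
# Assumptions: OpenSSL 3.x provider listing format, Linux sysctl path; both
# inputs are passed as arguments so the checks run offline against samples.

# Return 0 if a provider named "fips" is listed with "status: active".
# $1 is the text of `openssl list -providers` (2-space indented provider
# names, 4-space indented attributes, as printed by OpenSSL 3.x).
fips_provider_active() {
    printf '%s\n' "$1" | awk '
        /^  [^ ]/  { prov = $1; next }                          # provider name
        /^    status:/ { if (prov == "fips" && $2 == "active") found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 if the kernel is in FIPS mode. $1 optionally overrides the sysctl
# path (default /proc/sys/crypto/fips_enabled) so a test can supply a file.
kernel_fips_enabled() {
    f=${1:-/proc/sys/crypto/fips_enabled}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Print the mod_ssl fragment only when both checks pass; otherwise print the
# reason Apache would fail to start and return 1.
# $1: provider listing text, $2: sysctl path (optional).
apache_fips_fragment() {
    if ! fips_provider_active "$1"; then
        echo "# SSLFIPS not enabled: no active OpenSSL FIPS provider"
        return 1
    fi
    if ! kernel_fips_enabled "$2"; then
        echo "# SSLFIPS not enabled: kernel fips_enabled is not 1"
        return 1
    fi
    printf 'SSLFIPS on\n'
}

# Constructed sample listings (not captured from a real host).
SAMPLE_WITH_FIPS='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.2
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.2
    status: active'

SAMPLE_DEFAULT_ONLY='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.2
    status: active'

# Live check against the local toolchain when openssl is installed; failures
# are reported, not fatal, so the script can also be sourced for its functions.
if command -v openssl >/dev/null 2>&1; then
    live=$(openssl list -providers 2>/dev/null || true)
    apache_fips_fragment "$live" || true
fi
```

The provider check is deliberately separate from the kernel flag: a host can have the FIPS provider installed and active in `openssl.cnf` while the kernel is not in FIPS mode, and the reverse, and each case gives a different error from Apache at start-up.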

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openssl (Ubuntu):
status: New → Confirmed
Roland Moriz (rmoriz) wrote :

Regarding #1:

This affects nginx as well.

John Gibson (redshadow) wrote :

OpenSSL's FIPS certification was recently reapproved; the official announcement is here: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747
OpenSSL's FIPS validation page: http://www.openssl.org/docs/fips/fipsvalidation.html
The module itself: http://www.openssl.org/source/openssl-fips-2.0.1.tar.gz

Interestingly one of the platforms upon which it was tested was Ubuntu 10.04 (both 32 and 64 bit versions).

Jonathan Davies (jpds)
Changed in openssl (Ubuntu):
status: Confirmed → Triaged
Seth Arnold (seth-arnold) wrote :

Related: http://marc.info/?l=openssl-announce&m=138747119822324&w=2 -- in short, the flaws found in Dual EC DRBG in the FIPS-validated code demonstrate that the code is under-used and that fixing even fairly obvious flaws isn't allowed.

I'm not keen on turning on OpenSSL's FIPS modes in our releases.

Pascal de Bruijn (pmjdebruijn) wrote :

In light of recent events, I won't argue :)

Adrien Nader (adrien) wrote :

I think this should be won't fix since there is now a FIPS version available and it's 100% sure it must not be the default version (and that it wouldn't make a lot of sense even for people who want FIPS stuff).

Nick Rosbrook (enr0n)
Changed in openssl (Ubuntu):
status: Triaged → Won't Fix