FIPS 140-2 vs FIPS 140-3 Interoperability During Migration


omi jha

Aug 14, 2025, 4:34:14 AM
to openssl-users

Hi,

We're upgrading from OpenSSL 3.0.9 (FIPS 140-2) to OpenSSL 3.1.2 (FIPS 140-3) and need help with mixed environment compatibility.

Migration Scenarios:

1. FIPS 140-2 Client communicates with FIPS 140-3 Server

Will the handshake fail if the FIPS 140-2 client's offered cipher suites are all deemed unacceptable by the FIPS 140-3 server (e.g., they don't meet key length requirements, or use prohibited algorithms)? For FIPS 140-3, SHA-1 is not allowed for cryptographic hashing, and triple DES (3DES) is not allowed.

2. FIPS 140-3 Client communicates with FIPS 140-2 Server

Will the handshake fail if the FIPS 140-2 server's available cipher suites are all considered weak or non-compliant by the FIPS 140-3 client (e.g., they use disallowed algorithms or insufficient key lengths)?

Question:

How does OpenSSL recommend handling the interoperability issues between FIPS 140-2 and FIPS 140-3 clients and servers, given the possible handshake failures and incompatibilities in cipher suite negotiation? Are there best practices or bridging strategies to facilitate successful connections, or is it a requirement to have matching FIPS levels on both client and server to avoid these failures?

Tomas Mraz

Aug 15, 2025, 5:42:28 AM
to omi jha, openssl-users
With default settings and properly configured certificates on the
server side which are acceptable for FIPS 140-3 requirements, there
should be no interoperability issues as there is an intersection of
algorithms supported by both old and new versions.

Of course, if the FIPS 140-2 based system is explicitly configured to
disallow all algorithms acceptable by the FIPS 140-3 based system, the
communication will fail. But there should be no reason to configure the
old system in such a way.


--
Tomáš Mráz, Public Support and Security Manager, OpenSSL Foundation
Join the Code Protectors or support us on Github Sponsors
https://openssl-foundation.org/donate/
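To make the "intersection of algorithms" point above checkable against concrete policies, here is an added shell example (not from the thread and not OpenSSL project code) that runs a local s_server/s_client pair pinned to TLS 1.2 with one cipher list per side and reports which cipher, if any, was negotiated; passing the two lists in either order covers both directions asked about in the question. It assumes the `openssl` CLI (1.1.1 or 3.x) is on PATH, uses loopback port 44330 and stand-in cipher lists, and does not load a FIPS provider.

```shell
#!/bin/sh
# Added example: does a client cipher-list policy still share a TLS 1.2
# cipher with a server cipher-list policy?  A local OpenSSL s_server and
# s_client are run with the two lists and the negotiated cipher is reported.
# Assumes the `openssl` CLI is on PATH and that loopback port 44330
# (a constructed choice) is free.
set -u

WORK=$(mktemp -d)
PORT=44330
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed RSA certificate for the test server (constructed).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=localhost \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# negotiate SERVER_LIST CLIENT_LIST
# Prints the negotiated cipher, or NO-SHARED-CIPHER when the handshake fails.
negotiate() {
  server_list=$1
  client_list=$2
  # -tls1_2 pins the version: TLS 1.3 suites are configured separately
  # (-ciphersuites) and would otherwise mask an empty TLS 1.2 intersection.
  openssl s_server -accept "$PORT" -tls1_2 -naccept 1 -quiet \
    -cert "$WORK/cert.pem" -key "$WORK/key.pem" -cipher "$server_list" \
    >/dev/null 2>&1 &
  server_pid=$!
  sleep 1
  out=$(openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 \
        -cipher "$client_list" </dev/null 2>&1 || true)
  kill "$server_pid" 2>/dev/null || true
  wait "$server_pid" 2>/dev/null || true
  # s_client summarises the result as "New, TLSv1.2, Cipher is <name>",
  # or "New, (NONE), Cipher is (NONE)" when the handshake failed.
  cipher=$(printf '%s\n' "$out" | sed -n 's/^New, .*Cipher is \([^ ]*\).*$/\1/p' | head -n 1)
  if [ -z "$cipher" ] || [ "$cipher" = "(NONE)" ]; then
    echo NO-SHARED-CIPHER
  else
    echo "$cipher"
  fi
}

# Stand-in policies (constructed).  The "old" client still lists a SHA-1 suite
# (AES128-SHA) that the "new" server refuses, but both accept AES-128-GCM.
OLD_CLIENT='ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA'
NEW_SERVER='ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256'
# A side restricted to suites the other never offers: empty intersection.
STRICT_CLIENT='ECDHE-RSA-AES256-GCM-SHA384'
STRICT_SERVER='ECDHE-RSA-AES128-GCM-SHA256'

echo "overlap:    $(negotiate "$NEW_SERVER" "$OLD_CLIENT")"
echo "no overlap: $(negotiate "$STRICT_SERVER" "$STRICT_CLIENT")"
```

With the FIPS provider configured in openssl.cnf on either side (or loaded on both commands with `-provider fips -provider base`), the same run shows the intersection those two configurations actually have.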
