Need to check on compatibility issue


omi jha

Jun 27, 2025, 7:00:36 AM
to openssl-users
Hi,
Just wanted to check, is openssl 3.5 (non-FIPS) compatible with FIPS 3.0.9 (FIPS 140-2) or any issues?
Thanks,
Om

Neil Horman

Jun 27, 2025, 9:11:44 AM
to omi jha, openssl-users
All of our openssl releases are backwards compatible with older fips providers, no issues are currently known.

To be clear, the above means that libcrypto.so from openssl 3.5 will work with the fips.so library from 3.4 and earlier releases.  It does not imply any forward compatibility, i.e. the fips.so file from 3.5 is not guaranteed to work with the libcrypto.so library from 3.4 and earlier.

Best
Neil


--
You received this message because you are subscribed to the Google Groups "openssl-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openssl-user...@openssl.org.
To view this discussion visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/ae62da4f-d165-4e7c-af92-718abb73e158n%40openssl.org.

Matt Caswell

Jun 30, 2025, 4:35:35 AM
to Neil Horman, omi jha, openssl-users
On Fri, 27 Jun 2025 at 14:11, Neil Horman <nho...@openssl.org> wrote:
> All of our openssl releases are backwards compatible with older fips providers, no issues are currently known.
>
> To be clear, the above means that libcrypto.so from openssl 3.5 will work with the fips.so library from 3.4 and earlier releases.  It does not imply any forward compatibility, i.e. the fips.so file from 3.5 is not guaranteed to work with the libcrypto.so library from 3.4 and earlier.

Actually we test in both directions, e.g. 3.5 library with 3.4 fips test run is here:


And 3.4 library with 3.5 fips test run is here:


Matt

 

> Best
> Neil
>
> On Fri, Jun 27, 2025 at 7:00 AM omi jha <omijh...@gmail.com> wrote:
>> Hi,
>> Just wanted to check, is openssl 3.5 (non-FIPS) compatible with FIPS 3.0.9 (FIPS 140-2) or any issues?
>> Thanks,
>> Om


Michael Richardson

Jul 2, 2025, 3:22:09 PM
to Matt Caswell, Neil Horman, omi jha, openssl-users

Matt Caswell <ma...@openssl.org> wrote:
>> All of our openssl releases are backwards compatible with older fips
>> providers, no issues are currently known.
>>
>> To be clear, the above means that libcrypto.so from openssl 3.5 will
>> work with the fips.so library from 3.4 and earlier releases. It does
>> not imply any forward compatibility, i.e. the fips.so file from 3.5 is
>> not guaranteed to work with the libcrypto.so library from 3.4 and
>> earlier.
>>

> Actually we test in both directions, e.g. 3.5 library with 3.4 fips
> test run is here:

But, do you promise it will always work?

I would think that makes it impossible to add new ABI, or change the ABI that
openssl provides.

--
Michael Richardson <mcr+...@sandelman.ca> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide


Ladd, Watson

Jul 2, 2025, 4:04:40 PM
to Neil Horman, omi jha, openssl-users
I do not understand how this works:
  • The fips provider is supposed to be self contained
  • The interface to the provider is supposed to be very forward and backward compatible so third parties can target it
Is the issue that future fips.so may require additional calls from libcrypto to enable some things to work, in addition to the operations happening today?

From: Neil Horman <nho...@openssl.org>
Sent: Friday, June 27, 2025 6:11 AM
To: omi jha <omijh...@gmail.com>
Cc: openssl-users <openss...@openssl.org>
Subject: Re: Need to check on compatibility issue
 
All of our openssl releases are backwards compatible with older fips providers, no issues are currently known. To be clear, the above means that libcrypto.so from openssl 3.5 will work with the fips.so library from 3.4 and earlier releases.

Jon Ericson

Jul 2, 2025, 4:41:49 PM
to Michael Richardson, Matt Caswell, Neil Horman, omi jha, openssl-users
On Wed, Jul 2, 2025 at 12:22 PM Michael Richardson
<mcr+...@sandelman.ca> wrote:
>
>
> Matt Caswell <ma...@openssl.org> wrote:
> >> All of our openssl releases are backwards compatible with older fips
> >> providers, no issues are currently known.

> But, do you promise it will always work?
>
> I would think that makes it impossible to add new ABI, or change the ABI that
> openssl provides.

The release strategy
(https://openssl-library.org/policies/releasestrat/index.html) only
allows breaking changes in the ABI (or API) when moving to a new major
version. That would mean 4.0 at the soonest. The roadmap
(https://openssl-library.org/roadmap/index.html) has 4.0 penciled in
for April 2026, but that doesn't necessarily mean ABIs will change
then.

Additionally, 3.5 was an LTS, so it will be supported until April
2030. But you are correct that nothing lasts forever.

--
Jon Ericson: OpenSSL Communities Manager

Matt Caswell

Jul 3, 2025, 4:51:26 AM
to Michael Richardson, Neil Horman, omi jha, openssl-users
On Wed, 2 Jul 2025 at 20:22, Michael Richardson <mcr+...@sandelman.ca> wrote:

> Matt Caswell <ma...@openssl.org> wrote:
> >> All of our openssl releases are backwards compatible with older fips
> >> providers, no issues are currently known.
> >>
> >> To be clear, the above means that libcrypto.so from openssl 3.5 will
> >> work with the fips.so library from 3.4 and earlier releases.  It does
> >> not imply any forward compatibility, i.e. the fips.so file from 3.5 is
> >> not guaranteed to work with the libcrypto.so library from 3.4 and
> >> earlier.
> >>
>
> > Actually we test in both directions, e.g. 3.5 library with 3.4 fips
> > test run is here:
>
> But, do you promise it will always work?

Yes. At least within the same major version. We *may* choose to extend the promise across some major versions (e.g. we may choose to promise that 3.x providers will still work with 4.x libcrypto and vice versa) but that would be on a case by case basis.
 

> I would think that makes it impossible to add new ABI, or change the ABI that
> openssl provides.

Within the same major version we only ever make additions to the ABI. So newer versions may expose more functions at the fips.so level. But the provider interface is designed such that libcrypto can discover the capabilities that any particular provider supports. So if a new libcrypto encounters an older fips provider, it will only use the things that that provider can do. Similarly if an older libcrypto is used with a newer fips.so, then it won't know how to deal with new functions made available by the fips.so - but that's ok. It will just continue to use the old functions.

Matt
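
The mechanism described in the message above, as a simplified C model added here for illustration (it is not OpenSSL source code and not part of the thread): a provider exports a table of numbered function pointers, and the loading library binds only the numbers it recognises. All identifiers are hypothetical, including the imagined fourth function; OpenSSL's real table type is OSSL_DISPATCH.

```c
#include <stddef.h>
#include <stdio.h>

/* Model of an id-tagged dispatch table. OpenSSL's real type is OSSL_DISPATCH;
 * every identifier below is hypothetical and exists only for this example. */
typedef struct { int function_id; void (*function)(void); } dispatch_entry;

enum { FN_INIT = 1, FN_UPDATE = 2, FN_FINAL = 3,
       FN_SQUEEZE = 4 /* imagined addition in a later minor release */ };

static void stub(void) { }

/* Older provider exports three functions; the newer one adds a fourth. */
const dispatch_entry old_provider[] = {
    {FN_INIT, stub}, {FN_UPDATE, stub}, {FN_FINAL, stub}, {0, NULL} };
const dispatch_entry new_provider[] = {
    {FN_INIT, stub}, {FN_UPDATE, stub}, {FN_FINAL, stub},
    {FN_SQUEEZE, stub}, {0, NULL} };

typedef struct {
    void (*init)(void);
    void (*update)(void);
    void (*final)(void);
    void (*squeeze)(void);   /* optional: stays NULL when not offered or not known */
} digest_method;

/* max_known_id models the libcrypto version: ids above it are ones this
 * libcrypto has never heard of. Returns the number of functions bound,
 * or -1 if a mandatory function is missing from the table. */
int bind_method(const dispatch_entry *tbl, int max_known_id, digest_method *m)
{
    int bound = 0;
    m->init = m->update = m->final = m->squeeze = NULL;
    for (; tbl->function_id != 0; tbl++) {
        if (tbl->function_id > max_known_id)
            continue;                    /* unknown id: ignore it, keep going */
        switch (tbl->function_id) {
        case FN_INIT:    m->init = tbl->function;    bound++; break;
        case FN_UPDATE:  m->update = tbl->function;  bound++; break;
        case FN_FINAL:   m->final = tbl->function;   bound++; break;
        case FN_SQUEEZE: m->squeeze = tbl->function; bound++; break;
        }
    }
    return (m->init && m->update && m->final) ? bound : -1;
}

int main(void)
{
    digest_method m;
    printf("new libcrypto + old provider: %d bound\n", bind_method(old_provider, 4, &m));
    printf("old libcrypto + new provider: %d bound\n", bind_method(new_provider, 3, &m));
    printf("new libcrypto + new provider: %d bound\n", bind_method(new_provider, 4, &m));
    return 0;
}
```

Both mixed pairings bind the same three functions, which is why additions to the table do not break either direction.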