[OE-core] openssl10 unusable for many components

Mark Hatle mark.hatle at windriver.com
Fri Aug 18 19:03:51 UTC 2017


On 8/18/17 1:41 PM, Alexander Kanavin wrote:
> On 08/18/2017 08:56 PM, Mark Hatle wrote:
>>> Even with that patch to rename openssl10 back to openssl we still need to solve
>>> the openssl-native which wasn't reverted back to 1.0.
>>>
>>> Upstream nodejs isn't going to be openssl-1.1 for a bit longer as explained:
>>> https://github.com/nodejs/node/pull/14761
>>
>> I wanted to pull out a specific comment from the above link that shows one of
>> the reasons why OpenSSL 1.1 support is delayed by many:
>>
>> 7 days ago: shigeki commented:
>>> We're also waiting for FIPS support of 1.1.x. They are now working on it as https://www.openssl.org/blog/blog/2017/07/25/fips/.> ...
>>
>> Until the OpenSSL 1.1.x FIPS work is further along, a lot of projects (and major
>> distributions) are going to wait to deploy it.
> 
> What I don't understand is why node even cares about FIPS? FIPS 
> compliance is needed to win software supplier contracts with one certain 
> government; I haven't seen any other reasons.

Many governments and private companies require this certification.  FIPS 140-2 is
the US NIST name for this work, but the same work resolves ISO requirements in
Europe and other countries.

Medical devices often require FIPS certification in order to conform to the
privacy requirements (or to be sold into US Government funded hospitals).  FIPS
is really a big deal for many industries.

> Another point is that getting FIPS done will take a very long time, 
> possibly two years or more, and this work is just starting now with no 
> clear funding or completion date (see the openssl blog link). Meanwhile, 
> all major desktop linux distros have 1.1 by default already; seems to me 
> that they don't care.

Yes, it will.  It will likely take 6 months to a year of development and likely
another 6 months to a year of certification lab work.

This is part of the reason the 1.0.2 EOL was set to end of 2019, to help force
the move to 1.1.  However, if you look at the 1.0.2 FIPS module, it has a January
2022 EOL.  (Note, that EOL has a slightly different meaning than the 2019 1.0.2
one... but the reality is that there will be organizations that will continue
to publish security fixes for OpenSSL 1.0.2 through the FIPS module EOL,
simply out of necessity.)

One of the key things with this is that the work can accelerate (likely not to less
than a year) if additional people step up and assist in the funding.  I'm aware of
a few commercial companies that are discussing doing this, but unfortunately
nothing more concrete than the blog referenced above.

> Alex
> 