OPENSSL FIPS COMPLIANCE CONSPIRACY
OpenSSL GEM
ruby/openssl
VERSION: 3.2.0
RUBY WRAPPER!
NOT the actual crypto!
OpenSSL LIBRARY
openssl/openssl
VERSION: 3.2.4
ACTUAL C LIBRARY
The real crypto stuff!
FIPS VALIDATION
Only for C library!
Validated versions:
• 3.0.8 ✓
• 3.0.9 ✓
• 3.1.2 ✓
NOT 3.2.4!
NIST VALIDATION
Takes FOREVER!
Expensive process!
Any code change =
RE-VALIDATION!
PROVIDER ARCHITECTURE
OpenSSL 3.x uses
loadable modules
FIPS = separate provider
Must use EXACT validated one!
VERSION MISMATCH
Gem 3.2.0 ≠ Library 3.2.4
Different repos!
Different numbering!
TOTALLY DIFFERENT!
THE TRUTH:
Can't use 3.2.4 for FIPS
without separate validated
FIPS provider because
NO VALIDATION EXISTS!
DEPENDENCY CHAIN
Ruby App →
OpenSSL Gem →
OpenSSL Library →
FIPS Provider
ALL must align!
COMPLIANCE REALITY
Need:
• Validated C library
• Compatible gem
• Proper config
• Exact versions!
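The dependency chain and compliance checklist above can be turned into a runtime check. The script below is an added example, not code from ruby/openssl or the OpenSSL project: it reads the gem version, the runtime C library version, FIPS mode and the loaded provider names, and reports whether the chain is aligned. Assumptions: the validated list is the one on this board (check NIST's CMVP listing for the current set); `OpenSSL::Provider.provider_names` is assumed to exist in ruby/openssl 3.2 and is guarded so the script still runs on older gems; ruby/openssl does not expose the FIPS provider's own version, so the check can only confirm that a provider named "fips" is loaded, not which validated build it is.

```ruby
require 'openssl'

# FIPS provider versions this board lists as validated (constructed from the
# board; the authoritative list is NIST's CMVP database).
VALIDATED_FIPS_PROVIDER_VERSIONS = %w[3.0.8 3.0.9 3.1.2].freeze

# Pull "3.2.4" out of a string shaped like OpenSSL::OPENSSL_LIBRARY_VERSION,
# e.g. "OpenSSL 3.2.4 11 Feb 2025". Returns nil when no x.y.z is present.
def extract_version(version_string)
  m = version_string.match(/\b(\d+\.\d+\.\d+)\b/)
  m && m[1]
end

# True only for versions on the validated FIPS provider list.
def fips_validated?(version)
  VALIDATED_FIPS_PROVIDER_VERSIONS.include?(version)
end

# Assess one Ruby App -> gem -> C library -> FIPS provider chain.
# All inputs are plain values so the logic runs without a FIPS build present:
#   gem_version:     OpenSSL::VERSION                 ("3.2.0")
#   library_version: OpenSSL::OPENSSL_LIBRARY_VERSION ("OpenSSL 3.2.4 ...")
#   fips_mode:       OpenSSL.fips_mode                (true / false)
#   providers:       loaded provider names            (["default"], ["fips", "base"])
# Returns { ok: true/false, findings: [...] }; a finding starting with "fail:"
# makes ok false, "info:" findings are informational only.
def assess_fips_chain(gem_version:, library_version:, fips_mode:, providers:)
  findings = []
  lib = extract_version(library_version)

  # The gem and the C library live in different repos with different
  # numbering, so gem != library is expected and is NOT a failure.
  findings << "info: gem #{gem_version} wraps library #{lib || 'unknown'} (separate version lines)"

  findings << "fail: FIPS mode is not enabled" unless fips_mode

  unless providers.include?("fips")
    findings << "fail: no 'fips' provider loaded; the default provider carries no validation"
  end

  # The library version by itself never confers validation: 3.2.4 has none,
  # so only a separately built, validated FIPS provider can supply it.
  if lib && !fips_validated?(lib)
    findings << "info: library #{lib} has no FIPS validation of its own; validation must come from the loaded FIPS provider"
  end

  { ok: findings.none? { |f| f.start_with?("fail:") }, findings: findings }
end

# Read the live values from the running interpreter. OpenSSL::Provider is
# assumed to exist only in ruby/openssl >= 3.2, hence the guard.
def live_fips_chain
  providers =
    if defined?(OpenSSL::Provider) && OpenSSL::Provider.respond_to?(:provider_names)
      OpenSSL::Provider.provider_names
    else
      []
    end
  assess_fips_chain(
    gem_version: OpenSSL::VERSION,
    library_version: OpenSSL::OPENSSL_LIBRARY_VERSION,
    fips_mode: OpenSSL.respond_to?(:fips_mode) && OpenSSL.fips_mode,
    providers: providers
  )
end

if __FILE__ == $PROGRAM_NAME
  result = live_fips_chain
  puts(result[:ok] ? "FIPS chain aligned" : "FIPS chain NOT aligned")
  result[:findings].each { |f| puts "  #{f}" }
end
```

Run it inside the deployed Ruby environment (`ruby fips_chain.rb`); on a stock build it reports that FIPS mode is off and no "fips" provider is loaded, which is exactly the gap the board describes between a 3.2.4 library and a validated provider.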
PEPE SILVIA MOMENT:
There IS no 3.2.4
FIPS validation!
It's all connected!
CAROL IN HR!
SEPARATE VERSIONS
You MUST maintain
different versions for
FIPS vs non-FIPS
because validation
locks you to specific
exact versions!
"Day bow bow... chik... chika-chika..."
- Charlie Kelly, Cryptography Expert