diff options
author | Dr. Matthias St. Pierre <matthias.st.pierre@ncp-e.com> | 2021-04-26 02:19:35 +0200 |
---|---|---|
committer | Dr. Matthias St. Pierre <matthias.st.pierre@ncp-e.com> | 2021-04-29 11:26:58 +0200 |
commit | 3b9e47695f66e83b162d6d78f9a3c20e4464322d (patch) | |
tree | 5b45a65d802b4e77240c18cf18634b85e52d1e3a /CHANGES.md | |
parent | f2ea01d9f138dd7e99e55d4c9bd949d2aae64a2a (diff) |
CHANGES: document the FIPS provider configuration and installation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13684)
Diffstat (limited to 'CHANGES.md')
-rw-r--r-- | CHANGES.md | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/CHANGES.md b/CHANGES.md index a7420d6d5a..1097c8c749 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -23,6 +23,22 @@ OpenSSL 3.0 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx] + * OpenSSL includes a cryptographic module that is intended to be FIPS 140-2 + validated. The module is implemented as an OpenSSL provider, the so-called + FIPS provider. A list of all changes related to the FIPS provider would go + beyond the scope of this CHANGES file, please consult the README-FIPS and + README-PROVIDERS files, as well as the migration guide. + + The FIPS provider is disabled by default and needs to be enabled explicitly + at configuration time using the `enable-fips` option. If it is enabled, + the FIPS provider gets built and installed in addition to the default and + the legacy provider. No separate installation procedure is necessary. + There is however a dedicated `install_fips` make target, which serves the + special purpose of installing only the FIPS provider into an existing + OpenSSL installation. + + *OpenSSL team members and many third party contributors* + * For the key types DH and DHX the allowed settable parameters are now different. Previously (in 1.1.1) these conflicting parameters were allowed, but will now result in errors. See EVP_PKEY-DH(7) for further details. This affects the |