Some of you may have noticed that the upcoming 1.1 release doesn’t include any FIPS support. That omission is not by choice; it was forced on us by circumstances and will hopefully not be permanent.
The v2.0 OpenSSL FIPS module is compatible with the 1.0.x releases, in particular the 1.0.2 “LTS” release that will be supported through 2019. It has proven very popular, used both directly by hundreds of software vendors and indirectly as a model for copycat “private label” validations.
Over the last 10 years, OpenSSL has published advisories on over 100 vulnerabilities. Many more were likely silently fixed in the early days, but in the past year our goal has been to establish a clear public record.
In September 2014, the team adopted a security policy that defines how we handle vulnerability reports. One year later, I’m very happy to conclude that our policy is enforced, and working well.
Our policy divides vulnerabilities into three categories, and defines actions for each category: we use the severity ranking to balance the need to get the fix out fast with the burden release upgrades put on our consumers.
The OpenSSL license is rather unique and idiosyncratic. It reflects
views from when its predecessor, SSLeay, started twenty years ago. As a
further complication, the original authors were hired by RSA in 1998,
and the code forked into two versions: OpenSSL and RSA BSAFE SSL-C.
(See Wikipedia for discussion.) I don’t
want get into any specific details, and I certainly don’t know them all.
Things have evolved since then, and open source is an important part of
the landscape – the Internet could not exist without it.
There are good reasons why Microsoft is a founding member of the
Core Infrastructure Initiative (CII).
Our plan is to update the license to the
Apache License version 2.0.
We are in
consultation with various corporate partners, the CII, and the legal experts
at the Software Freedom Law Center.
In other words, we have a great deal of expertise and interest at our
fingertips.