OpenSSL 3.0 on Rocky

I noticed that Rocky Linux is currently using OpenSSL v1.1.1, which was the most recent GA for OpenSSL until just recently. OpenSSL has now released OpenSSL v3.0. OpenSSL v1.1.1 does not support the FIPS object module that allows you to seek a FIPS certification on the OpenSSL implementation. OpenSSL v3.0 more or less integrates that FIPS module into the OpenSSL v3.0 release. We’d really like to be able to use Rocky Linux and still seek a FIPS 140-3 certification. What are the plans, if any, to move Rocky to OpenSSL v3.0?

Remember, Rocky 8 is just a rebuild of upstream RedHat 8. So the official version of OpenSSL will always be what RedHat provides in their distro.

There may be additional repos that offer OpenSSL 3, but the core OS will always match RedHat. And since the whole point of RedHat Enterprise is to be consistent and since OpenSSL-3 has breaking compatibility changes to OpenSSL-1.1 I very very much doubt the core will change.


One could ask: does RHEL 8 have FIPS 140-3? If yes, how?

Good point @sweh . Rocky would move to OpenSSL 3.0 until Red Hat moves. So the real question is when will Red Hat move to v3.0. I guess I’ll go ask in a Red Hat forum. thanks!

@jlehtone - I think it’s a little more complicated than that. RHEL 8’s implementation of OpenSSL does have a FIPS 140-2 certification, but it seems all the functionality to meet the FIPS requirements is added during the Red Hat build process so the source that is shared does not provide the FIPS object module functionality. I think this is one of the things you get when you pay for Red Hat’s built product.
RHEL 8 FIPS: Cryptographic Module Validation Program | CSRC

My guess would be “not before RedHat 9”.

Does anyone have information about updating OpenSSL from the default 1.1.1g to 1.1.1k or 1.1.1l? I have found website instructions, but after trying on 5-6 different VMs, between myself and a coworker, whenever we reboot it doesn't come back up.
After following all the instructions and typing 'openssl version', I confirm I successfully updated it to 1.1.1h or 1.1.1k, but as soon as I reboot, I come to a blank black screen with Rocky Linux at the bottom, and no username/password prompt ever appears.

You shouldn’t replace OS provided libraries with alternate ones. Firstly it may not work, but even if it did then the next time there’s an OS patch for the package it’ll overwrite what you put there. So even if you got 1.1.1k today, tomorrow you might find 1.1.1g put back.

Note that RedHat backport security patches without changing the release version. So RedHat’s 1.1.1g-15 should be fully patched. They also sometimes add functionality, if it’s not a breaking change. So looking at the changelog (rpm -q --changelog openssl) we can see:

* Thu Mar 25 2021 Sahana Prasad <sahana@redhat.com> 1.1.1g-15
- version bump

* Wed Mar 24 2021 Sahana Prasad <sahana@redhat.com> 1.1.1g-14
- CVE-2021-3450 openssl: CA certificate check
  bypass with X509_V_FLAG_X509_STRICT

* Wed Mar 24 2021 Sahana Prasad <sahana@redhat.com> 1.1.1g-13
- Fix CVE-2021-3449 NULL pointer deref in signature_algorithms processing

* Fri Dec 04 2020 Sahana Prasad <sahana@redhat.com> 1.1.1g-12
- Fix CVE-2020-1971 ediparty null pointer dereference

* Mon Nov 02 2020 Tomáš Mráz<tmraz@redhat.com> 1.1.1g-11.1
- Implemented new FIPS requirements in regards to KDF and DH selftests
- Disallow certificates with explicit EC parameters
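To make the point in the post above concrete, here is an added shell example (not from the thread or from Rocky/Red Hat tooling) that contrasts a naive "is the version string new enough" check with a check against the package changelog. The changelog text is a constructed sample copied from the entries quoted above; the table of upstream fix versions inside `naive_check` is an assumption taken from the OpenSSL advisories for those three CVEs. On a live Rocky 8 host the real changelog would be piped in with `rpm -q --changelog openssl`.

```shell
# Added example: decide whether a CVE is covered by the installed openssl
# package using its changelog, not its version string. Red Hat backports
# fixes without bumping 1.1.1g, so the version alone misleads.
#
# On a real host:
#   rpm -q --changelog openssl | cve_fixed CVE-2021-3450
#
# Constructed sample changelog (copied from the entries quoted in the
# thread) so this runs offline without rpm.
SAMPLE_CHANGELOG='* Thu Mar 25 2021 Sahana Prasad <sahana@redhat.com> 1.1.1g-15
- version bump

* Wed Mar 24 2021 Sahana Prasad <sahana@redhat.com> 1.1.1g-14
- CVE-2021-3450 openssl: CA certificate check
  bypass with X509_V_FLAG_X509_STRICT

* Wed Mar 24 2021 Sahana Prasad <sahana@redhat.com> 1.1.1g-13
- Fix CVE-2021-3449 NULL pointer deref in signature_algorithms processing

* Fri Dec 04 2020 Sahana Prasad <sahana@redhat.com> 1.1.1g-12
- Fix CVE-2020-1971 ediparty null pointer dereference'

# cve_fixed CVE-ID   (changelog text on stdin)
# Returns 0 and prints the first matching entry line if the changelog
# mentions the CVE, returns 1 otherwise. Absence only means "not listed":
# it may be unfixed, or it may simply not apply to this build.
cve_fixed() {
    cve="$1"
    # -i because entry wording varies; head so the pipeline exits 0
    match=$(grep -i -- "$cve" | head -n 1)
    [ -n "$match" ] || return 1
    printf '%s\n' "$match"
    return 0
}

# check_sample CVE-ID -> prints "fixed" or "unfixed" using the sample above
check_sample() {
    if printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fixed "$1" >/dev/null; then
        echo fixed
    else
        echo unfixed
    fi
}

# naive_check CVE-ID INSTALLED-VERSION -> "fixed"/"unfixed"/"unknown"
# The wrong way: compare the upstream version that first shipped the fix
# (assumed table from the OpenSSL advisories) against the version string.
# With backports this reports "unfixed" for a patched 1.1.1g-14.
naive_check() {
    case "$1" in
        CVE-2021-3450|CVE-2021-3449) needed=1.1.1k ;;
        CVE-2020-1971)               needed=1.1.1i ;;
        *) echo unknown; return 0 ;;
    esac
    installed="$2"
    # 1.1.1x letter suffixes sort lexically, which is enough here
    lowest=$(printf '%s\n%s\n' "$installed" "$needed" | sort | head -n 1)
    if [ "$installed" = "$needed" ] || [ "$lowest" = "$needed" ]; then
        echo fixed
    else
        echo unfixed
    fi
}

# Stand-alone demonstration of the disagreement between the two checks.
for cve in CVE-2021-3450 CVE-2021-3449 CVE-2020-1971; do
    printf '%s  version-check: %s  changelog-check: %s\n' \
        "$cve" "$(naive_check "$cve" 1.1.1g)" "$(check_sample "$cve")"
done
```

The loop at the bottom shows the mismatch the post describes: every one of the three CVEs reports "unfixed" when judged by the 1.1.1g version string and "fixed" when judged by the backport changelog. Scanners that only read `openssl version` produce exactly this false positive on Rocky and RHEL.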