diff options
author | Pauli <pauli@openssl.org> | 2023-01-19 11:16:40 +1100 |
---|---|---|
committer | Hugo Landau <hlandau@openssl.org> | 2023-01-24 12:35:36 +0000 |
commit | 8353b2dfacd723db5ba8b833b95e68e9600d1cf5 (patch) | |
tree | 5fb6196f1800c212092537dd168f7a5aa496b593 /doc/man7/migration_guide.pod | |
parent | bfd5680e6be789fd554acf2ad34428816a644eec (diff) | |
download | openssl-new-8353b2dfacd723db5ba8b833b95e68e9600d1cf5.tar.gz |
fips: document that the EdDSA algorithms are not-validated
Ed25519 and Ed448 are included in the FIPS 140-3 provider for
compatibility purposes but are flagged as "fips=no" to prevent their accidental
use. This therefore requires that applications always specify the "fips=yes"
property query to enforce FIPS correctness.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20079)
Diffstat (limited to 'doc/man7/migration_guide.pod')
-rw-r--r-- | doc/man7/migration_guide.pod | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/doc/man7/migration_guide.pod b/doc/man7/migration_guide.pod index 8bd44a6ce7..e82471370f 100644 --- a/doc/man7/migration_guide.pod +++ b/doc/man7/migration_guide.pod @@ -20,7 +20,19 @@ L<crypto(7)>. =head2 Main Changes from OpenSSL 3.0 -There are no changes requiring additional migration measures since OpenSSL 3.0. +The FIPS provider in OpenSSL 3.1 includes some non-FIPS validated algorithms, +consequently the property query C<fips=yes> is mandatory for applications that +want to operate in a FIPS approved manner. The algorithms are: + +=over 4 + +=item Triple DES + +=item EdDSA + +=back + +There are no other changes requiring additional migration measures since OpenSSL 3.0. =head1 OPENSSL 3.0 |