-
We are using FIPS provider as recommended but still using Legacy API and not new API EVP* as recommended in: We want to understand if in your version of openssl 3.1.8 we are required to do so or we can keep using Legacy API. Should we switch to new API in order to be FIPS or not?
-
Generally speaking we advise against using deprecated APIs if FIPS compliance is important. Many of these deprecated APIs perform crypto operations but avoid the FIPS provider, and so would mean you are not compliant. In particular all of these ones look highly suspect and will almost certainly void your compliance: The other ones you list are less clear. But I would avoid those too for clarity.
-
FIPS compliance relies on the module being approved by an independent laboratory accredited by NIST. Calling the low level functions directly does not use the FIPS provider, so it is not compliant.
Matt's answer was not direct enough:
If you use legacy APIs, you are not FIPS compliant.
That answers the follow-up question too (you wouldn't be compliant).
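
An added example, not part of the thread and not OpenSSL project code: a small Python scanner that flags calls to low-level functions deprecated in OpenSSL 3.0, so each one can be reviewed and moved to the EVP API. The function list is a short assumed sample (the list from the original question is not shown on this page), and the C input is constructed for the example.

```python
import re

# Assumption: a short sample of low-level functions deprecated in OpenSSL 3.0.
# It is not the list from the original question, which this page does not show.
LEGACY_CALLS = (
    "SHA256_Init", "SHA256_Update", "SHA256_Final", "MD5_Init",
    "AES_set_encrypt_key", "AES_encrypt", "AES_cbc_encrypt",
    "DES_ecb_encrypt", "HMAC_Init_ex",
    "RSA_public_encrypt", "RSA_private_decrypt",
)
CALL_RE = re.compile(r"\b(" + "|".join(LEGACY_CALLS) + r")\s*\(")
# C comments and string literals, where a function name is not a call.
NON_CODE_RE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"', re.DOTALL)

# Constructed sample input: one legacy digest routine and one EVP routine.
SAMPLE_C = r'''
#include <openssl/sha.h>
#include <openssl/evp.h>

/* old path: SHA256_Init(&c) is mentioned here only in a comment */
void digest_legacy(const unsigned char *p, size_t n, unsigned char *out) {
    SHA256_CTX c;
    SHA256_Init(&c);
    SHA256_Update(&c, p, n);
    SHA256_Final(out, &c);
}

int digest_evp(const unsigned char *p, size_t n, unsigned char *out) {
    unsigned int len = 0;
    EVP_MD *md = EVP_MD_fetch(NULL, "SHA2-256", "fips=yes");
    int ok = md != NULL && EVP_Digest(p, n, out, &len, md, NULL);
    EVP_MD_free(md);
    return ok;
}
'''

def _blank(match):
    # Replace with spaces but keep newlines so line numbers still match the file.
    return re.sub(r"[^\n]", " ", match.group(0))

def find_legacy_calls(source):
    """Return (line_number, function_name) pairs for legacy calls, in file order."""
    code = NON_CODE_RE.sub(_blank, source)
    return [(code.count("\n", 0, m.start()) + 1, m.group(1)) for m in CALL_RE.finditer(code)]

if __name__ == "__main__":
    for line, name in find_legacy_calls(SAMPLE_C):
        print(f"line {line}: {name}() is a deprecated low-level call, review for EVP")
```

A clean result only means none of the listed names were found; it does not establish compliance.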