In the case of Bullseye (SONiC 202311), to include fixes for certain CVEs such as (CVE-2023-48795), we see a need to recompile sonic-fips, importing the patches of interest from Debian into the openssh/openssl patchset.
Does this process of recompiling sonic-fips without any changes to the SymCrypt/SymCrypt-OpenSSL repos, but with patches to openssh/openssl etc., and using the built debs, invalidate the FIPS 140-3 certificate?
We wanted to clarify whether the certification also covers specific versions of openssh/openssl and other FIPS-associated packages. If that is the case, we would wait for (#57) to be merged and use the binaries from the public storage.