OpenSSL needs updating for Common Criteria certification

We are currently beginning the process of Common Criteria certification of our SLES 12 SP2 product.

It has come to our attention that the current version of OpenSSL, v1.0.2j-60.11.2, is currently using RSA for key encapsulation (used as part of TLS) that will be non-approved starting in 2018. See section 6 of Starting 2018, this needs to be as per SP 800-56B or else it will not be allowed.

As per the SLES 12 OpenSSL Security Policy (, Table 4 indicates that it is using RSA for key-wrapping using non-compliant schemes, which is allowed till 12/31/2017.
Starting 2018, RSA used for key-wrapping should be implemented as per SP 800-56B key transport scheme.

I would like to know when SUSE plans to update the RSA key encapsulation for OpenSSL provided by SLES 12 SP2.

I’ve asked my SUSE Contacts for further information on this… stay tuned :wink:

Hi Jay,

Malcolm pointed this thread out to me.

As I approached a wider internal audience with this question, it appears as you had also approached the security folks with this same question already.
As it turns out you have also received a direct response on this, and I sincerely hope this business problem is solved for you now.

Best regards