On Tue, May 05, 2015 at 04:06:38PM -0500, xxiao8 wrote:

> I'm trying to make wpa_supplicant fips-safe and one step is to set up:

The phrase "fips-safe" is a rather odd choice. I think you mean something along the lines of "FIPS compliant". For that you'd need to use a FIPS-capable OpenSSL release and arrange to enable "FIPS mode".

> #openssl_ciphers=DEFAULT:!EXP:!LOW
> (based on http://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf)

In FIPS mode, openssl should automatically disable non-compliant algorithms.

> Is there a way somehow to set up a FIPS suite for openssl_ciphers, something
> like:
>
> openssl_ciphers=FIPS?

To comply with FIPS, you need to enable FIPS mode; customizing cipher lists does not do that. On page 23, and in section 5.2 of:

    https://www.openssl.org/docs/fips/UserGuide-1.1.1.pdf

you'll learn that setting the environment variable OPENSSL_FIPS=1 turns on FIPS mode in a FIPS-capable OpenSSL. Alternatively, the application can call FIPS_mode_set(), or use OpenSSL_config() with a suitable configuration file and choice of "section" name.

-- 
Viktor.
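
A configuration file of the kind the reply mentions, shown as an added example that is not part of the original message. It uses the `alg_section` / `fips_mode` setting documented in config(5) for FIPS-capable OpenSSL 1.0.x; the section labels `openssl_init` and `evp_settings` are arbitrary names chosen for this example.

```ini
# Constructed example for a FIPS-capable OpenSSL 1.0.x build.
# Section labels (openssl_init, evp_settings) are arbitrary names chosen here.

# Must appear in the default (unnamed) section at the top of the file.
openssl_conf = openssl_init

[openssl_init]
# Points at the section that holds algorithm settings.
alg_section = evp_settings

[evp_settings]
# Ask the library to enter FIPS mode when this configuration is loaded.
# Loading fails if the library is not FIPS-capable or its self-tests fail.
fips_mode = yes
```

The file only takes effect if the application actually loads the OpenSSL configuration. An application that passes its own name to the config call looks up that key in the default section in place of `openssl_conf`.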