On 09/14/2015 05:21 PM, security veteran wrote:
> I asked this question from a different thread, but thought it may be the
> best to start a new thread to discuss this question since it sounds like
> a big deal to me.
>
> I've built an openssl library with the FIPS objects modules, and I was
> testing the new lib files by replacing the original library files such
> as libcrypto.so with the new ones.
>
> From the FIPS user guide I understand that any applications which need
> to use the OpenSSL FIPS modules will need to run the API FIPS_mode_set
> to enable the FIPS mode.
>
> This sounds like a big issue to me: there are many other libraries/services
> which depend on OpenSSL. For example, Python, Apache, PostgreSQL, etc.
>
> If the FIPS_mode_set API needs to be invoked in order to enable the
> FIPS mode, how can we make third party libraries/services like Python and
> Apache invoke this API?
>
> Is there any other way to make the FIPS mode always enabled?

Well ... yes and no. It depends.

The OpenSSL FIPS module User Guide (https://openssl.org/docs/fips/UserGuide-2.0.pdf) discusses use of the OPENSSL_config() call and the global openssl.conf configuration file. In theory you could toggle FIPS mode for all the applications on a system in one swell foop.

In practice it's not that easy, because when you enable FIPS mode you also automatically disable use of all "non-allowed" cryptography. Many applications not specifically written to accommodate the restrictions of the FIPS module may not behave gracefully. Some (OpenSSH for instance) require extensive hacks for FIPS mode.

Apache httpd does have native FIPS support, but you'll need to invoke the right buildtime and runtime options; the typical httpd binary install won't have FIPS support.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710 USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
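Added example (not from the thread or from the OpenSSL project): the configuration-file route the reply refers to, for an OpenSSL 1.0.x build with the FIPS module. The directive names are the ones OpenSSL 1.0.x's "alg_section" config module handles; the file path is an assumption and depends on the build's OPENSSLDIR.

```ini
# Global OpenSSL 1.0.x configuration (path assumed: the OPENSSLDIR of the
# FIPS-capable build, i.e. the directory printed by `openssl version -d`).
#
# Only processes that load this file (via OPENSSL_config()/OPENSSL_init or
# the openssl command-line tool) are affected. A program that never calls
# OPENSSL_config() stays in non-FIPS mode no matter what this file says,
# which is why Python, PostgreSQL etc. are not automatically covered.

openssl_conf = openssl_init

[openssl_init]
# The alg_section module is the one that parses fips_mode.
alg_section = algs

[algs]
# Makes libcrypto call FIPS_mode_set(1) while the configuration is loaded.
# If the FIPS module fails its power-up self-tests, or libcrypto was built
# without the FIPS module, loading the configuration fails with an error
# instead of silently continuing in non-FIPS mode.
fips_mode = yes
```

A quick check that the setting took effect: with OPENSSL_CONF pointing at this file, `openssl md5 /dev/null` should fail rather than print a digest, because MD5 is one of the non-allowed algorithms; an application that expects that digest is exactly the kind of breakage the reply warns about.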