On 01/20/2016 02:00 AM, cloud force wrote:
> Hi everyone,
>
> From the openssl tips doc it said the power-on self-tests need to be run
> when the system comes up.
>
> If I have multiple applications which use the openssl crypto functions
> (under fips mode), does each of these applications need to run the
> power-on self-tests?
>
> Also if the openssl fips modules are installed on a Linux server, what
> is the best way to run the power-on self-tests (e.g. run within init.d
> script or upstart scripts or run by a daemon)?

The POST is run automagically when your application code calls
FIPS_mode_set(). For most platforms including Linux the shared library
has non-writable code/data area(s) shared among all calling processes,
and writable data area(s) private to each such process. The library
state information resides in the private writable areas, of course, so
each such process will need to independently call FIPS_mode_set().

Keep in mind that the POST doesn't really do anything useful, it is an
ideological requirement from the dim mists of history. As such you
cannot enable FIPS mode without also invoking the POST.

Note this means that one set of shared libraries can be used for all
processes, both those that care about FIPS 140-2 and those that don't.
The OpenSSL + OpenSSL FIPS module combination (the "FIPS capable"
OpenSSL) was designed for such dual use so that the FIPS behavior
wouldn't be seen *unless* FIPS_mode_set() was called.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc