On 09/29/2016 12:40 PM, Troy Smoke wrote:
> I am in the position of evaluating products that have (or claim to have)
> implemented the OpenSSL FIPS module.
>
> I would like to be able to run a command or run the FIPS
> self-test on command, for the purpose of verifying if OpenSSL is
> operating in FIPS mode.
>
> ...

Keep in mind that "OpenSSL" itself doesn't "operate in FIPS mode". OpenSSL is a set of shared libraries which may be instantiated different ways by different calling applications. Application A may enable FIPS mode while application B referencing the same shared libraries doesn't. "OpenSSL" itself is never "operating in FIPS mode" independently of any applications; the term is meaningful only in the context of a specific application/process.

A related question is "Does this OpenSSL install support use of the FIPS module?" We call OpenSSL built that way a "FIPS capable" OpenSSL; "capable" because calling applications can elect to enable FIPS mode (or not).

To see if a specific install of OpenSSL 1.0.1/1.0.2 was built as FIPS capable, you can run the command (application):

  OPENSSL_FIPS=1 openssl md5 < /dev/null

It will throw errors if the "openssl" command is from a FIPS capable OpenSSL; either for a self test failure (unlikely) or because of the disallowed algorithm. If not from a FIPS capable OpenSSL you just see the message "FIPS mode not supported."

Note that tells you nothing about whether another application has enabled FIPS mode, though. For that you need to look under the hood of that application (i.e. ask the vendor).

-Steve M.

--
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
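The probe Steve describes, wrapped so its three possible outcomes are told apart, as an added example that is not part of the original thread. It assumes (not stated in the message) that any non-zero exit without the "FIPS mode not supported." text means FIPS mode was entered and md5 was refused, and that a clean exit 0 means the OPENSSL_FIPS variable was ignored, i.e. this is not a 1.0.x FIPS capable build.

```shell
#!/bin/sh
# Added example, not code from the original message. Classifies the result of
#   OPENSSL_FIPS=1 openssl md5 < /dev/null
# for an OpenSSL 1.0.1/1.0.2 install. The exact wording of the error a FIPS
# capable build prints is not assumed; only the "FIPS mode not supported."
# message from the message above is matched literally.

# classify_fips_probe STATUS STDERR_TEXT -> prints one of three labels
classify_fips_probe() {
    status=$1
    errtext=$2
    case "$errtext" in
        *"FIPS mode not supported"*)
            # library was built without the FIPS module
            echo "not-fips-capable" ;;
        *)
            if [ "$status" -ne 0 ]; then
                # FIPS mode was entered and md5 was refused (or a self test failed)
                echo "fips-capable"
            else
                # md5 ran fine: OPENSSL_FIPS had no effect (assumption: not a 1.0.x build)
                echo "env-ignored"
            fi ;;
    esac
}

# probe_openssl_fips [OPENSSL_BINARY]: run the probe against a real binary.
# Prints the label and always returns 0 so it is safe under 'set -e'.
probe_openssl_fips() {
    bin=${1:-openssl}
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo "openssl-not-found"
        return 0
    fi
    tmp=$(mktemp)
    # the probe itself: request FIPS mode, then ask for a FIPS-disallowed digest
    if OPENSSL_FIPS=1 "$bin" md5 </dev/null >/dev/null 2>"$tmp"; then
        rc=0
    else
        rc=$?
    fi
    errtext=$(cat "$tmp")
    rm -f "$tmp"
    classify_fips_probe "$rc" "$errtext"
}

# Run against the openssl on PATH. As the message notes, this only says whether
# the library is FIPS capable, not whether any application enabled FIPS mode.
probe_openssl_fips
```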