|
Thomas, > I consider this a bug, of course, but at least now I know what's causing it and how to work around it. thanks for sharing your analysis. Would you mind creating a
GitHub issue for the hang? https://github.com/openssl/openssl/issues Matthias From: openssl-users <openssl-users-bounces@xxxxxxxxxxx>
On Behalf Of Thomas Dwyer III It turns out the problem was caused by a misinterpretation of the phrase "add the following lines near the beginning" in section 7.1 of the documentation at
https://wiki.openssl.org/index.php/OpenSSL_3.0 for enabling FIPS support. I added these lines to the very top of the file: openssl_conf = openssl_init
.include /usr/local/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect This caused the existing default section to now become part of the [provider_sect] section. Apparently any name=value line in that particular section where no [value] section exists causes OpenSSL to hang at exit when the FIPS provider
is used. I consider this a bug, of course, but at least now I know what's causing it and how to work around it. Regarding how to confirm which provider is actually providing a given algorithm, I found that EVP_MD_provider() returns NULL for any EVP_MD obtained via EVP_get_digestbyname() (even after it's used successfully by EVP_DigestInit_ex()) but
it returns a valid OSSL_PROVIDER for any EVP_MD obtained via EVP_MD_fetch(). Is this intentional? Tom.III |
