Re: [SOLVED] Re: OpenSSL 3.0 hangs at exit with FIPS provider


 



I just created https://github.com/openssl/openssl/issues/12496 for this.


Regards,
Tom.III


On Sat, Jul 18, 2020 at 1:06 AM Dr. Matthias St. Pierre <Matthias.St.Pierre@xxxxxxxxx> wrote:

Thomas,

 

> I consider this a bug, of course, but at least now I know what's causing it and how to work around it.

 

thanks for sharing your analysis. Would you mind creating a GitHub issue for the hang?

 

https://github.com/openssl/openssl/issues

 

Matthias

 

 

 

NCP engineering GmbH Dr. Matthias St. Pierre

Senior Software Engineer
matthias.st.pierre@xxxxxxxxx
Phone: +49 911 9968-0
www.ncp-e.com



From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> On Behalf Of Thomas Dwyer III
Sent: Friday, July 17, 2020 6:57 PM
To: openssl-users <openssl-users@xxxxxxxxxxx>
Subject: [SOLVED] Re: OpenSSL 3.0 hangs at exit with FIPS provider

 

It turns out the problem was caused by a misinterpretation of the phrase "add the following lines near the beginning" in section 7.1 of the documentation at https://wiki.openssl.org/index.php/OpenSSL_3.0 for enabling FIPS support. I added these lines to the very top of the file:

 

openssl_conf = openssl_init
 
.include /usr/local/ssl/fipsmodule.cnf
 
[openssl_init]
providers = provider_sect
 
[provider_sect]
fips = fips_sect

 

This caused the existing default section to now become part of the [provider_sect] section. Apparently any name=value line in that particular section where no [value] section exists causes OpenSSL to hang at exit when the FIPS provider is used. I consider this a bug, of course, but at least now I know what's causing it and how to work around it.

 

Regarding how to confirm which provider is actually providing a given algorithm, I found that EVP_MD_provider() returns NULL for any EVP_MD obtained via EVP_get_digestbyname() (even after it's used successfully by EVP_DigestInit_ex()) but it returns a valid OSSL_PROVIDER for any EVP_MD obtained via EVP_MD_fetch(). Is this intentional?

 

 

Tom.III
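
The section-capture effect described in the message above can be checked mechanically. The following is an added example, not code from the thread or from the OpenSSL project: a minimal reader for openssl.cnf-style files that reports names in the providers section whose value is not a defined section. The sample file contents, the stand-in fipsmodule.cnf text and all function names are constructed for illustration, and the parser is a simplification (no variable expansion, no quoting).

```python
import re

SECTION = re.compile(r"^\[\s*([^\]\s]+)\s*\]$")
ASSIGN = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")
INCLUDE = re.compile(r"^\.include\s*=?\s*(\S+)$")

# Constructed samples (not from the thread): stand-in fipsmodule.cnf content and
# an existing openssl.cnf whose first lines live in the unnamed default section.
INCLUDES = {"/usr/local/ssl/fipsmodule.cnf": "[fips_sect]\nactivate = 1\n"}
FIPS_LINES = """openssl_conf = openssl_init
.include /usr/local/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
"""
DEFAULT_LINES = "HOME = .\noid_section = new_oids\n"
NAMED_SECTIONS = "[new_oids]\n"
BROKEN = FIPS_LINES + DEFAULT_LINES + NAMED_SECTIONS   # pasted at the very top
FIXED = DEFAULT_LINES + FIPS_LINES + NAMED_SECTIONS    # default lines stay first

def expand(text, includes):
    """Yield non-empty lines with '#' comments stripped and .include inlined."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = INCLUDE.match(line)
        if m:
            yield from expand(includes.get(m.group(1), ""), includes)
        elif line:
            yield line

def parse(text, includes=None):
    """Return {section: {name: value}}; lines before any header go to 'default'."""
    sections, current = {"default": {}}, "default"
    for line in expand(text, includes or {}):
        if (m := SECTION.match(line)):
            current = m.group(1)
            sections.setdefault(current, {})
        elif (m := ASSIGN.match(line)):
            sections[current][m.group(1)] = m.group(2).strip()
    return sections

def dangling_providers(sections):
    """Names in the providers section whose value is not a defined [section]."""
    init = sections["default"].get("openssl_conf")
    prov = sections.get(init, {}).get("providers")
    return sorted(n for n, v in sections.get(prov, {}).items() if v not in sections)

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, dangling_providers(parse(text, INCLUDES)))
```

Running the same check against a real configuration before enabling the FIPS provider shows whether any former default-section entries have ended up under the providers section.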

 

