Re: OpenSSL 3.0 FIPS questions

[Jason Schultz <jetson23@xxxxxxxxxxx>]

Thanks again. I think most of that makes sense. Going back to your initial response, there is something I'm not clear on. 

The second method you explained (which I don't plan to use) starting with "Alternatively,..." included the calls to OSSL_PRIVIDER_load(), and then discussed calling the following API for FIPS:

   EVP_set_default_properties(NULL, “fips=yes”);

Was the EVP_set_default_properties() call specifically and only for the 2nd method, or did that API call apply to both the first and second methods you explained? From reading the doc for that call, it seems like I should be doing it if I use the first method as well.

Regards,

Jason

---

From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> on behalf of Dr Paul Dale <pauli@xxxxxxxxxxx>
Sent: Sunday, October 24, 2021 11:12 PM
To: openssl-users@xxxxxxxxxxx <openssl-users@xxxxxxxxxxx>
Subject: Re: OpenSSL 3.0 FIPS questions

 

The configuration shouldn't have much impact.  You will need a fips section specifying where the integrity check data are.  You shouldn't need base or default sections.


Pauli

On 25/10/21 5:23 am, Jason Schultz wrote:

Thank you for your response. I think all of that makes sense, and seems to accomplish what I want programmatically, limiting it to my application. I guess the only question I have is what about the config files? Should they remain as they were installed, or do I need to provide sections for fips, base, default, etc?

Regards,

Jason

---

From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> on behalf of Dr Paul Dale <pauli@xxxxxxxxxxx>
Sent: Sunday, October 24, 2021 12:28 AM
To: openssl-users@xxxxxxxxxxx <openssl-users@xxxxxxxxxxx>
Subject: Re: OpenSSL 3.0 FIPS questions

 

Oops, the second time this occurs "defp = OSSL_PROVIDER_load(non_fips_libctx, "default");" it should be "defp = OSSL_PROVIDER_load(NULL, "default");"


Pauli

On 24/10/21 10:06 am, Dr Paul Dale wrote:

defp = OSSL_PROVIDER_load(non_fips_libctx, "default");