command 'openssl ciphers -v -provider fips' shows not complain algorithms

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

When I run
  openssl ciphers -v -provider fips | grep TLS_CHACHA20_POLY1305_SHA256

it shows this non complain cipher is available. To add '-propquery fips=yes' argument does not help. IMHO it is not correct behavior.


I have the default and fips providers enabled in openssl.cnf:

  openssl_conf = openssl_init

  .include /usr/local/ssl/fipsmodule.cnf

  [openssl_init]
  providers = provider_sect

  [provider_sect]
  fips = fips_sect
  default = default_sect

  [default_sect]
  activate = 1


For testing I use docker.io/salrashid123/openssl:fips image with modified /usr/local/ssl/openssl.cnf.

When I add 'alg_section = algorithm_sect' to [openssl_init] section defined as follows:

  [algorithm_sect]
  default_properties = fips=yes

the command 'openssl cipher -v' shows just fips compliant ciphers.

I found it when I try to build stunnel 5.62 and one of their test fails. The test uses OSSL_PROVIDER_load() to load fips provider and then set ciphersuite to TLS_CHACHA20_POLY1305_SHA256. Expected results is that there is no complain cipher.
(https://github.com/mtrojnar/stunnel/blob/178822afdefb0798fb937f6b5f43b47c5ab77613/tests/plugins/p11_fips_cipher.py#L78)

Thanks in advance,
- jenda



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux