On 26/01/2022 11:27, Jan Lana wrote:
> Hi,
> When I run
>
> openssl ciphers -v -provider fips | grep TLS_CHACHA20_POLY1305_SHA256
>
> it shows this non-compliant cipher is available.

This looks correct behaviour to me. Your openssl.cnf file is explicitly
activating the default provider. The "-provider" option is additive.
Since your config file activates the default provider, you end up with
both the default and fips providers active.

> Adding the '-propquery fips=yes' argument does not help. IMHO it is not
> correct behavior.

This is a bug. Fix here:
https://github.com/openssl/openssl/pull/17595

Matt
> I have the default and fips providers enabled in openssl.cnf:
>
> openssl_conf = openssl_init
> .include /usr/local/ssl/fipsmodule.cnf
>
> [openssl_init]
> providers = provider_sect
>
> [provider_sect]
> fips = fips_sect
> default = default_sect
>
> [default_sect]
> activate = 1
>
> For testing I use the docker.io/salrashid123/openssl:fips image with a
> modified /usr/local/ssl/openssl.cnf.
>
> When I add 'alg_section = algorithm_sect' to the [openssl_init] section,
> defined as follows:
>
> [algorithm_sect]
> default_properties = fips=yes
>
> the command 'openssl cipher -v' shows just FIPS-compliant ciphers.
>
> I found it when I tried to build stunnel 5.62 and one of their tests fails.
> The test uses OSSL_PROVIDER_load() to load the fips provider and then sets
> the ciphersuite to TLS_CHACHA20_POLY1305_SHA256. The expected result is that
> there is no compliant cipher.
> (https://github.com/mtrojnar/stunnel/blob/178822afdefb0798fb937f6b5f43b47c5ab77613/tests/plugins/p11_fips_cipher.py#L78)
>
> Thanks in advance,
> - jenda
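The point Matt makes is a configuration one: with both providers activated, the fips provider alone does not restrict algorithm selection, and Jan's follow-up shows that a `default_properties = fips=yes` line is what narrows it. The script below is an added example (not code from the thread, OpenSSL or stunnel) that audits an openssl.cnf for exactly that combination. It embeds a constructed copy of the config from the thread, a constructed stand-in for the included fipsmodule.cnf (only its `activate = 1` line matters here), and the `alg_section` variant; the parser is a deliberately minimal reading of the OpenSSL config syntax (sections, `key = value`, `.include`) and the function names are mine.

```python
"""Audit an OpenSSL 3 openssl.cnf: which providers are activated, and is a
FIPS-only default property query set? (added example, not from the thread)"""
import re

# Constructed sample mirroring the openssl.cnf quoted in the thread.
SAMPLE_CNF = """\
openssl_conf = openssl_init
.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect

[provider_sect]
fips = fips_sect
default = default_sect

[default_sect]
activate = 1
"""

# Constructed stand-in for the file 'openssl fipsinstall' writes; a real one
# carries more keys, but activation is all this check needs.
FAKE_INCLUDES = {
    "/usr/local/ssl/fipsmodule.cnf": "[fips_sect]\nactivate = 1\n",
}

# The same config with Jan's alg_section / default_properties addition.
FIPS_ONLY_CNF = SAMPLE_CNF.replace(
    "providers = provider_sect\n",
    "providers = provider_sect\nalg_section = algorithm_sect\n",
) + "\n[algorithm_sect]\ndefault_properties = fips=yes\n"


def parse_cnf(text, includes=None, sections=None, missing=None):
    """Minimal parser: returns ({section: {key: value}}, [unresolved includes]).
    The unnamed top section is stored under ''. Included files are looked up in
    the 'includes' mapping (path -> text) so the example runs offline."""
    includes = includes if includes is not None else {}
    sections = sections if sections is not None else {"": {}}
    missing = missing if missing is not None else []
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith(".include"):
            path = line[len(".include"):].strip()
            if path.startswith("="):          # '.include = path' form
                path = path[1:].strip()
            if path in includes:
                parse_cnf(includes[path], includes, sections, missing)
            else:
                missing.append(path)
            continue
        m = re.match(r"^\[\s*(.+?)\s*\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections, missing


def _init_section(sections):
    return sections.get(sections[""].get("openssl_conf", ""), {})


def active_providers(sections):
    """Provider names whose section has 'activate = 1', following the
    openssl_conf -> providers -> per-provider section chain."""
    prov = sections.get(_init_section(sections).get("providers", ""), {})
    return sorted(name for name, sect in prov.items()
                  if sections.get(sect, {}).get("activate") == "1")


def default_properties(sections):
    """Value of default_properties in the alg_section, or None if unset."""
    alg = sections.get(_init_section(sections).get("alg_section", ""), {})
    return alg.get("default_properties")


def audit(text, includes=None):
    sections, missing = parse_cnf(text, includes)
    active = active_providers(sections)
    props = default_properties(sections)
    findings = [f"unresolved .include {p}: its provider activation is unknown"
                for p in missing]
    if "fips" not in active:
        findings.append("fips provider is not activated by this configuration")
    elif "default" in active and "fips=yes" not in (props or ""):
        findings.append("default provider is activated alongside fips and no "
                        "default_properties = fips=yes is set: non-FIPS "
                        "algorithms remain selectable")
    return {"active": active, "default_properties": props, "findings": findings}


if __name__ == "__main__":
    for label, cnf in (("as posted", SAMPLE_CNF), ("with alg_section", FIPS_ONLY_CNF)):
        print(label, audit(cnf, FAKE_INCLUDES))
```

Run against the posted config the audit reports both providers active and no default property query; the `alg_section` variant clears the finding. Treat the result as a configuration check only: it says nothing about what a process loading providers itself (as the stunnel test does via OSSL_PROVIDER_load()) ends up with.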