Re: Need Help on OpenSSl 3.0.x and FIPS enablement

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Have you read the relevant documentation?  Specifically, the FIPS module guide, the FIPS provider and the migration guide?  These answer most of your questions and can be easy to miss.

With the FIPS provider in OpenSSL 3.0 you will not be able to escape having some configuration in a file.  The FIPS provider does an integrity check on start up and the correct checksum comes from configuration.

As for running on different machines to the build one, the security policy is clear that the checksum configuration cannot be copied between machines:
Note: The Module shall have the self-tests run, and the Module config file output generated on each platform where it is intended to be used. The Module config file output data shall not be copied from one machine to another.
I'll note that following the build and installation instructions from in the security policy is necessary for a FIPS compliant provider.


Pauli

On 1/3/23 04:52, Prasad, PCRaghavendra via openssl-users wrote:

Hi Team,

 

Our team has started migrating from OpenSSL 1.0.2 to OpenSSL 3.0.x version.

We are doing POC for the same on windows and Linux.

 

We have a tight schedule to finish the migration by April 1st week as we need to fix one critical BD issue and support TLS 1.3 feature as well.

 

The team and I are going through multiple docs of OpenSSL 3.x and trying to figure out how to configure fips once we build the OpenSSL.

 

Few things:

  • In openssl 3.0.x Fips module is installed/integrated by default (enable-fips) during the build step
  • Fipsmodule.cnf is present in the default location (c:\usr\local\ssl\)
  • After reading multiple ways on how to enable fips, one way is the config way where we need to change few params in openssl.cnf
  • By changing that and we did the test using openssl.exe ( sha1 passed and md5 failed) all good
  • Now the challenge is we need to set the fips enablement programmatically which we were going through multiple docs (openssl and some forums)
  • Till now we used OpenSSL 1.0.2 where the fipsmodule is embedded in libcrypto and we need to set it at the beginning of the application (fips_mode_set()) and everything else is taken care by default.
  • Now with OpenSSL 3.0.x how to set that fips mode for the entire application is not very clear
  • Very where they are talking about the config files, our application is a standalone application that bundles all the required libs(crypto/SSL) and runs on its own, it will not refer to any system config/lib files
  • So our doubt is if we build on the application on build machine containing OpenSSL 3.0.x and create an artifact. We need to run on different machines.
  • In OpenSSL 3.0.x is there any hard dependency on the .cnf files should we carry them in our artifact and if so should we install them in the default path like ( C:\usr or /us/local) which we were not doing till now?

 

Any input on this will be really helpful

 

Thanks,

Raghavendra


Internal Use - Confidential


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux