Hello,
We are in the process of building and deploying OpenSSL with the FIPS module. We want to make sure we are doing it the right way, and have a few questions:
**Config file**
Are there any stipulations on the contents of the config file? Our preferred plan is to have a minimal openssl.cnf file, with following contents, that in turn references the fips config file:
openssl.cnf:
config_diagnostics = 1
openssl_conf = openssl_init
.include = fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
base = base_sect
fips = fips_sect
[base_sect]
activate = 1
fipsmodule.cnf:
[fips_sect]
activate = 1
install-version = 1
conditional-errors = 1
security-checks = 1
module-mac = <module-mac>
install-mac = <install-mac>
install-status = INSTALL_SELF_TEST_KATS_RUN
An alternate plan for the config file is to merge both of the above into a single config file, and load it.
We are in the process of building and deploying OpenSSL with the FIPS module. We want to make sure we are doing it the right way, and have a few questions:
**Config file**
Are there any stipulations on the contents of the config file? Our preferred plan is to have a minimal openssl.cnf file, with following contents, that in turn references the fips config file:
openssl.cnf:
config_diagnostics = 1
openssl_conf = openssl_init
.include = fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
base = base_sect
fips = fips_sect
[base_sect]
activate = 1
fipsmodule.cnf:
[fips_sect]
activate = 1
install-version = 1
conditional-errors = 1
security-checks = 1
module-mac = <module-mac>
install-mac = <install-mac>
install-status = INSTALL_SELF_TEST_KATS_RUN
An alternate plan for the config file is to merge both of the above into a single config file, and load it.
Any concerns with either of the above options?
**FIPS self-tests**
From the docs, I see two alternatives to do the FIPS self-tests: (i) Doing "make install_fips" on each instance, or (ii) Running the openssl tool with fipsinstall option.
The former is not feasible for us since we cannot/don't want to build openssl on each endpoint. Which leaves the latter ("openssl fipsinstall") as the only feasible option.
**FIPS self-tests**
From the docs, I see two alternatives to do the FIPS self-tests: (i) Doing "make install_fips" on each instance, or (ii) Running the openssl tool with fipsinstall option.
The former is not feasible for us since we cannot/don't want to build openssl on each endpoint. Which leaves the latter ("openssl fipsinstall") as the only feasible option.
Is this understanding correct? And in particular, "openssl fipsinstall" is an acceptable choice to do the fips self-tests, correct?
**Building different openssl assets at different versions**
We obviously want to use the fips module fully complying with its certification. In particular, we will be building the fips module off OpenSSL 3.0.8.
There are a few other assets we require: the static libcrypto and libssl libs, and the openssl tool. We plan to build these off the latest 3.0.x release, which happens to be 3.0.9 currently. This is so as to benefit from any fixes that are in the latest version.
Is the above fine? ie building the static libcrypto and libssl libs and the openssl tool (and any other non-fips assets) off 3.0.9, and using them in conjunction with the 3.0.8 fips provider?
**Building different openssl assets at different versions**
We obviously want to use the fips module fully complying with its certification. In particular, we will be building the fips module off OpenSSL 3.0.8.
There are a few other assets we require: the static libcrypto and libssl libs, and the openssl tool. We plan to build these off the latest 3.0.x release, which happens to be 3.0.9 currently. This is so as to benefit from any fixes that are in the latest version.
Is the above fine? ie building the static libcrypto and libssl libs and the openssl tool (and any other non-fips assets) off 3.0.9, and using them in conjunction with the 3.0.8 fips provider?
Thanks
-Vivek
