To be FIPS compliant, you must build the FIPS provider from the 3.0.0 or 3.0.8 source code releases.
The FIPS provider built there will work with OpenSSL 3.1.
Instructions for this are in the README_FIPS.md file in the Installing the FIPS provider and using it with the latest release section.
Dr Paul Dale
On 23/8/23 10:45, Robert Brown via
openssl-users wrote:
Hi,
I'm working on a Windows Program that utilizes the OpenSSL libraries and DLLs. I'm looking to enable FIPS in some cases (where it is required by the user). Currently, I'm looking at restarting the program when the FIPS mode is changed and changing the loaded provider.
I've compiled and installed OpenSSL 3.1 with the enable-fips option, run the fips install, generated the .cnf file, and copied the FIPS module along with the .cnf to my program I'm following the code provided at https://wiki.openssl.org/index.php/OpenSSL_3.0 under the Programmatically loading the FIPS module (default library context) heading. I'm not able to load the FIPS module, the provider value is null.
Is there anything I'm missing here or pointers to reference material folks can provide me?
As a side not I'm wondering if anyone has tips for running the fips-install command on each client as it seems we can't copy config files between machines.
Thanks,
Robert
