[openssl-users] openssl_ciphers in wpa_supplicant.conf
Viktor Dukhovni
openssl-users at dukhovni.org
Wed May 6 04:58:39 UTC 2015
On Tue, May 05, 2015 at 04:06:38PM -0500, xxiao8 wrote:
> I'm trying to make wpa_supplicant fips-safe and one step is to set up:
The phrase "fips-safe" is a rather odd choice. I think you mean
something along the lines of "FIPS compliant". For that you'd need
to use a FIPS-capable OpenSSL release and arrange to enable "FIPS
mode".
> #openssl_ciphers=DEFAULT:!EXP:!LOW
> (based on http://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf)
In FIPS mode, openssl should automatically disable non-compliant
algorithms.
> Is there a way somehow to set up a FIPS suite for openssl_ciphers, something
> like:
>
> openssl_ciphers=FIPS?
To comply with FIPS, you need to enable FIPS mode; customizing
cipher lists does not do that. On page 23, and in section 5.2 of:
https://www.openssl.org/docs/fips/UserGuide-1.1.1.pdf
you'll learn that setting the environment variable OPENSSL_FIPS=1
turns on FIPS mode in a FIPS-capable OpenSSL. Alternatively, the
application can call FIPS_mode_set(), or use OpenSSL_config() with
a suitable configuration file and choice of "section" name.
--
Viktor.
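
The configuration-file route mentioned in the reply, set beside the cipher-list setting from the question, as an added example that is not part of the original message or of either project's shipped configuration. It assumes a FIPS-capable OpenSSL 1.0.x build and an application that loads the OpenSSL configuration with the default section name openssl_conf; the section names openssl_init and evp_settings are arbitrary choices made here.

```ini
# --- wpa_supplicant.conf ---
# Narrows the TLS cipher list only; it does not put OpenSSL into FIPS mode.
openssl_ciphers=DEFAULT:!EXP:!LOW

# --- openssl.cnf ---
# Read only if the application loads the OpenSSL configuration file
# (assumption: default section name "openssl_conf").
# This line must come before the first [section] header.
openssl_conf = openssl_init

[openssl_init]
# Points at the section holding the EVP algorithm settings.
alg_section = evp_settings

[evp_settings]
# Requests FIPS mode at configuration time; this is a configuration
# error on an OpenSSL build that is not FIPS-capable.
fips_mode = yes
```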