[openssl-users] openssl_ciphers in wpa_supplicant.conf

Viktor Dukhovni openssl-users at dukhovni.org
Wed May 6 04:58:39 UTC 2015


On Tue, May 05, 2015 at 04:06:38PM -0500, xxiao8 wrote:

> I'm trying to make wpa_supplicant fips-safe and one step is to set up:

The phrase "fips-safe" is a rather odd choice.  I think you mean
something along the lines of "FIPS compliant".  For that you'd need
to use a FIPS-capable OpenSSL release and arrange to enable "FIPS
mode".

> #openssl_ciphers=DEFAULT:!EXP:!LOW
> (based on http://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf)

In FIPS mode, openssl should automatically disable non-compliant
algorithms.

> Is there a way somehow to set up a FIPS suite for openssl_ciphers, something
> like:
>
> openssl_ciphers=FIPS?

To comply with FIPS, you need to enable FIPS mode, customizing
cipher lists does not do that.  On page 23, and in section 5.2 of:

    https://www.openssl.org/docs/fips/UserGuide-1.1.1.pdf

you'll learn that setting the environment variable OPENSSL_FIPS=1
turns on FIPS mode in a FIPS-capable OpenSSL.  Alternatively, the
application can call FIPS_mode_set(), or use OpenSSL_config() with
a suitable configuration file and choice of "section" name.

-- 
	Viktor.
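An added example, not part of Viktor's reply or of the wpa_supplicant project, of the OpenSSL_config() route described above: a minimal openssl.cnf fragment that switches a FIPS-capable OpenSSL 1.0.x build into FIPS mode when the library loads its configuration. The section names openssl_init and alg_sect are arbitrary choices made here; the fips_mode directive and the alg_section key are the ones the config(5) manual documents for FIPS-capable builds.

```ini
# Added example (not from the original post): minimal openssl.cnf fragment
# that enables FIPS mode through the configuration-module mechanism used by
# OpenSSL_config() and by the openssl command-line tool.
# Needs a FIPS-capable OpenSSL 1.0.x linked against the FIPS Object Module;
# on an ordinary build the fips_mode directive is rejected at config load,
# which is a useful signal that the build is not FIPS-capable.

# Entry point read by OpenSSL_config(). "openssl_init" is the "section" name
# Viktor refers to; an application may pass its own section name instead
# of relying on this default.
openssl_conf = openssl_init

[openssl_init]
# Hand the algorithm module the section that carries fips_mode.
alg_section = alg_sect

[alg_sect]
# Equivalent to calling FIPS_mode_set(1) or exporting OPENSSL_FIPS=1 before
# the library initializes. Once active, non-approved algorithms (MD5, RC4,
# the EXP/LOW cipher suites, ...) are disabled by the library itself, so no
# separate FIPS cipher list is needed in openssl_ciphers=.
fips_mode = yes
```

Quick check once the file is in place: point OPENSSL_CONF at it and run `openssl md5 /dev/null`; in FIPS mode the MD5 digest is refused with a "disabled for fips" error, whereas a non-FIPS build either hashes the file or complains about the unknown fips_mode directive. Note that this mechanism belongs to the 1.0.x FIPS Object Module; OpenSSL 3.0 and later replace it with the FIPS provider, configured differently.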

