[openssl-users] How to enable FIPS mode by default of the OpenSSL FIPS modules

security veteran security.veteran at gmail.com
Tue Sep 15 17:50:27 UTC 2015


Thanks Steve.

If we use Apache and Python as examples, does that mean both of them need
to invoke OPENSSL_Config() in order to enable the FIPS mode?
And if that's the case, how do we make them invoke OPENSSL_Config() API?

Also regarding the openssl.cfg changes mentioned in the User Guide, what do
I need to replace the XXXX string?

Below are the config changes I made, does it look right to you?

Thanks.


HOME                    = .

RANDFILE                = $ENV::HOME/.rnd


# Extra OBJECT IDENTIFIER info:

#oid_file               = $ENV::HOME/.oid

oid_section             = new_oids


# To use this configuration file with the "-extfile" option of the

# "openssl x509" utility, name here the section containing the

# X.509v3 extensions to use:

# extensions            =

# (Alternatively, use a configuration file that has only

# X.509v3 extensions in its main [= default] section.)


XXXX_conf = XXXX_options


[ new_oids ]


# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.

# Add a simple OID like this:

# testoid1=1.2.3.4

# Or use config file substitution like this:

# testoid2=${testoid1}.5.6


# Policies used by the TSA examples.

tsa_policy1 = 1.2.3.4.1

tsa_policy2 = 1.2.3.4.5.6

tsa_policy3 = 1.2.3.4.5.7



[ XXXX_options ]

alg_section = algs


[ algs ]

fips_mode = yes


####################################################################

[ ca ]

default_ca      = CA_default            # The default ca section






------------------------------

On 09/14/2015 05:21 PM, security veteran wrote:
>* I asked this question from a different thread, but thought it may be the
*>* best to start a new thread to discuss this question since it sounds like
*>* a big deal to me.
*> >* I've built an openssl library with the FIPS objects modules, and I was
*>* testing the new lib files by replacing the original library files such
*>* as libcrypto.so with the new ones.
*> >* From the FIPS user guide I understand that any applications which need
*>* to use the OpenSSL FIPS modules will need to run the API FIPS_mode_set
*>* to enable the FIPS mode.
*> >* This sounds like a big issue to me: there are may other
libraries/ services which depends on OpenSSL. For example, Python,
Apache, PostgreSQL, etc.
*> >* If the /FIPS_mode_set /API needs to be invoked in order to enable the
*>* FIPS mode, how can we make third party library/ services like Python and
*>* Apache to invoke this API?
*> >* Is there any other way to make the FIPS mode always enabled?
*
Well ... yes and no. It depends.

The OpenSSL FIPS module User Guide
(https://openssl.org/docs/fips/UserGuide-2.0.pdf) discusses use of the
OPENSSL_Config() call and the global openssl.conf configuration file. In
theory you could toggle FIPS mode for all the applications on a system
with in one swell foop.

In practice it's not that easy, because when you enable FIPS mode you
also automatically disable use of all "non-allowed" cryptography. Many
applications not specifically written to accommodate the restrictions of
FIPS module may not behave gracefully. Some (OpenSSH for instance)
require extensive hacks for FIPS mode.

Apache httpd does have native FIPS support, but you'll need to invoke
the right buildtime and runtime options; the typical httpd binary
install won't have FIPS support.

-Steve M.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150915/81912031/attachment.html>


More information about the openssl-users mailing list