[openssl-users] How to enable the FIPS mode of the OpenSSL FIPS modules by calling OPENSSL_Config() API?
security veteran
security.veteran at gmail.com
Tue Sep 15 22:11:47 UTC 2015
From the User Guide of OpenSSL FIPS Object Module v2.0, page 54, it
mentions that the FIPS mode can be initialized indirectly via the
OPENSSL_config() API.
My question is, from where should we call this API?
If we use Apache and Python as examples, does that mean both of them need
to invoke OPENSSL_config() in order to enable the FIPS mode?
And if that's the case, how do we make them invoke the OPENSSL_config() API?
Also, regarding the openssl.cfg changes mentioned in the User Guide, what do
I need to replace the XXXX string with?
Below are the config changes I made; do they look right to you?
Thanks in advance for the help and suggestions.
############# Below is my openssl.cfg ##############
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
XXXX_conf = XXXX_options
[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ XXXX_options ]
alg_section = algs
[ algs ]
fips_mode = yes
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
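
An added example, not part of the original message and not OpenSSL code: a small Python check that a configuration like the one quoted above really chains from the top-level key through alg_section down to fips_mode = yes. SAMPLE_CFG is constructed from the FIPS-related lines of the post, the function names are hypothetical, and config_name stands for the string the application passes to OPENSSL_config(), with openssl_conf assumed as the default name.

```python
import re

# Constructed sample: the FIPS-related lines of the configuration quoted above.
SAMPLE_CFG = """\
HOME = .
oid_section = new_oids
XXXX_conf = XXXX_options

[ new_oids ]
tsa_policy1 = 1.2.3.4.1

[ XXXX_options ]
alg_section = algs

[ algs ]
fips_mode = yes
"""

# Assumption: the boolean spellings OpenSSL treats as "true" for fips_mode.
TRUE_VALUES = {"yes", "YES", "y", "Y", "true", "TRUE"}

def parse_sections(text):
    """Parse OpenSSL-style config text into {section: {key: value}}."""
    sections = {"default": {}}
    current = sections["default"]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections

def fips_mode_requested(text, config_name="openssl_conf"):
    """Follow config_name -> alg_section -> fips_mode; return (ok, reason).
    OpenSSL's own fallback to another section name is not modelled here."""
    sections = parse_sections(text)
    top = sections["default"].get(config_name)
    if top is None:
        return False, f"no '{config_name}' key in the default section"
    algs = sections.get(top, {}).get("alg_section")
    if algs is None:
        return False, f"[{top}] is missing or has no alg_section"
    value = sections.get(algs, {}).get("fips_mode")
    if value not in TRUE_VALUES:
        return False, f"fips_mode is {value!r} in [{algs}]"
    return True, f"fips_mode enabled via {config_name} -> [{top}] -> [{algs}]"
```

Calling fips_mode_requested(SAMPLE_CFG, "XXXX_conf") succeeds, while the same text checked under the default name reports that no matching top-level key exists.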