[openssl-users] How to enable FIPS mode system-wide for the FIPS capable OpenSSL?

security veteran security.veteran at gmail.com
Wed Feb 3 01:04:30 UTC 2016


Thanks Steve.

I think the way to use OPENSSL_config() and openssl.conf to enable FIPS
mode basically still requires each application to explicitly invoke
OPENSSL_config() API in order to truly enable the FIPS mode, is that
correct?

If that's the case, then basically there's no way to really globally enable
the FIPS mode in the OpenSSL library in a system-wide way, so that all the
applications which use OpenSSL (libcrypto to be more specific) will be
running under FIPS mode by default (i.e. without the need for modification
to make them invoke either OPENSSL_config() or FIPS_mode_set() API). Is that
correct?

The reason I ask was mainly because I am evaluating how I should modify my
server platform and applications in order to adapt FIPS capable OpenSSL
library into the platform.

Thanks and any suggestions are greatly appreciated.

On Mon, Feb 1, 2016 at 1:35 PM, security veteran <security.veteran at gmail.com> wrote:

> Thanks Steve.
>
> I think the way to use OPENSSL_config() and openssl.conf basically still
> requires each application to explicitly invoke OPENSSL_config() API in
> order to truly enable the FIPS mode, is that correct?
>
> If that's the case, then basically there's no way to really globally
> enable the FIPS mode in the OpenSSL library in a system-wide way, so that
> all the applications which use OpenSSL (libcrypto to be more specific)
> will be running under FIPS mode by default (i.e. without the need for
> modification to make them invoke either OPENSSL_config() or
> FIPS_mode_set() API). Is that correct?
>
> The reason I ask was mainly because I am evaluating how I should modify my
> server platform and applications in order to adapt FIPS capable OpenSSL
> library into the platform.
>
> Thanks and I truly appreciate your answers and help.
>
> On Fri, Jan 29, 2016 at 6:31 AM, Steve Marquess <marquess at openssl.com>
> wrote:
>
>> On 01/28/2016 07:11 PM, security veteran wrote:
>> > Hi All:
>> >
>> > Is there a way to enable FIPS mode globally, instead of having to
>> > explicitly invoke the FIPS_mode_set() API from each application, for
>> > enabling the FIPS mode?
>> >
>> > ...
>>
>> Kinda-sorta, via OPENSSL_config() and openssl.conf. See the FIPS user
>> guide, https://openssl.org/docs/fips/UserGuide-2.0.pdf, section 5.2.
>>
>> -Steve M.
>>
>> --
>> Steve Marquess
>> OpenSSL Software Foundation
>> 1829 Mount Ephraim Road
>> Adamstown, MD  21710
>> USA
>> +1 877 673 6775 s/b
>> +1 301 874 2571 direct
>> marquess at openssl.com
>> gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
>> _______________________________________________
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>>
>
>
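
Added example, not part of the thread and not OpenSSL project code: a small Python check an administrator could run over an OpenSSL configuration file to see whether it requests FIPS mode through the `openssl_conf` -> `alg_section` -> `fips_mode = yes` chain used by the configuration-file method in the FIPS User Guide, section 5.2. The sample file, the function names and the simplified parser are constructed for illustration; the check reports only what the file asks for, not whether a given application ever loads it.

```python
import re

# Constructed sample file in the layout of the configuration-file method:
# default section -> openssl_conf -> alg_section -> fips_mode.
SAMPLE_CNF = """\
# constructed example file
openssl_conf = openssl_conf_section

[ openssl_conf_section ]
alg_section = evp_sect

[ evp_sect ]
fips_mode = yes   # request FIPS mode when this file is loaded
"""

def parse_cnf(text):
    """Parse OpenSSL-style config text into {section: {key: value}}.
    Keys before the first [section] header go into 'default'.
    Simplification: no $variable expansion, quoting or .include handling."""
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        header = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def fips_mode_requested(text):
    """Follow the chain of section names; return (requested, reason)."""
    cfg = parse_cnf(text)
    top = cfg["default"].get("openssl_conf")
    if top is None:
        return False, "no openssl_conf entry in the default section"
    alg = cfg.get(top, {}).get("alg_section")
    if alg is None:
        return False, f"[{top}] has no alg_section entry"
    value = cfg.get(alg, {}).get("fips_mode")
    if value != "yes":   # only the literal 'yes' is treated as a request here
        return False, f"[{alg}] has fips_mode = {value!r}"
    return True, f"[{alg}] sets fips_mode = yes"
```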