[openssl-users] /proc/sys/crypto/fips_enabled=1 is this enough to make OpenSSL to change its mode to FIPS?
Steve Marquess
marquess at openssl.com
Sat May 13 19:02:07 UTC 2017
On 05/12/2017 05:17 PM, Hareesh Joshi wrote:
> Hi,
>
> I've a CentOS machine with
> 1. FIPS capable OpenSSL module installed
> 2. Kernel switched to FIPS with /proc/sys/crypto/fips_enabled=1
>
> Will this make OpenSSL switch to FIPS mode as well? Or do I
> necessarily need to use OPENSSL_FIPS=1?
>
OpenSSL and the OpenSSL FIPS Object Module ignore
/proc/sys/crypto/fips_enabled; that is presumably used by the Red Hat
modified version of OpenSSL. You'll need to check with them about how
that behaves.

For a genuine FIPS capable OpenSSL you want to use FIPS_mode_set(); see
the FIPS module user guide at
https://www.openssl.org/docs/fips/UserGuide-2.0.pdf and/or the wiki at
https://wiki.openssl.org/.

-Steve M.
--
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 301 874 2571
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
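
The reply above treats the kernel flag and the library's FIPS mode as separate things. The following audit check is an added example, not part of the original message or of OpenSSL: it reads the flag file and asks the loaded libcrypto through FIPS_mode(), the query call that pairs with FIPS_mode_set(), then reports whether the two agree. The function names and the `assess` wording are hypothetical, and the check only queries the mode, it never sets it.

```python
import ctypes
import ctypes.util

KERNEL_FLAG = "/proc/sys/crypto/fips_enabled"  # path named in the thread


def kernel_fips_flag(path=KERNEL_FLAG):
    """True/False from the kernel flag file, None if it cannot be read."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


def libcrypto_fips_mode(lib=None):
    """Ask libcrypto directly with FIPS_mode(). The answer is for this
    process only. Returns None when the library gives no answer."""
    if lib is None:
        name = ctypes.util.find_library("crypto")
        try:
            lib = ctypes.CDLL(name) if name else None
        except OSError:
            lib = None
    fn = getattr(lib, "FIPS_mode", None)  # None if the symbol is not exported
    if fn is None:
        return None
    fn.restype, fn.argtypes = ctypes.c_int, []
    return fn() != 0


def assess(kernel, library):
    """Classify the two signals (labels are this example's own wording)."""
    if library is True:
        return "OK: libcrypto reports FIPS mode in this process"
    if kernel and library is False:
        return "MISMATCH: kernel flag set, libcrypto not in FIPS mode"
    if kernel and library is None:
        return "UNKNOWN: kernel flag set, libcrypto state not readable"
    return "OFF: FIPS mode not active"


if __name__ == "__main__":
    k, lib_mode = kernel_fips_flag(), libcrypto_fips_mode()
    print("kernel flag:", k, "| libcrypto FIPS_mode():", lib_mode)
    print(assess(k, lib_mode))
```

A MISMATCH result is the case the question asks about: the flag file reads 1 while the library in the checking process has not been switched.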